Privacy Policy
Last updated: April 2026
CostLynx ("CostLynx," "we," "us," or "our") is an Australian-registered company operating globally, including in the United States. We operate the CostLynx platform at costlynx.com (the "Service"). This Privacy Policy explains what information we collect, how we use it, and your choices and rights regarding that information.
1. Information We Collect
We collect information you provide directly, information generated through your use of the Service, and limited technical information necessary to operate and secure the platform.
a) Account and identity information
When you sign up or sign in, we collect your name, email address, and profile information through our authentication provider, Clerk, Inc. This includes any OAuth or SSO identity tokens used to authenticate your session. Authentication credentials and session state are managed by Clerk on our behalf.
b) Organization and workspace data
We store organization names, member roles and permissions, project names, environment labels, feature attribution tags, and invitation records that you configure within the Service.
c) AI usage metadata
When you send usage events to CostLynx via the ingestion API or an SDK, we receive and store the metadata you submit: provider name, model identifier, input and output token counts, estimated cost, attribution labels (project, environment, feature), a caller-supplied request identifier, and the timestamp of ingestion.
Important: CostLynx does not receive, process, or store your AI prompts or AI-generated responses. We receive only the usage metadata you explicitly send.
d) Provider connection data
If you configure a provider connection (for example, to enable automatic usage sync from OpenAI), we store the provider name and the API key you supply. Provider API keys are encrypted at rest using AES-256-GCM before storage; we do not retain the plaintext key after the initial credential test.
e) Billing and payment information
Subscription and billing management is handled by Stripe, Inc. We store your subscription status, plan tier, Stripe customer identifier, and subscription identifier. We do not receive or store payment card numbers; card data is collected and retained exclusively by Stripe.
f) Configuration and notification data
We store budget amounts and thresholds, alert rule configurations, and notification preferences you set within the Service. Slack webhook URLs, if provided, are encrypted at rest using AES-256-GCM.
g) Technical and operational data
We collect IP addresses, request metadata, and limited error telemetry to operate, secure, and maintain the Service. This data is used for rate limiting, abuse prevention, and diagnosing service issues. We do not build individual user profiles from this data.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service and its features
- Authenticate users and enforce workspace access controls
- Process billing events and manage subscription state
- Deliver organization invitation emails and alert notifications
- Evaluate spend anomaly rules and trigger configured notifications
- Enforce API rate limits and request idempotency
- Monitor for and respond to security threats and abuse
- Improve the Service using aggregate, non-identifying usage patterns
- Respond to support requests and account inquiries
- Comply with applicable legal obligations
3. Privacy Framework
Our privacy practices are designed around generally recognized privacy principles, including core concepts reflected in the Australian Privacy Act (such as transparency, data minimization, security safeguards, and access/correction rights), together with local legal requirements where we operate.
- We collect and use personal information that is reasonably necessary to provide and secure the Service.
- We seek to keep information accurate, up to date, and protected against unauthorized access or misuse.
- We use information for service delivery, account administration, security, support, billing, and legal compliance.
- Where required by applicable law, we rely on consent or another valid legal basis for specific processing activities.
4. How We Share Information
We do not sell your personal data. We do not share your data with third parties for advertising purposes.
We share data with the following service providers ("subprocessors") who process data on our behalf to operate the Service:
| Provider | Purpose |
|---|---|
| Clerk, Inc. | User authentication and identity management |
| Stripe, Inc. | Billing and payment processing |
| Vercel Inc. | Cloud hosting and deployment infrastructure |
| Upstash, Inc. | Rate limiting and ephemeral caching |
| ClickHouse, Inc. | Event data storage and metrics processing |
| Resend, Inc. | Transactional email delivery (organization invitations) |
All subprocessors are contractually required to handle data in accordance with applicable law and maintain appropriate security safeguards. We may update this list as our service providers change; material updates will be reflected in this policy.
We may disclose information if required by law, court order, or valid legal process, or where necessary to protect the rights, safety, or property of CostLynx, its users, or the public.
In the event of a merger, acquisition, or sale of assets, customer data may be transferred as part of that transaction, subject to equivalent or greater privacy protections.
5. Data Retention
- Account and organization data is retained while your account is active and for a reasonable period after account closure to fulfill legal obligations and resolve disputes.
- AI usage event data is retained while your organization is active. You may request deletion upon account closure.
- Billing records are retained as required by applicable financial, tax, and regulatory obligations.
- Transient operational data (rate limit counters, idempotency records) is short-lived and not retained beyond its operational purpose.
6. Security
We use industry-standard security measures to protect information under our control, including:
- TLS encryption for all data in transit
- AES-256-GCM encryption for sensitive credentials (provider API keys, webhook URLs) at rest
- HMAC-based hashing for ingestion and API key storage (plaintext keys are not retained after issuance)
- Role-based access controls within the platform
- Security headers on all HTTP responses
No method of transmission or storage is completely secure. We do not guarantee absolute security, and we are not responsible for the acts of third parties. If you believe you have discovered a security issue, please report it to security@costlynx.com.
7. International Data Transfers
CostLynx is operated from Australia and through service providers that may operate in other regions. If you use the Service, your information may be processed in Australia, the United States, and other countries where we or our subprocessors run infrastructure and support operations.
Privacy laws in those regions may differ from the laws in your location. Where required, we take reasonable contractual and operational steps to safeguard information transferred across borders.
8. Your Rights and Choices
Depending on your location and applicable law, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Request deletion of your personal data, subject to legal retention requirements
- Restrict or object to certain processing activities
- Request portability of your data in a structured, machine-readable format
- Withdraw consent where processing is based on consent
To exercise these rights, contact us at privacy@costlynx.com. Enterprise customers may also submit requests through their account team. We will respond within a reasonable timeframe and in accordance with applicable law.
9. Cookies and Tracking
We use session and authentication cookies necessary to operate the Service. These are managed by our authentication provider, Clerk. We do not deploy third-party advertising cookies or behavioral tracking technologies.
Because authentication cookies are functionally necessary to use the Service, they cannot be disabled without preventing sign-in.
10. Children's Privacy
The Service is intended for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently received data from a child, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide notice by email or in-app notification before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy.
12. Contact Information
If you have questions or concerns about this Privacy Policy or our data practices, please contact:
CostLynx (Australian-registered company)
Privacy inquiries: privacy@costlynx.com
Security disclosures: security@costlynx.com