Privacy Policy

Last updated: March 26, 2026

Chisel and Code LLC (“we,” “us,” or “our”) operates the SpendRebel application and website (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information

When you create an account, we collect your email address and display name. If you sign in with Google, we receive your name and email address from your Google account.

Benefits Data

You may voluntarily provide information about your FSA, HSA, or DCFSA accounts, including balance amounts, plan year dates, carryover limits, and employer information. This data is stored locally on your device using browser localStorage and is not transmitted to our servers unless you explicitly enable cloud sync.

Usage Data

We automatically collect certain information when you use our Service, including your browser type, operating system, pages visited, and time spent on pages. This data is collected through Google Analytics and is used to improve the Service.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Send you notification reminders about your benefit account deadlines
  • Generate personalized spending recommendations
  • Communicate with you about service updates and changes
  • Analyze usage patterns to improve user experience
  • Respond to your inquiries and support requests

3. Authentication and Security

We use Firebase Authentication (provided by Google) to manage user accounts and sign-in. Firebase handles authentication tokens and session management. We do not store your password directly — it is managed entirely by Firebase Auth.

4. Data Storage

Your benefits data (account balances, plan details, spending history) is stored locally in your browser's localStorage. This means your financial data stays on your device and is not transmitted to our servers by default.

Account authentication data is managed by Firebase and stored on Google's secure infrastructure.

5. HIPAA Disclaimer

SpendRebel is not a HIPAA-covered entity. We do not store, process, or transmit protected health information (PHI). The Service tracks financial balances and product eligibility information only — not medical records, diagnoses, or treatment information.

6. Data Sharing

We do not sell, rent, or trade your personal information to third parties. We may share information only in the following limited circumstances:

  • Service Providers: We use Firebase (Google) for authentication, Resend for transactional emails, and Google Analytics for usage analytics.
  • Legal Requirements: We may disclose information if required by law or in response to valid legal process.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

7. Cookies and Tracking

We use cookies and similar technologies for authentication sessions and analytics. Google Analytics uses cookies to collect anonymized usage data. You can control cookie preferences through your browser settings.

8. Third-Party Services

Our Service integrates with the following third-party services:

  • Firebase Authentication — User account management and sign-in (Google LLC)
  • Resend — Transactional email delivery (welcome emails, password resets, notifications)
  • Google Analytics — Anonymous usage analytics and site performance

Each of these services has their own privacy policy governing how they process data.

9. Your Rights

You have the right to:

  • Access your data: View all data associated with your account through the Settings page.
  • Export your data: Download your benefits data as a CSV file from Settings.
  • Delete your account: Permanently delete your account and all associated data from Settings. This action is irreversible.
  • Opt out of communications: Unsubscribe from non-essential emails at any time.

10. Children's Privacy

SpendRebel is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can delete it.

11. Data Retention

We retain your account information for as long as your account is active. If you delete your account, we will permanently remove your data within 30 days. Anonymized analytics data may be retained indefinitely for aggregate statistical purposes.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or your data, please contact us at: stop@losing.spendrebel.com

Chisel and Code LLC
Operating as SpendRebel