Privacy Policy
Last updated June 18, 2026
Ensight.ai (“spendguard,” “we”) operates llmspendguard.com — an optional team/org roll-up layer over the open-source llm-spendguard client. Privacy is the product: the client runs on your machine with your keys, and only scrubbed aggregates ever reach us. This policy explains exactly what we store, what we never store, and your rights.
What we store
- Per-day spend roll-ups — daily totals by provider, model, project, resource class (LLM / remote-compute), and a contributor reference (an email if you linked one, otherwise an anonymous
usr_…id). Amounts and token counts, not calls. - Scrubbed insight abstracts — generalizable, de-identified cost/efficiency rules (condition → action), produced and scrubbed by the client before they leave your machine.
- Leak / coverage metrics — aggregate figures, no per-call detail.
- Identity & billing — org/team/member identity from Clerk (our auth provider) and subscription state from Stripe (our payments provider). We do not see your card number.
What we never store
- Your provider API keys or any secret. Your keys never leave your machine; we never proxy or resell tokens.
- Raw prompts, completions, or per-call data.
- Spend tied to an individual beyond that member's visibility tier, or any other organization's data.
Two layers enforce this: the open-source client scrubs at the source (visibility=private sends nothing), and our ingest API rejects (HTTP 422) any payload containing prompt-like, key-like, or PII fields. We never silently store something we shouldn't.
Optional org-private examples (off by default)
An organization may explicitly opt in to sync prompt/response examples to power its own private search. This is never enabled by default, never pooled across organizations, encrypted at rest, tenant-isolated, and purgeable at any time. It is your data, centralized only by your choice.
How we use it
To show your team aggregate spend, coverage, and pooled (scrubbed) cost learnings; to bill active contributors; and to send the alerts/notifications you opt into. We do not sell data or use it for advertising.
Your rights (GDPR / CCPA)
You can access, export, and delete your data. An organization owner can permanently delete all of the org's data from the dashboard — we send a confirmation link to your verified email, and the deletion cascades across every table. Or email privacy@llmspendguard.com. We don't sell personal information.
Retention
Roll-ups and abstracts are retained while you maintain a subscription and for a short period after, then deleted; you can purge sooner at any time.
Security & data location
Your data is stored in the United States (AWS us-east-1, via Neon + Vercel). TLS in transit; encryption at rest; Postgres row-level security so a query physically cannot cross organizations; ingest keys stored hashed (with an optional encrypted copy for re-reveal); webhook signatures verified. See our security overview and subprocessors.
Subprocessors & cookies
We use a small set of subprocessors (Clerk, Stripe, Neon, Vercel, OpenAI embeddings, Resend). We use only essential cookies for your Clerk session; no advertising trackers.
Changes & contact
We'll post changes here and update the date above. Questions or requests: privacy@llmspendguard.com.
Ensight.ai · 204 2nd Ave, #204, San Mateo, CA 94401 · privacy@llmspendguard.com (privacy) · support@llmspendguard.com (support)
Privacy · Terms · DPA · Subprocessors