Privacy Policy

Last Updated: August 18, 2021

EXPENSIFY GLOBAL PRIVACY POLICY

At Expensify, Inc. (“Expensify”, “we”, “us”, or “our” which include our group and affiliated companies, including, without limitation, Expensify Limited, Expensify Australia Pty Ltd, and Expensify Canada Inc., which such entities collect information from users from particular jurisdictions), our most important asset is our relationship with our user community. We are committed to maintaining the confidentiality, integrity and security of information about our users and their organizations. This privacy policy (“Privacy Policy” or “Policy”) describes how we collect, use, disclose, share and secure the personal and company information you provide when you use our expense management, invoicing or bill processing software, through our mobile application (the “Application”) or visit the Expensify websites www.expensify.com or www.use.expensify.com or new.expensify.com (collectively, the “Site” and, together with any related software, tools and services provided in connection with the Application or the Site, the “Expensify Service”). It also describes your choices regarding the use, access and correction of your Personal Data (as defined in Section 3 of this Privacy Policy) and how to contact us if you have any further queries or complaints about our management of your personal information.

In this Privacy Policy, “you” and “your” refer to individual users of the Expensify Service, as well as to Members and Corporate Members. “Members,” “Corporate Members,” and other capitalized terms not defined in this privacy policy are defined in the Expensify Terms of Service.

We process your Personal Data as set out in the Privacy Policy which you should read.

Please review the Jurisdiction-specific provisions below for more information if you are visiting from Europe, Australia, California, or Nevada.

1. MEMBER ACKNOWLEDGMENT

By submitting or making available Personal Data (as defined below) through our Site, the Expensify Software or the Expensify Service, you confirm that you have read and acknowledged the terms of this Privacy Policy and you understand our practices around the collection, storage, use and disclosure of your Personal Data in accordance with this Privacy Policy.

2. A NOTE ABOUT CHILDREN

We do not intentionally gather Personal Data about individuals who are under the age of 18. If you become aware that we inadvertently hold or have access to Personal Data about anyone under 18, please let us know so we can delete it.

3. TYPES OF PERSONAL DATA WE COLLECT AND HOW IT IS COLLECTED

Personal information or “Personal Data”, means any information about an individual from which that person can be identified, or which when combined with other information which is in the possession of, or is likely to come into the possession of, Expensify could be used to identify that person. If you are accessing the Expensify Service from Australia, “Personal Data” also includes any information or opinion, whether true or not and whether recorded in material form or not, by which you may be reasonably identifiable. Expensify will not use your Personal Data except as set forth in this Privacy Policy and in the Terms of Service. 

We may collect (both directly and indirectly), use, store and transfer different kinds of personal data about you. For specific details about how Expensify does this with cookies, identifiers and other tracking technologies please review the Expensify Cookie Policy below. The categories of Personal Data we collect, use, store and transfer have been grouped together as follows:

We also collect, use and share aggregated or de-identified data, such as statistical or demographic data. This information has either been de-identified or otherwise combined with that of other users and analyzed or evaluated as a whole, such that no specific individual may be identified. We may use aggregated or de-identified data for purposes such as research and marketing and may also share such data with any third parties, including advertisers, promotional partners, sponsors, event promoters, and/or others.

We do not collect any “Special Categories of Personal Data” about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data) nor do we collect any information about criminal convictions and offences.

4. THIRD PARTY LINKS

This Privacy Policy applies only to the use and disclosure of Personal Data that we collect while you use the Expensify Service. Our provision of a link to any other website or location is for your convenience and does not signify our endorsement of such other website or location or its contents. When you click on such a link, you will leave the Expensify Service and go to another site. During this process, a third party may collect Personal Data from you. We have no control over, do not review, do not endorse, and cannot be responsible for, these outside websites or their content. Please be aware that the terms of this Privacy Policy do not apply to these outside websites or content, or to any collection of data after you click on a link to a third party. If you submit Personal Data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

5. EXPENSIFY COOKIE POLICY AND USE OF TRACKING TECHNOLOGIES

When you interact with the Site or the Application, we try to make that experience simple and useful. We and our partners use industry standard identifiers, such as cookies or other similar technologies. We will generally refer to cookies, web beacons, flash cookies, and pixels collectively as “cookies”, “tracking technology” or “identifiers” in this policy. By using our Services, you are agreeing that we can use cookies and other tracking technologies described in this Cookie Policy. 

A. What are cookies and how long are they stored? 

Cookies are small pieces of information which are issued to your computer or mobile device (as the case may be) when you visit a website or access or use a mobile application and which store and sometimes track information about your use of the Site or Application (as the case may be). A number of cookies we use last only for the duration of your web or Application session and expire when you close your browser or exit the Application (known as “session cookies”). Other cookies are used to remember you when you return to the Site or Application and will last for longer (known as “persistent cookies”). A persistent cookie lasts until you or your browser deletes the cookies or they expire.

Cookies set by us are called “first party cookies”, while cookies set by parties other than Expensify are called “third party cookies”. The parties that set third party cookies can recognize your device, both when you use the Services and when you use other websites or mobile apps. You should check the third party’s website for more information about how they use cookies and other tracking technologies. Both first party and third party cookies can serve a number of different functions, such as analytics, marketing and advertising. 

B. What other similar tracking technologies does Expensify use?  

C. How do we use cookies? 

We use cookies to provide our Site, gather information about your usage patterns when you navigate the Sites in order to enhance your personalized experience, and to understand usage patterns to improve our Sites, products, and services. We also allow certain third parties to place cookies on our Site in order to collect information about your online activities on our Sites over time and across different websites you visit. This information is used to provide advertising tailored to your interests on websites you visit, also known as interest based advertising, and to analyze the effectiveness of such advertising. 

Usage information may be linked to your account in order to assist Expensify to provide services to your account, for example analyzing data for the purposes of trouble shooting. Expensify will not sell or disclose usage data to any third party unless such usage data has been aggregated or de-identified. 

Cookies on our Sites are generally divided into the following categories:

D. Your Choices

Cookies

Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. Here are links to information from some of the larger browsers about how you can control your browser cookies: Chrome, Firefox, Safari, Internet Explorer. Visit All About Cookies.org to learn more about cookies and how to block cookies using different types of browser or mobile device. Please note, however, that by blocking or deleting cookies used on the Site or Application, you may not be able to take full advantage of the Expensify Service.

Behavioral Advertising

We may partner with a third party to either display advertising on our Site or Application or to manage our advertising on other sites. Our third-party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising click https://optout.networkadvertising.org/?c=1 or https://youradchoices.com/control (or if located in the European Union click here). Please note you will continue to receive generic ads.

If you would like more information about cookies and targeted advertisements or to opt out of having this information used by companies that are part of the Network Advertising Initiative, please click here or the Digital Advertising Alliance, please click here.

Analytics

We and our vendors (including but not limited to Google Analytics) may use Identifiers and similar tracking technologies to monitor performance and usage on the site for internal analytics and performance monitoring. These Identifiers and similar tracking technologies are used to help the Site collect and store information regarding your visit, such as session state and authentication tokens. Users can control the use of cookies at the individual browser level but if you choose to disable cookies, it may limit your use of certain features or functions provided through the Expensify Service. To manage Flash cookies, please click here.

To opt out of Google Analytics you can download a Browser Add-On.

The use of Identifiers by our vendors is not covered by our Privacy Policy. We do not have access or control over these cookies.

We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the Application, the events that occur within the Application, aggregated usage, performance data, and where the Application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile Application.  

E. Do Not Track Statement 

Some browsers have a “do not track” feature that allows you to tell websites that you do not want to have your online activities tracked. At this time, due to a lack of industry standards, we do not respond to browser “do not track” signals. 

6. USE OF YOUR PERSONAL DATA

Expensify and our Partner Companies may use your Personal Data in the following ways:

From time to time, we may also use your Personal Data to send important notices to you, such as communications about purchases you have made, or changes to our terms and conditions or other policies. This information is important to your interactions with us, and you acknowledge that if you opt out of receiving these communications, where permitted by applicable law, Expensify reserves its right to discontinue its services to you.

If you provide feedback on the Expensify Service, we may use such feedback for any purpose. Expensify will collect and store any information contained in such communication and will treat the Personal Data in such communication in accordance with this Privacy Policy.

Any information, including Personal Data, which you elect to make publicly available on the Expensify Service will be available to other Members or the public. If you remove information that you have made public on the Expensify Service, copies may remain viewable in cached and archived pages of the Expensify Service, or if other Members have copied or saved that information. 

In some cases we collect information provided by our Corporate Members, and in such cases, we have no direct relationship with the individuals whose Personal Data we process. If you believe your Personal Data has been collected by us in such circumstances, and would no longer like to be contacted as an employee or customer of one of our Corporate Members, please contact that Corporate Member directly in order to request your removal.  

We may send you push notifications from time to time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device such as operating system and user identification information.

7. DISCLOSURE OF YOUR PERSONAL DATA

We may share your Personal Data with Partner Companies to provide technical support or to provide specific services, such as hosting of your applications, maintenance services, database management or payment processing for purchases, reimbursements or other payments (including but not limited to PayPal and the Bancorp), and with your consent, to register you for participation in the Corporate Card Program. Partner Companies will have access to your Personal Data only to perform these services on our behalf and are obligated not to disclose or use it for any other purpose. They may be located, or their data processing activities may take place, in the United States of America or elsewhere outside the European Economic Area (EEA).  

Any subsidiaries, joint ventures, or other companies under common control with us (collectively, “Related Entities”), may share some or all of your Personal Data, in which case we will require our Related Entities to honor this Privacy Policy and your Personal Data will only be used for the purposes set out in this Privacy Policy. 

A key feature of Expensify’s Karma Program is the opportunity for those enrolled in the Karma Program to receive emails and chats from Expensify and participants in the Karma Program.  Whether you signed up for the program on your own behalf or if you are a member of the Karma Program through your Corporate Member, as part of administering this program we will disclose your chosen login credentials (e-mail address or phone number, depending on your chosen registration method) to volunteers of the Karma Program and other Members participating in the Karma program.  

Expensify may sell/divest/transfer the company (including any shares in the company), or any combination of its products, services, assets and/or businesses. Personal Data may be among the items sold or otherwise transferred in these types of transactions; you will be notified via email and/or a prominent notice on our Site of any change in ownership of your Personal Data. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the company.

In certain situations, Expensify may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Expensify may disclose Personal Data if it is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants or lawful requests from government authorities served on Expensify; or (b) protect or defend the rights, reputation or property of Expensify or users of the Expensify Service.  We look for opportunities to be an advocate for you when law enforcement or other third parties subject to a legal process seek to encroach on your privacy.  If we receive requests from law enforcement or private parties seeking information, we are prepared to take a stand when appropriate.  We have various tools at our disposal that we may elect to rely on to do so depending on the circumstances, for example: our legal team reviewing these requests to ensure that parties are following applicable laws and statutes; rejecting or challenging  requests that have no legal basis or are unclear, overbroad, or otherwise inappropriate; construing legal process as narrowly as possible; encouraging parties to look elsewhere for the information. We are prepared to ensure that requests have a legal basis. 

Except as otherwise stated in this policy and our Terms of Service, we do not sell, trade, share, or rent the Personal Data collected from the Expensify Service to third parties.

We may aggregate or de-identify information collected through the Expensify Service so that such information is no longer directly identifiable to an individual. We may use and share such aggregated or de-identified information solely for marketing purposes or distribution to third party research firms. 

Service Provider, Sub-Processors/Onward Transfer

Expensify may transfer Personal Data to companies that help us provide the Expensify Service and related programs. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients. 

Sharing with Corporate Members 

When a Member connects to a Corporate Policy, such Member understands and agrees that the Corporate Member has access and a right to the Member Data related to transactions associated with the Corporate Policy (including any Personal Data) for its internal bookkeeping purposes. A Corporate Member will maintain the following information when you connect with a Corporate Policy: full name, email, phone number, and expense data. Please contact the Corporate Member directly for more information about what Personal Data the Corporate Member maintains.

8. CHOICE/OPT-OUT

Expensify offers you the choice of receiving different types of communication and information related to our company, products and services. You may subscribe to e-newsletters or other publications; you may also elect to receive marketing communications and other special offers from us via email. If at any time you would like to change your communication preferences, we provide unsubscribe links and an opt-out mechanism for your convenience where available. You may also access and manage your preferences from your account.     

9. PERSONAL DATA CHANGES

If you believe that the Personal Data we hold about you may not be complete, accurate and up-to-date, you may change aspects of any of your Personal Data in your account by editing your profile within the registration portion of the Site. You may request deletion of your account information by us, but please note that we may be permitted or required (by law or otherwise) to keep this information and not delete or change it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). If you request deletion, subject to our rights to retain the Personal Data as set out in this Privacy Policy and the rights of any Corporate Member to retain the Personal Data as set forth below, we will respond to your request within 1 month. We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Access to Data Controlled by our Corporate Members

You have the right to access your Personal Data subject to any exceptions which may apply in the jurisdiction in which you reside. If you have connected to a Corporate Policy and shared your Personal Data with the Corporate Member administering such Corporate Policy, you acknowledge that some Personal Data shared with a Corporate Member may not be able to be deleted as it pertains to their records. Upon request, we will provide you with information about whether any of your Personal Data is shared with a Corporate Member administering a connected Corporate Policy. 

Blog / Forum

Our Site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Data from our blog or community forum, contact us at [email protected]. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.

10. SECURITY OF YOUR APPLICATION AND PERSONAL DATA

Expensify is committed to protecting the security of your Personal Data. We use a variety of industry-standard security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosure. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL). We also require you to enter a password to access your account information. Please do not disclose your account password to unauthorized people. Despite these measures, you should know that Expensify cannot fully eliminate security risks associated with Personal Data. If you have any questions about the security of your Personal Data, you can contact us at [email protected]

11. CONTACT INFORMATION

If you have any comments, questions or complaints about this Privacy Policy or if you feel that we have breached our obligations in the handling, use or disclosure of your Personal Data, feel free to email comments or questions to us at [email protected] or 401 SW 5th Ave, Portland, OR 97204. 

If you have general enquiry type questions, you can choose to use a pseudonym. However, if you require information which is specific to your circumstances then it may not be possible for you to deal with us by pseudonym. You acknowledge and agree that when contacting Expensify, whether by email, chat, or otherwise, you will not include any personally identifiable information in your communications, and that if such information is included in your communications with Expensify, Expensify will have no legal obligation or liability with regard to such information.

12. CHANGES TO THIS PRIVACY POLICY

If Expensify makes changes to this Privacy Policy, these changes will be posted on the Site and Application in a timely manner. Expensify reserves the right to modify this Privacy Policy at any time, so please review it frequently. You acknowledge that the updated policy will apply to the collection, storage, use or disclosure of Personal Data from the date of publication and it is your responsibility to check the Site and Application regularly for updates. You can determine when this Privacy Policy was last revised by referring to the “Last Updated” legend at the top of this page. Any changes to this Privacy Policy will become effective upon our posting of the revised Privacy Policy on the Site and Application. If we make any material changes, we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this Site prior to the change becoming effective. Use of the Expensify Service following such changes constitutes your acceptance of the revised Privacy Policy then in effect. We encourage you to periodically review this page for the latest information on our privacy practices.

13. OVERSEAS DISCLOSURE

Expensify is based in the United States, and, unless we expressly agree otherwise, we may host, transfer, and process data, including Personal Data, in the United States and in other countries through Expensify and third parties that we use to operate and manage the Service. These countries may have data protection laws that are different from those of your country of residence. When you access or use the Service, or otherwise provide information to us, you understand and acknowledge the processing and transfer of information in and to the United States and other countries which may have different privacy laws from your or their country of residence. Expensify takes appropriate measures to ensure such transfers are in compliance with applicable laws and subject to the additional jurisdictional terms set forth in Section 15(A) and 15(D) below.

14. DATA RETENTION

Other than in aggregated or de-identified form, as permitted under the Expensify Terms of Service, and except as required by applicable law, we will delete or otherwise destroy your Personal Data as soon as practicably possible following your termination or cancellation of your use of the Expensify Service.

Expensify will retain data licensed to our Corporate Members as set forth in the Expensify Terms of Service for as long as needed to provide services to our Corporate Member. Expensify will retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We ensure that Personal Data we dispose of is de-identified or destroyed in a secure fashion. 

The Corporate Member with which you are affiliated may have specific policies concerning the retention of data including User Content. Please consult the entity or organization with which you are affiliated for additional detail about its specific data retention policies.

15. JURISDICTION-SPECIFIC PROVISIONS 

A. Additional Disclosures for Data Subjects in the United Kingdom, European Economic Area (EEA), and Switzerland

I.  International Transfers

Where we transfer your Personal Data to another country outside the UK, EEA and / or Switzerland, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside the UK and / or EEA, for example, this may be done in one of the following ways:

1. the country that we send the data to might be approved by relevant data protection authorities as offering an adequate level of protection for Personal Data;

2. the recipient might have signed up to a contract based on “model contractual clauses” approved by relevant data protection authorities, obliging them to protect your Personal Data;

3. the recipient may have adhered to binding corporate rules (only for intragroup transfers); or

4. in other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.

You can obtain more details of the protection given to your Personal Data when it is transferred outside the UK, EEA and / or Switzerland (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as described in Section 16 below. Please note, following recent decisions invalidating the adequacy of the EU-U.S. and Swiss-U.S. Privacy Shields, we no longer rely on the Privacy Shields for cross-border personal data transfers. However, Expensify still participates in the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks and more information about this program is also provided below.

II.  Our Relationship with You

Expensify is made up of different legal entities, Expensify Inc., the parent company, and Expensify Ltd., a subsidiary.  This Privacy Policy is issued on behalf of the Expensify Group so when we mention “Expensify”, “we”, “us” or “our” in this Privacy Policy, we are referring to the relevant company in the Expensify Group responsible for processing your data. Expensify, Inc. is the controller for all of your Personal Data unless explicitly otherwise identified in the applicable contracts. 

We have appointed an Expensify Group entity based in the Netherlands to act as our representative in the EU. If you are located in the EU, you may address this entity to raise any issues or queries relating to our processing of your Personal Data. Our EU representative is Expensify Netherlands B.V. and can be contacted in the manner set out at Section 16 below. 

III.  Legal Basis for Processing

We have listed the use of your Personal Data by us in Section 6 above. The legal grounds on which we process the Personal Data for those uses include: if you consent to the processing, to satisfy our legal obligations, if it is necessary to carry out our obligations arising from any contracts we entered with you or to take steps at your request prior to entering into a contract with you, or for our legitimate interests in providing our services to our customers and the effective management of Expensify and to protect our property, rights or safety of Expensify, our customers or others. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

IV.  Your Privacy Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, such as:  

The rights described above may not be absolute and are limited by applicable laws. 

You can exercise your privacy rights by contacting us via email at: [email protected]. We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security.

International and Onward Transfers of Data

Information that our European users submit through the Expensify Service or the Site is sent to and stored on secure servers located in the United States of America and may be transferred by us to our other offices and/or to third parties (such as our Partner Companies, as defined below), who may be situated in the United States of America or elsewhere outside the European Economic Area (EEA) and may be processed by staff operating outside the EEA. The US and other non-EEA countries do not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States and some other non-EEA countries in respect of law enforcement and national security authority access to data is significantly different from Europe. However, we will ensure as reasonably as possible that where your personal information is to be transferred or shared outside the EEA, it is only transferred or shared where we have appropriate safeguards in place, for example by agreeing standard contractual clauses adopted by the European Commission.

For individuals located in the European Economic Area (“EEA”), United Kingdom, or Switzerland (collectively the “Designated Countries”): Where personal data are transferred to a third country or to an international organisation, Expensify implements appropriate safeguards, such as contractual obligations, and standard contractual clauses adopted by the European Commission relating to the transfer.

You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details here for individuals located in the EEA and here for individuals located in the United Kingdom.

Participation in the Privacy Shield

Please note, following recent decisions invalidating the adequacy of the EU-U.S. and Swiss-U.S. Privacy Shields, we no longer rely on the Privacy Shields for cross-border personal data transfers and instead rely on mechanisms set forth in Section 15(A)(1). However, Expensify, Inc. and its subsidiary company, Expensify Ltd., still comply with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union and the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. Expensify, Inc. and its subsidiary company, Expensify Ltd., have certified to the Department of Commerce that they adhere to the Privacy Shield Principles with respect to such information. Visit the Privacy Shield website to learn more about the program and view our certification.

The Privacy Shield Framework and Privacy Shield Principles only apply to Members and Corporate Members located in the EU. Accordingly, Expensify, Inc. is not liable under the Privacy Shield Framework and Privacy Shield Principles to Members or Corporate Members located outside the EU.

Expensify likewise is responsible for the processing of Personal Data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Data from the EU and Switzerland, including the onward transfer liability provisions. 

In compliance with the Privacy Shield Principles, Expensify Inc. commits to resolve complaints about our collection or use of your Personal Data. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Expensify Inc. via email at: [email protected] or via post addressed to Operations Lead, 88 Kearny Street, San Francisco, CA 94108.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you can file a report with our U.S.-based third party dispute resolution provider (free of charge). As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

B. Additional Disclosures for California Residents 

These Additional Disclosures for California Residents supplement the information contained in this Privacy Policy and apply solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”).

I.  CCPA Disclosures

We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice. This Privacy Policy contains Expensify’s required notices and disclosures including its Privacy Policy for California Residents, Notice of Collection, Notice of Opt Out Rights, and Notice of Financial Incentives requirements. 

This Notice does not apply to employment-related Personal Information collected from California-based employees, job applicants, contractors, or similar individuals, or to persons interacting with us in their capacity as a representative of a business.

Consumers who have a visual disability may be able to use a screen reader or other text-to-speech or text-to-Braille tool to review the contents of this notice.  If you need to access this Policy in an alternative format due to having a disability, please contact [email protected].

Definitions Specific to this Section

The CCPA includes definitions for terms specific to this California Privacy Policy that do not apply to the rest of this Privacy Policy, including the following terms:

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Personal Information does not include publicly available information obtained from government records; deidentified or aggregated consumer information that cannot be reconstructed to identify you; any information covered under the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, activities covered by the Fair Credit Reporting Act, or protected health information as defined under the Health Insurance Portability and Accountability Act.

“Sale” or “sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Information by the business to another business or a third party for monetary or other valuable consideration.

“Service Provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s Personal Information for a business purpose pursuant to a written contract.

Your Rights and Choices 

The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

Personal Information of Minors

The Expensify Service is not intended for children or minors under the age of 18 years old without express consent or authorization from a parent or a legal guardian.  Accordingly, we do not knowingly collect or store information about minors under the age of 18, and we do not sell the Personal Information of minors.  If you believe that we have unintentionally received Personal Information about a minor under the age of 18 years old, please contact us at [email protected].

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months or delete certain information. Please note that there are circumstances in which we may not be able to comply with your request pursuant to the CCPA, including when we cannot verify your request and/or when there is a conflict with our own obligations to comply with other legal or regulatory requirements, or other reasons provided by law. We will notify you following submission of your request if this is the case.

The disclosure rights include:

Right to Request Deletion 

You have the right to request that we delete your personal information. Under certain circumstances Expensify may be unable or otherwise not required to delete your personal information, for example, to comply with legal obligations, or to complete a business transaction that you have requested. 

Right to Non-Discrimination

You have a right not to receive discriminatory treatment for exercising your privacy rights as identified in this section of the privacy notice as conferred by the CCPA.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a consumer request to us via email at: [email protected] with the subject line “California Rights Request,” or via webform. We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account. If you request access to or deletion of your personal information and do not sign in to an account with us, we require you to provide the following information: name, email address, phone number, and postal address. In addition, if you do not have an account and you ask us to provide you with specific pieces of personal information, we reserve the option to require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

Response Information

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

Authorized Agents

You may designate an authorized agent to exercise your rights under the CCPA on your behalf; however, we may deny a request as permitted by the CCPA. To designate an authorized agent, you must provide the agent, and the agent must present to us, written permission signed by you. We may also require you to verify your identity directly with us and directly confirm with us that you provided the authorized agent permission to submit the request, unless your authorized agent provides us with power of attorney pursuant to Probate Code sections 4121-4130.

Sale of Personal Information

We have not sold the personal information of California residents in the preceding twelve months. We do not sell the personal information of minors under 16 years of age. This fact notwithstanding, you can opt out of data sale by emailing a request to that effect to: [email protected].

Collection, Use and Disclosure of Personal Information

The categories of Personal Information that we collect and the sources from which we collect them are described above in Section 3 entitled Types of Personal Data We Collect and How It Is Collected. These categories include identifiers, commercial information, financial data, internet activity information and professional or employment-related information as described in Section 1798.140(o) of the CCPA. The business/commercial purposes for which we use these categories of Personal Information are described in Section 6 above entitled Use of Your Personal Data. The categories of third parties with which we share these categories of Personal Information are described in Section 7 above entitled Disclosure of Your Personal Data. The foregoing describes our practices as of, and during the twelve-month period preceding, the effective date of the Privacy Policy.

II.  Other California Privacy Rights

California’s “Shine the Light” law (Civil Code § 1798.83) permits Members who are California residents to request and obtain from us once a year, free of charge, certain information about the Personal Data (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of Personal Data that were shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to [email protected].

The “Do Not Track” disclosure can be found above in Section 5 entitled Expensify Cookie Policy and Use of Tracking Technologies.

C. Additional Disclosures for Nevada Residents 

Pursuant to Nevada law, you may direct a business that operates an internet website not to sell certain Personal Information a business has collected or will collect about you. Expensify does not sell your Personal Information pursuant to Nevada law. For more information about how we handle and share your Personal Information or your rights under Nevada law, contact us at [email protected].

D. Additional Disclosures for Australian Residents 

If you are in Australia, our collection, storage, use and disclosure of your Personal Data will be subject to this Privacy Policy and the Privacy Act 1988 (Cth) (Privacy Act). Any part of this Privacy Policy that is illegal, unenforceable or inconsistent with the Privacy Act may be severed from this Privacy Policy and the remaining terms or parts of the term of this Privacy Policy will continue in force. In addition, the following information applies to you.

Pseudonymity

If you are making a general enquiry only, you may deal with us through the use of a pseudonym. However, we will not be able to provide you with any specific information about your account if you fail to identify yourself to us. 

Data Transfer Disclosure

Personal Data provided to us by Members or Corporate Members located in Australia may be disclosed to service providers located outside Australia, including in the US, including providers of cloud or other types of networked or electronic storage.

Although these third parties are subject to privacy and confidentiality obligations imposed by contract or the regulatory frameworks of the jurisdiction in which those third parties are located, you acknowledge that:

Secondary Purpose

You acknowledge that we may use or disclose your Personal Data for a reason other than the reasons set forth in Section 6 or Section 7 (a “secondary purpose”) where the secondary purpose is connected to or associated with a purpose for collection set out in this Privacy Policy, or directly connected to or associated with a purpose for collection if the information is ‘sensitive information’ as that term is defined under the Privacy Act. 

16. QUERIES, CONCERNS, AND COMPLAINTS

If you have any queries, concerns or complaints about the manner in which we have collected, stored, used or disclosed your personal information, please contact the Data Protection Officer at [email protected]. We will treat your complaint confidentially and, after investigating your complaint, discuss the ways in which we can remedy the situation. We will ensure that we respond to your complaint within a reasonable time (and in any event within the time required by applicable law).

If your inquiries or complaints regarding our Privacy Policy or use of data have not been resolved to your satisfaction within 30 days via the means set forth herein, please contact:

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO at [email protected].