Last Updated: August 18, 2021
EXPENSIFY GLOBAL PRIVACY POLICY
At Expensify, Inc. (“Expensify”, “we”, “us”, or “our” which include our group and affiliated companies, including, without limitation, Expensify Limited, Expensify Australia Pty Ltd, and Expensify Canada Inc., which such entities collect information from users from particular jurisdictions), our most important asset is our relationship with our user community. We are committed to maintaining the confidentiality, integrity and security of information about our users and their organizations. This privacy policy (“Privacy Policy” or “Policy”) describes how we collect, use, disclose, share and secure the personal and company information you provide when you use our expense management, invoicing or bill processing software, through our mobile application (the “Application”) or visit the Expensify websites www.expensify.com or www.use.expensify.com or new.expensify.com (collectively, the “Site” and, together with any related software, tools and services provided in connection with the Application or the Site, the “Expensify Service”). It also describes your choices regarding the use, access and correction of your Personal Data (as defined in Section 3 of this Privacy Policy) and how to contact us if you have any further queries or complaints about our management of your personal information.
In this Privacy Policy, “you” and “your” refers to individual users of the Expensify Service, as well as to Members and Corporate Members. “Members,” “Corporate Members,” and other capitalized terms not defined in this privacy policy are defined in the Expensify Terms of Service.
We process your Personal Data as set out in the Privacy Policy which you should read.
Please review the Jurisdiction-specific provisions below for more information if you are visiting from Europe, Australia, California, or Nevada.
1. MEMBER ACKNOWLEDGMENT
By submitting or making available Personal Data (as defined below) through our Site, the Expensify Software or the Expensify Service, you confirm that you have read and acknowledged the terms of this Privacy Policy and you understand our practices around the collection, storage, use and disclosure of your Personal Data in accordance with this Privacy Policy.
2. A NOTE ABOUT CHILDREN
We do not intentionally gather Personal Data about individuals who are under the age of 18. If you become aware that we inadvertently hold or have access to Personal Data about anyone under 18, please let us know so we can delete it.
3. TYPES OF PERSONAL DATA WE COLLECT AND HOW IT IS COLLECTED
Personal information or “Personal Data”, means any information about an individual from which that person can be identified, or which when combined with other information which is in the possession of, or is likely to come into the possession of, Expensify could be used to identify that person. If you are accessing the Expensify Service from Australia, “Personal Data” also includes any information or opinion, whether true or not and whether recorded in material form or not, by which you may be reasonably identifiable. Expensify will not use your Personal Data except as set forth in this Privacy Policy and in the Terms of Service.
We may collect (both directly and indirectly), use, store and transfer different kinds of personal data about you. For specific details about how Expensify does this with cookies, identifiers and other tracking technologies please review the Expensify Cookie Policy below. The categories of Personal Data we collect, use, store and transfer have been grouped together as follows:
Registration Data when you purchase or register for our Services or sign up for our Corporate Card Program or create an Expensify account, we collect directly from you (or for certain corporate accounts, from your employers) Personal Data, including your name, date of birth, billing and mailing address, email, professional title, company name, phone numbers, credit card, other payment information, and password. In addition, we (or our third-party credit card or payment processor on our behalf) will collect Personal Data including your credit card number or account information when you upgrade to a paid account.
Transaction Data that Allows Us to Provide our Services to You. This includes financial information, such as bank account, payment card and other payment account, contact information (billing and mailing address, email address, and phone numbers), expense data, receipts, transaction data imported from third party financial service companies, and other details about reimbursements and payments to and from you and other details of products and services you have purchased from us. If you participate in the Corporate Card Program, Corporate Karma Program and/or Personal Karma Program (each subject to the Karma Program Terms), we may collect Personal Data including your name, contact information, and donation amount(s) and/or Karma Points balance, and share this information with Expensify.org, a California nonprofit public benefit corporation and a charitable affiliate of Expensify. Visit Expensify.org for more details. We collect your location-based information for the purpose of mileage tracking, providing location specific features, and to confirm your Expensify cardholder status for specific events associated with the services. We may share your geo-location data with third parties for the sole purpose of providing these services. If you do not wish to allow us to collect and/or share your information in this manner please opt out by contacting us at [email protected].
Technical Data. The Expensify Service (which may be hosted by a third-party service provider) collects Personal Data from you, such as browser type, your approximate geographic location of your mobile device or computer (from your Internet Protocol (IP) address), operating system and version, Internet Protocol (IP) address, domain name, information about your application, operating environment and hardware profiles and/or a date/time stamp for your visit. We may also use Identifiers (as defined below) and navigational data like Uniform Resource Locators (URL) to gather information regarding the date and time of your visit and/or access to the Expensify Service and your activity on the Site and the Application. Like most internet services, we automatically gather this Personal Data and store it in log files each time you visit the Site, use the Application or access your account on our network. We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the Application, the events that occur within the Application, aggregated usage, performance data, and where the Application was downloaded from. We do not link the information we store within the analytics software to any Personal Data you submit within the mobile Application.
Information about your Interactions with Expensify. We collect information about your interactions with Expensify, which may include your use of our products, services, websites or apps, including information collected using Cookies and other technologies (for further information on how we use Cookies and the information we collect using Cookies, see our cookies policy in Section 5 below). It may also include communications with us, such as if you contact our customer service centers, including recording calls and the contents of your device screen (by Expensify itself or using a third-party service) for quality and training purposes. This may also include data about your participation in promotions or programs. This may also include data about how you exercise rights or preferences regarding your data. We also retain information on your behalf, such as the Personal Data described above and any correspondence. If you provide us feedback or contact us via email, we will collect your name and email address, IP address, as well as any other content included in the email, in order to send you a reply, and any information that you submit to us, such as a resume. If we conduct a survey in which you participate, we may collect additional profile information. We may also collect Personal Data at other instances in the Site or Application user experience where we state that Personal Data is being collected.
Other Self-Reported Information. You have the option to provide us with additional information about yourself and others through surveys, forms, features and applications. Where such information is not required by Expensify for the purposes of providing the services to you, you acknowledge that Expensify may store, use and disclose such Personal Data in accordance with this Privacy Policy.
User Content. Some of our Services allow you to create and post or upload content, such as data, text, software, music, audio, photographs, graphics, video, messages, or other materials that you create or provide to us or to other Members through either a public or private transmission. For example, User Content includes any discussions, posts, or messages you send on our Forums, as well as messages you send using Expensify Chat. Our Site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Data from our blog or community forum, contact us at [email protected]. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.
Referral Information and Sharing. When you refer a person to Expensify, we will ask for that person’s name, phone number and/or email address and collect this information directly from you. By participating in a referral program or by choosing to share information with another person, you confirm that the person has given you permission for Expensify to communicate with him or her. If you choose to use our referral service to tell a friend about Expensify, or if, as a Corporate Administrator, you refer an employee or other authorized service provider to connect with your Corporate Policy (each such individual, a “Referred Party”), you must seek permission of the Referred Party so that Expensify may use their name, phone number and/or email address to contact them about the Expensify Service. By providing us with the Referred Party’s name and email address, you warrant that the Referred Party agrees to such contact. We will automatically send your friend a one-time email inviting him or her to visit the site. If you were referred by a friend or a Corporate Administrator, and you activate an Account, Expensify shall treat such Personal Data as if you had directly provided it to Expensify, which such Personal Data will be processed as set forth in this Privacy Policy. If your friend is a resident of the European Economic Area, the United Kingdom or Australia, please make sure they are happy to be contacted by us.
Social Media Features and Widgets. Our Site includes Social Media Features, such as the Facebook “Like” button and Widgets, (“Features”). These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. They may also allow third party social media services to provide us information about you, including your name, email address, and other contact information. The information we receive is dependent upon your privacy settings with the third party social media service. Features are either hosted by a third party or hosted directly on our site. Your interactions with these Features are governed by the privacy statements of the third party companies providing them. You should always review and, if necessary, adjust your privacy settings on third party websites and services before linking or connecting them to our website or Service.
Third Party Data: We will collect your Personal Data from you unless it is unreasonable or impracticable to do so. However, we may collect and receive Personal Data about you from the following non-publicly accessible sources: (i) companies that distribute the Expensify Service by way of a co-branded or private-labeled website, (ii) companies that offer their products and/or services via the Expensify Service, (iii) companies affiliated with Expensify, such as Expensify.org, or (iv) companies that provide services (such as payment processing services) in connection with the Expensify Service, including without limitation Issuers and Card Networks (as such terms are defined in the Corporate Card Program Terms) (collectively, “Partner Companies”). Our Partner Companies may supply us with Personal Data, such as your name and email and mailing address information or your login credentials for such Partner Company’s website or service, in order to help us establish the account or fulfil orders. We may also collect your Personal Data if necessary from public sources (such as LinkedIn, Corporate Subscribers Websites, Clearbit, Lexis Nexus). We may add this information to the information we have already collected from you via our Site or Application in order to perform and improve the Expensify Service. If you provide us Personal Data about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.
We also collect, use and share aggregated or de-identified, such as statistical or demographic data. This information has either been de-identified or otherwise combined with that of other users and analyzed or evaluated as a whole, such that no specific individual may be identified. We may use aggregated or de-identified data for purposes such as research and marketing purposes and may also share such data with any third parties, including advertisers, promotional partners, sponsors, event promoters, and/or others.
We do not collect any “Special Categories of Personal Data” about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data) nor do we collect any information about criminal convictions and offences.
4. THIRD PARTY LINKS
This Privacy Policy applies only to the use and disclosure of Personal Data that we collect while you use the Expensify Service. Our provision of a link to any other website or location is for your convenience and does not signify our endorsement of such other website or location or its contents. When you click on such a link, you will leave the Expensify Service and go to another site. During this process, a third party may collect Personal Data from you. We have no control over, do not review, do not endorse, and cannot be responsible for, these outside websites or their content. Please be aware that the terms of this Privacy Policy do not apply to these outside websites or content, or to any collection of data after you click on a link to a third party. If you submit Personal Data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.
5. EXPENSIFY COOKIE POLICY AND USE OF TRACKING TECHNOLOGIES
When you interact with the Site or the Application, we try to make that experience simple and useful. We and our partners use industry standard identifiers, such as cookies or other similar technologies. We will generally refer to cookies, web beacons, flash cookies, and pixels collectively as “cookies”, “tracking technology” or “identifiers” in this policy. By using our Services, you are agreeing that we can use cookies and other tracking technologies described in this Cookie Policy.
A. What are cookies and how long are they stored?
Cookies are small pieces of information which are issued to your computer or mobile device (as the case may be) when you visit a website or access or use a mobile application and which store and sometimes track information about your use of the Site or Application (as the case may be). A number of cookies we use last only for the duration of your web or Application session and expire when you close your browser or exit the Application (known as “session cookies). Other cookies are used to remember you when you return to the Site or Application and will last for longer (known as persistent cookies). A persistent cookie lasts until you or your browser deletes the cookies or they expire.
Cookies set by us are called “first party cookies”, while cookies set by parties other than Expensify are called “third party cookies”. The parties that set third party cookies can recognize your device, both when you use the Services and when you use other websites or mobile apps. You should check the third party’s website for more information about how they use cookies and other tracking technologies. Both first party and third party cookies can serve a number of different functions, such as analytics, marketing and advertising.
B. What other similar tracking technologies does Expensify use?
Web Beacons: In addition to cookies, web beacons may be set by us or third parties in respect of your use of the Site or Application. Web beacons are small image files within the content of the Site or Application for analytics purposes so we or third parties can understand which parts of the Site or Application are visited and which functions of the Site or Application are used and whether particular content is of interest.
Flash cookies: We may also use so-called “flash cookies” (also known as “Local Shared Objects” or “LSOs”) to collect and store information about your use of our Services.
Mobile Device Identifiers: We also use mobile device identifiers which perform a similar role, like the IDFA used by Apple devices and the UDID used by Android devices.
C. How do we use cookies?
We use cookies to provide our Site, gather information about your usage patterns when you navigate the Sites in order to enhance your personalized experience, and to understand usage patterns to improve our Sites, products, and services. We also allow certain third parties to place cookies on our Site in order to collect information about your online activities on our Sites over time and across different websites you visit. This information is used to provide advertising tailored to your interests on websites you visit, also known as interest based advertising, and to analyze the effectiveness of such advertising.
Usage information may be linked to your account in order to assist Expensify to provide services to your account, for example analyzing data for the purposes of trouble shooting. Expensify will not sell or disclose usage data to any third party unless such usage data has been aggregated or de-identified.
Cookies on our Sites are generally divided into the following categories:
Strictly necessary cookies. These are cookies that are required for the operation of our website or provide necessary functions relating to the services you request. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
Analytical or performance cookies. These allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These cookies also allow us to collect statistical information about how you use the Site or App (including how long you spend on the Site or Application) and where you have come to the Site or Application from, so that we can improve the Site and learn which parts of the Site and which functions of the Application are most popular with users.
Functionality cookies. These cookies enable helpful but non-essential website functions that improve your website experience. By recognizing you when you return to our website, they may, for example, allow us to personalize our content for you, greet you by name, or remember your preferences (for example, your choice of language or region). This also enables us to customize elements of the promotional layout and/or content of the pages of the Site or Application We also use functional social media plug ins, such as the Facebook “Like” button and Widgets, such as the “Share this” button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our Site, and may set an Identifier to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the Privacy Policy of the company providing it.
Targeting cookies. These cookies enable different advertising related functions. They may allow us to record information about your visit to our website, such as pages visited, links followed, and videos viewed so we can make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
D. Your Choices
Cookies
Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. Here are links to information from some of the larger browsers about how you can control your browser cookies: Chrome, Firefox, Safari, Internet Explorer. Visit the All About Cookies.org to learn more cookies and how to block cookies using different types of browser or mobile device. Please note, however, that by blocking or deleting cookies used on the Site or Application, you may not be able to take full advantage of the Expensify Service.
Behavioral Advertising
We may partner with a third party to either display advertising on our Site or Application or to manage our advertising on other sites. Our third-party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to opt -out of interest-based advertising click https://optout.networkadvertising.org/?c=1 or https://youradchoices.com/control (or if located in the European Union click Union click here). Please note you will continue to receive generic ads.
If you would like more information about cookies and targeted advertisements or to opt out of having this information used by companies that are part of the Network Advertising Initiative, please click here or the Digital Advertising Alliance, please click here.
Analytics
We and our vendors (including but not limited to Google Analytics) may use Identifiers and similar tracking technologies to monitor performance and usage on the site for internal analytics and performance monitoring. These Identifiers and similar tracking technologies are used to help the Site collect and store information regarding your visit, such as session state and authentication tokens. Users can control the use of cookies at the individual browser level but if you choose to disable cookies, it may limit your use of certain features or functions provided through the Expensify Service. To manage Flash cookies, please click here.
To opt out of Google Analytics you can download a Browser Add-On.
The use of Identifiers by our vendors is not covered by our Privacy Policy. We do not have access or control over these cookies.
We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the Application, the events that occur within the Application, aggregated usage, performance data, and where the Application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile Application.
E. Do Not Track Statement
Some browsers have a “do not track” feature that allows you to tell websites that you do not want to have your online activities tracked. At this time, due to a lack of industry standards, we do not respond to browser “do not track” signals.
6. USE OF YOUR PERSONAL DATA
Expensify and our Partner Companies may use your Personal Data in the following ways:
to facilitate the creation of and secure your account on our network;
identify you as a Member in our system;
to administer and provide improved administration of the Expensify Service;
to improve the quality of experience when you interact with the Expensify Service, including staff training;
to send you a welcome email to verify ownership of the email address provided when your account was created;
to send you administrative email and/or chat notifications, such as security or support and maintenance advisories;
to collect fees and payments owing to us;
to respond to your inquiries related to employment opportunities or other requests and to resolve disputes;
to provide you with access to and information about customized features, new functionality, and partner integrations;
to send promotional communications newsletters, personal interest pieces, interests for the Expensify community, and news about events, elections, and campaigns;
to connect Members with each other and volunteers of Expensify.org as part of the Karma Program;
to provide you with hardcopy or electronic newsletters, or surveys;
to send with your consent (or where a friend has referred you to us) upgrades and special offers related to the Expensify Service and for other marketing purposes of Expensify or our Partner Companies;
to prevent and identify fraud and other illegal activity including but not limited to making telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback;
to verify your identity as part of compliance with requirements of Partner Companies or applicable regulations;
to compare information provided by you for accuracy and verification with third parties;
to provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses and responding to consumer rights requests;
as otherwise: described to you when collecting your personal information; directed by you; needed to comply with laws; and
to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our consumers is among the assets transferred.
From time to time, we may also use your Personal Data to send important notices to you, such as communications about purchases you have made, or changes to our terms and conditions or other policies. This information is important to your interactions with us, and you acknowledge that if you opt out of receiving these communications, where permitted by applicable law, Expensify reserves its right to discontinue its services to you.
If you provide feedback on the Expensify Service, we may use such feedback for any purpose. Expensify will collect and store any information contained in such communication and will treat the Personal Data in such communication in accordance with this Privacy Policy.
Any information, including Personal Data, which you elect to make publicly available on the Expensify Service will be available to other Members or the public. If you remove information that you have made public on the Expensify Service, copies may remain viewable in cached and archived pages of the Expensify Service, or if other Members have copied or saved that information.
In some cases we collect information provided by our Corporate Members, and in such cases, we have no direct relationship with the individuals whose Personal Data we process. If you believe your Personal Data has been collected by us in such circumstances, and would no longer like to be contacted as an employee or customer of one of our Corporate Members, please contact that Corporate Member directly in order to request your removal.
We may send you push notifications from time-to-time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you turn them off at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device such as operating system and user identification information.
7. DISCLOSURE OF YOUR PERSONAL DATA
We may share your Personal Data with Partner Companies to provide technical support or to provide specific services, such as hosting of your applications, maintenance services, database management or payment processing for purchases, reimbursements or other payments (including but not limited to PayPal and the Bancorp), and with your consent, to register you for participation in the Corporate Card Program. Partner Companies will have access to your Personal Data only to perform these services on our behalf and are obligated not to disclose or use it for any other purpose. They may be located, or their data processing activities may take place, in the United States of America or elsewhere outside the European Economic Area (EEA).
Any subsidiaries, joint ventures, or other companies under common control with us (collectively, “Related Entities”), may share some or all of your Personal Data, in which case we will require our Related Entities to honor this Privacy Policy and your Personal Data will only be used for the purposes set out in this Privacy Policy.
A key feature of Expensify’s Karma Program is the opportunity for those enrolled in the Karma Program to receive emails and chats from Expensify and participants in the Karma Program. Whether you signed up for the program on your own behalf or if you are a member of the Karma Program through your Corporate Member, as part of administering this program we will disclose your chosen login credentials (e-mail address or phone number, depending on your chosen registration method) to volunteers of the Karma Program and other Members participating in the Karma program.
Expensify may sell/divest/transfer the company (including any shares in the company), or any combination of its products, services, assets and/or businesses. Personal Data may be among the items sold or otherwise transferred in these types of transactions, you will be notified via email and/or a prominent notice on our Site of any change in ownership of your Personal Data. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the company.
In certain situations, Expensify may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Expensify may disclose Personal Data if it is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants or lawful requests from government authorities served on Expensify; or (b) protect or defend the rights, reputation or property of Expensify or users of the Expensify Service. We look for opportunities to be an advocate for you when law enforcement or other third parties subject to a legal process seek to encroach on your privacy. If we receive requests from law enforcement or private parties seeking information, we are prepared to take a stand when appropriate. We have various tools at our disposal that we may elect to rely on to do so depending on the circumstances, for example: our legal team reviewing these requests to ensure that parties are following applicable laws and statutes; rejecting or challenging requests that have no legal basis or are unclear, overbroad, or otherwise inappropriate; construing legal process as narrowly as possible; encouraging parties to look elsewhere for the information. We are prepared to ensure that requests have a legal basis.
Except as otherwise stated in this policy and our Terms of Service, we do not sell, trade, share, or rent the Personal Data collected from the Expensify Service to third parties.
We may aggregate or de-identify information collected through the Expensify Service so that such information is no longer directly identifiable to an individual. We may use and share such aggregated or de-identified information solely for marketing purposes or distribution to third party research firms.
Service Provider, Sub-Processors/Onward Transfer
Expensify may transfer Personal Data to companies that help us provide the Expensify Service and related programs. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients.
Sharing with Corporate Members
When a Member connects to a Corporate Policy, such Member understands and agrees that the Corporate Member has access and a right to the Member Data related to transactions associated with the Corporate Policy (including any Personal Data) for its internal bookkeeping purposes. A Corporate Member will maintain the following information when you connect with a Corporate Policy: full name, email, phone number, and expense data. Please contact the Corporate Member directly for more information about what Personal Data the Corporate Member maintains.
8. CHOICE/OPT-OUT
Expensify offers you the choice of receiving different types of communication and information related to our company, products and services. You may subscribe to e-newsletters or other publications; you may also elect to receive marketing communications and other special offers from us via email. If at any time you would like to change your communication preferences, we provide unsubscribe links and an opt-out mechanism for your convenience where available. You may also access and manage your preferences from your account.
9. PERSONAL DATA CHANGES
If you believe that the Personal Data we hold about you may not be complete, accurate and up-to-date, you may change aspects of any of your Personal Data in your account by editing your profile within the registration portion of the Site. You may request deletion of your account information by us, but please note that we may be permitted or required (by law or otherwise) to keep this information and not delete or change it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). If you request deletion, subject to our rights to retain the Personal Data as set out in this Privacy Policy and the rights of any Corporate Member to retain the Personal Data as set forth below, we will respond to your request within 1 month. We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Access to Data Controlled by our Corporate Members
You have the right to access your Personal Data subject to any exceptions which may apply in the jurisdiction in which you reside. If you have connected to a Corporate Policy and shared your Personal Data with the Corporate Member administering such Corporate Policy, you acknowledge that some Personal Data shared with a Corporate Member may not be able to be deleted as it pertains to their records. Upon request, we will provide you with information about whether any of your Personal Data is shared with a Corporate Member administering a connected Corporate Policy.
Blog / Forum
Our Site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Data from our blog or community forum, contact us at [email protected]. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.
10. SECURITY OF YOUR APPLICATION AND PERSONAL DATA
Expensify is committed to protecting the security of your Personal Data. We use a variety of industry-standard security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosure. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL). We also require you to enter a password to access your account information. Please do not disclose your account password to unauthorized people. Despite these measures, you should know that Expensify cannot fully eliminate security risks associated with Personal Data. If you have any questions about the security of your Personal Data, you can contact us at [email protected].
11. CONTACT INFORMATION
If you have any comments, questions or complaints about this Privacy Policy or if you feel that we have breached our obligations in the handling, use or disclosure of your Personal Data, feel free to email comments or questions to us at [email protected] or 401 SW 5th Ave, Portland, OR 97204.
If you have general enquiry type questions, you can choose to use a pseudonym. However, if you require information which is specific to your circumstances then it may not be possible for you to deal with us by pseudonym. You acknowledge and agree that when contacting Expensify, whether by email, chat, or otherwise, you will not include any personally identifiable information in your communications, and that if such information is included in your communications with Expensify, Expensify will have no legal obligation or liability with regard to such information.
12. CHANGES TO THIS PRIVACY POLICY
If Expensify makes changes to this Privacy Policy, these changes will be posted on the Site and Application in a timely manner. Expensify reserves the right to modify this Privacy Policy at any time, so please review it frequently. You acknowledge that the updated policy will apply to the collection, storage, use or disclosure of Personal Data from the date of publication and it is your responsibility to check the Site and Application regularly for updates. You can determine when this Privacy Policy was last revised by referring to the “Last Updated” legend at the top of this page. Any changes to this Privacy Policy will become effective upon our posting of the revised Privacy Policy on the Site and Application. If we make any material changes, we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this Site prior to the change becoming effective. Use of the Expensify Service following such changes constitutes your acceptance of the revised Privacy Policy then in effect. We encourage you to periodically review this page for the latest information on our privacy practices.
13. OVERSEAS DISCLOSURE
Expensify is based in the United States, and, unless we expressly agree otherwise, we may host, transfer, and process data, including Personal Data, in the United States and in other countries through Expensify and third parties that we use to operate and manage the Service. These countries may have data protection laws that are different from those of your country of residence. When you access or use the Service, or otherwise provide information to us, you understand and acknowledge that the processing and transfer of information in and to the United States and other countries which may have different privacy laws from your or their country of residence. Expensify takes appropriate measures to ensure such transfers are in compliance with applicable laws and subject to the additional jurisdictional terms set forth in Section 15(A) and 15(D) below.
14. DATA RETENTION
Other than in aggregated or de-identified, form as permitted under the Expensify Terms of Service, and except as required by applicable law, we will delete or otherwise destroy your Personal Data as soon as practicably possible following your termination or cancellation of your use of the Expensify Service.
Expensify will retain data licensed to our Corporate Members as set forth in the Expensify Terms of Service for as long as needed to provide services to our Corporate Member. Expensify will retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We ensure that Personal Data we dispose of is de-identified or destroyed in a secure fashion.
The Corporate Member with which you are affiliated with may have specific policies concerning the retention of data including User Content. Please consult the entity or organization with which you are affiliated with for additional detail about its specific data retention policies.
15. JURISDICTION-SPECIFIC PROVISIONS
A. Additional Disclosures for Data Subjects in the United Kingdom, European Economic Area (EEA), and Switzerland
I. International Transfers
Where we transfer your Personal Data to another country outside the UK, EEA and / or Switzerland, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside the UK and / or EEA, for example, this may be done in one of the following ways:
1. the country that we send the data to might be approved by relevant data protection authorities as offering an adequate level of protection for Personal Data;
2. the recipient might have signed up to a contract based on “model contractual clauses” approved by relevant data protection authorities, obliging them to protect your Personal Data;
3. the recipient may have adhered to binding corporate rules (only for intragroup transfers); or
4. in other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.
You can obtain more details of the protection given to your Personal Data when it is transferred outside the UK, EEA and / or Switzerland (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as described in Section 16 below. Please note, following recent decisions invalidating the adequacy of the EU-U.S. and Swiss-U.S. Privacy Shields, we no longer rely on the Privacy Shields for cross-border personal data transfers. However, Expensify still participates in the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks and more information about this program is also provided below.
II. Our Relationship with You
Expensify is made up of different legal entities, Expensify Inc., the parent company, and Expensify Ltd., a subsidiary. This Privacy Policy is issued on behalf of the Expensify Group so when we mention “Expensify”, “we”, “us” or “our” in this Privacy Policy, we are referring to the relevant company in the Expensify Group responsible for processing your data. Expensify, Inc. is the controller for all of your Personal Data unless explicitly otherwise identified in the applicable contracts.
We have appointed an Expensify Group entity based in the Netherlands to act as our representative in the EU. If you are located in the EU, you may address this entity to raise any issues or queries relating to our processing of your Personal Data. Our EU representative is Expensify Netherlands B.V. and can be contacted in the manner set out at Section 16 below.
III. Legal Basis for Processing
We have listed the use of your Personal Data by us in Section 6 above. The legal grounds on which we process the Personal Data for those uses includes; if you consent to the processing, to satisfy our legal obligations, if it is necessary to carry out our obligations arising from any contracts we entered with you or to take steps at your request prior to entering into a contract with you, or for our legitimate interests to providing our services to our customers and the effective management of Expensify and to protect our property, rights or safety of Expensify, our customers or others. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.
IV. Your Privacy Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, such as:
Access: The right to request access to the Personal Data that Expensify has about you;
Rectification: The right to rectify or correct any Personal Data that is inaccurate or incomplete;
Portability: The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Expensify directly transfer your Personal Data to one more third parties;
Objection: The right to object to the processing of your Personal Data for certain purposes;
Erasure: The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.
Restriction: You have the right to request that we restrict our processing of your Personal Data where you believe such data to be inaccurate; our processing is unlawful; or we no longer need to process such data for a particular purpose, but where we are not able to delete the data due to a legal or other obligation or because you do not want us to delete it.
Consent: the right to withdraw your consent to the processing of your Personal Data at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason for doing so. For example, we may need to retain Personal Data to comply with a legal obligation
The rights described above may not be absolute and are limited by applicable laws.
You can exercise your privacy rights by contacting us via email at: [email protected]. We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security.
International and Onward Transfers of Data
Information that our European users submit through the Expensify Service or the Site is sent to and stored on secure servers located in the United States of America and may be transferred by us to our other offices and/or to the third parties (such as our Partner Companies, as defined below), who may be situated in the United States of America or elsewhere outside the European Economic Area (EEA) and may be processed by staff operating outside the EEA. The US and other non-EEA countries do not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States and some other non-EEA countries in respect of law enforcement and national security authority access to data is significantly different from Europe. However, we will ensure as reasonably as possible that where your personal information is to be transferred or shared outside the EEA, that it is only transferred or shared where we have appropriate safeguards in place, for example by agreeing standard contractual clauses adopted by the European Commission..
For individuals located in the European Economic Area (“EEA”), United Kingdom, or Switzerland (collectively the “Designated Countries”): Where personal data are transferred to a third country or to an international organisation, Expensify implements appropriate safeguards, such as contractual obligations, and standard contractual clauses adopted by the European Commission relating to the transfer.
You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details here for individuals located in the EEA and here for individuals located in the United Kingdom.
Participation in the Privacy Shield
Please note, following recent decisions invalidating the adequacy of the EU-U.S. and Swiss-U.S. Privacy Shields, we no longer rely on the Privacy Shields for cross-border personal data transfers and instead rely on mechanisms set forth in Section 15(A)(1). However, Expensify, Inc. and its subsidiary company, Expensify Ltd. still comply with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union and the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. Expensify, Inc. and its subsidiary company, Expensify Ltd. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. Visit the Privacy Shield website to learn more about the program and view our certification.
The Privacy Shield Framework and Privacy Shield Principles only apply to Members and Corporate Members located in the EU. Accordingly, Expensify, Inc. is not liable under the Privacy Shield Framework and Privacy Shield Principles to Members or Corporate Members located outside the EU.
Expensify likewise is responsible for the processing of Personal Data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Data from the EU and Switzerland, including the onward transfer liability provisions.
In compliance with the Privacy Shield Principles, Expensify Inc. commits to resolve complaints about our collection or use of your Personal Data. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Expensify Inc. via email at:: [email protected] or via post addressed to Operations Lead, 88 Kearny Street, San Francisco, CA 94108.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you can file a report with our U.S.-based third party dispute resolution provider (free of charge). As further explained in the Privacy Shield Principles, a binding arbitration option also be made available to you in order to address residual complaints not resolved by any other means.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
B. Additional Disclosures for California Residents
These Additional Disclosures for California Residents supplements the information contained in this Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”).
I. CCPA Disclosures
We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice. This Privacy Policy contains Expensify’s required notices and disclosures including its Privacy Policy for California Residents, Notice of Collection, Notice of Opt Out Rights, and Notice of Financial Incentives requirements.
This Notice does not apply to employment-related Personal Information collected from California-based employees, job applicants, contractors, or similar individuals, or to persons interacting with us in their capacity as a representative of a business.
Consumers who have a visual disability may be able to use a screen reader or other text-to-speech or text-to-Braille tool to review the contents of this notice. If you need to access this Policy in an alternative format due to having a disability, please contact [email protected].
Definitions Specific to this Section
The CCPA includes definitions for terms specific to this California Privacy Policy that do not apply to the rest of this Privacy Policy, including the following terms:
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include publicly available information obtained from government records; deidentified or aggregated consumer information that cannot be reconstructed to identify you; any information covered under the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, activities covered by the Fair Credit Reporting Act, or protected health information as defined under the Health Insurance Portability and Accountability Act.
“Sale” or “sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Information by the business to another business or a third party for monetary or other valuable consideration.
“Service Provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s Personal Information for a business purpose pursuant to a written contract.
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.
Personal Information of Minors
The Expensify Service is not intended for children or minors under the age of 18 years old without express consent or authorization from a parent or a legal guardian. Accordingly, we do not knowingly collect or store information about minors under the age of 18, and we do not sell the Personal Information of minors. If you believe that we have unintentionally received Personal Information about a minor under the age of 18 years old, please contact us at [email protected].
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months or delete certain information. Please note that there are circumstances in which we may not be able to comply with your request pursuant to the CCPA, including when we cannot verify your request and/or when there is a conflict with our own obligations to comply with other legal or regulatory requirements, or other reasons provide by law. We will notify you following submission of your request if this is the case.
The disclosure rights include:
The categories of Personal Information we collected about you.
The categories of sources for the Personal Information we collected about you.
Our business or commercial purpose for collecting or selling that Personal Information.
The categories of third parties with whom we share that Personal Information.
The specific pieces of Personal Information we collected about you (and access thereto, also called a data portability request).
Whether we have disclosed your personal information for a business purpose and if so, the categories of personal information that each category of recipient received.
Right to Request Deletion
You have the right to request that we delete your personal information. Under certain circumstances Expensify may be unable or otherwise not required to delete your personal information, for example, to comply with legal obligations, or to complete a business transaction that you have requested.
Right to Non-Discrimination
You have a right not to receive discriminatory treatment for exercising your privacy rights as identified in this section of the privacy notice as conferred by the CCPA.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a consumer request to us via email at: [email protected] with the subject line “California Rights Request,” or via webform. We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account. If you request access to or deletion of your personal information and do not sign in to an account with us, we require you to provide the following information: name, email address, phone number, and postal address. In addition, if you do not have an account and you ask us to provide you with specific pieces of personal information, we reserve the option to require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
Response Information
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
Authorized Agents
You may designate an authorized agent to exercise your rights under the CCPA on your behalf, however we may deny a request as permitted by the CCPA. To designate an authorized agent, you must provide the agent, and the agent must present to us, written permission signed by you. We may also require you to verify your identify directly with us and directly confirm with us that you provided the authorized agent permission to submit the request, unless your authorized agent provides us with power of attorney pursuant to Probate Code sections 4121-4130.
Sale of Personal Information
We have not sold the personal information of California residents in the preceding twelve months. We do not sell the personal information of minors under the age of 16 years of age. This fact notwithstanding, you can opt out of data sale by emailing a request to that effect to: [email protected].
Collection, Use and Disclosure of Personal Information
The categories of Personal Information that we collect and the sources from which we collect them are described above in Section 3 entitled Types of Personal Data We Collect and How It Is Collected. These categories include identifiers, commercial information, financial data, internet activity information and professional or employment-related information as described in Section 1798.140(o) of the CCPA. The business/commercial purposes for which we use these categories of Personal Information are described in Section 6 above entitled Use of Your Personal Data. The categories of third parties to which we share these categories of Personal Information are described in Section 7 above entitled Disclosure of Your Personal Data. The foregoing describes our practices as of, and during the twelve-month period preceding, the effective date of the Privacy Policy.
II. Other California Privacy Rights
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits Members who are California residents to request and obtain from us once a year, free of charge, certain information about the Personal Data (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of Personal Data that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to[email protected].
The “Do Not Track” disclosure can be found above in Section 5 entitled Expensify Cookie Policy and Use of Tracking Technologies.
C. Additional Disclosures for Nevada Residents
Pursuant to Nevada law, you may direct a business that operates an internet website not to sell certain Personal Information a business has collected or will collect about you. Expensify does not sell your Personal Information pursuant to Nevada law. For more information about how we handle and share your Personal Information or your rights under Nevada law, contact us at [email protected].
D. Additional Disclosures for Australian Residents
If you are in Australia, our collection, storage, use and disclosure of your Personal Data will be subject to this Privacy Policy and the Privacy Act 1988 (Cth) (Privacy Act). Any part of this Privacy Policy that is illegal, unenforceable or inconsistent with the Privacy Act may be severed from this Privacy Policy and the remaining terms or parts of the term of this Privacy Policy will continue in force. In addition, the following information applies to you.
Pseudonymity
If you are making a general enquiry only, you may deal with us through the use of a pseudonym. However, we will not be able to provide you with any specific information about your account if you fail to identify yourself to us.
Data Transfer Disclosure
Personal Data provided to us by Members or Corporate Members located in Australia may be disclosed to service providers located outside Australia, including in the US, including providers of cloud or other types of networked or electronic storage.
Although these third parties are subject to privacy and confidentiality obligations imposed by contract or the regulatory frameworks of the jurisdiction in which those third parties are located, you acknowledge that:
they may not always comply with those obligations, or those obligations may differ from the obligations imposed by privacy and data protection legislation in your jurisdiction; and
the third party may be subject to foreign laws which might compel further disclosures of personal information (e.g. to government authorities).
Secondary Purpose
You acknowledge that we may use or disclose your Personal Data for a reason other than the reasons set forth in Section 6 or Section 7 (a “secondary purpose”) where the secondary purpose is connected to or associated with a purpose for collection set out in this Privacy Policy, or directly connected to or associated with a purpose for collection if the information is ‘sensitive information’ as that term is defined under the Privacy Act.
16. QUERIES, CONCERNS, AND COMPLAINTS
If you have any queries, concerns or complaints about the manner in which we have collected, stored, used or disclosed your personal information, please contact the Data Protection Officer at [email protected]. We will treat your complaint confidentially and, after investigating your complaint, discuss the ways in which we can remedy the situation. We will ensure that we respond to your complaint within a reasonable time (and in any event within the time required by applicable law).
If your inquiries or complaints regarding our Privacy Policy or use of data that have not been resolved to your satisfaction within 30 days via the means set forth herein, please contact:
The Office of Australian Information Commissioner (if you are an Australia individual);
The Information Commissioner’s Office (if you are a United Kingdom individual);
These EEA offices (if you are a European Union individual); or
The Federal Trade Commission (if you are a United States individual).
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO at [email protected].