GDPR Privacy Notice

For the Service offered directly to end users or to business customers, the data controller is:

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on Personal Data (e.g., collection, storage, use, disclosure).
• Controller: Entity that determines purposes and means of processing Personal Data.
• Processor: Entity that processes Personal Data on behalf of a controller.

• Account & Profile: Name, email, role, company, authentication details, preferences.
• Expense & Time Data: Report titles, categories, amounts, receipts, time entries, project codes, comments.
• Usage & Device: Log data, IP address, browser type, device identifiers, interaction events.
• Support: Messages, feedback, and contact details when you reach out to us.
• Cookies/Similar Tech: See our Cookie Policy for details on categories and lifetimes.

We process Personal Data for the purposes and under the legal bases listed below:

• Provide & Operate the Service: Performance of a contract (Art. 6(1)(b)), Legitimate interests (Art. 6(1)(f)).
• Authentication & Security: Legitimate interests; Compliance with legal obligations (Art. 6(1)(c)).
• Billing & Account Management: Performance of a contract; Legal obligations.
• Support & Communications: Performance of a contract; Legitimate interests; Consent where required.
• Analytics & Improvements: Legitimate interests; Consent for non-essential cookies (Art. 6(1)(a)).
• Legal & Compliance: Compliance with legal obligations; Establishment, exercise or defense of legal claims.

We share Personal Data with service providers acting as processors under written agreements that require appropriate safeguards and processing only on our documented instructions. We may also share data with professional advisors, authorities, or other third parties where legally required or to protect our rights.

Where available, you can review our list of sub-processors in-app or by contacting us.

If Personal Data is transferred outside the EEA/UK/Switzerland, we implement appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum/IDTA, or rely on adequacy decisions, as applicable. Copies of relevant safeguards may be requested using the contact details below.

We keep Personal Data only as long as necessary for the purposes described in this notice, including to provide the Service, comply with legal obligations (e.g., financial record-keeping), resolve disputes, and enforce agreements. Retention periods vary by data category and context.

We employ technical and organizational measures designed to protect Personal Data, including access controls, encryption in transit where appropriate, least-privilege principles, and monitoring. No method of transmission or storage is 100% secure.

Subject to conditions and exceptions under GDPR, you may have the following rights regarding your Personal Data:

• Access (to know whether we process your data and obtain a copy).
• Rectification (correct inaccurate or incomplete data).
• Erasure (delete data) in certain circumstances.
• Restriction of processing in certain circumstances.
• Data portability where processing is based on consent or contract and carried out by automated means.
• Objection to processing based on legitimate interests and to direct marketing.
• Withdraw consent at any time where processing is based on consent.

To exercise your rights, contact us using the details below and indicate the right you wish to exercise. We may request information to verify your identity and will respond within applicable timeframes. If your employer is the controller, please direct your request to them first.

We do not make decisions producing legal or similarly significant effects solely based on automated processing, including profiling, without human involvement. If this changes, we will update this notice and, where required, obtain consent.

The Service is intended for business use and not directed to children. We do not knowingly collect Personal Data from children under applicable age thresholds. If you believe a child has provided Personal Data, contact us to request deletion.

We may update this GDPR Privacy Notice from time to time. If changes are material, we will provide additional notice (e.g., via the Service) and update the “Last updated” date above.

If you have questions or concerns about this notice or our data practices, contact us: