Privacy Policy

Last updated: August 1, 2024

At Expensify, Inc. ("Expensify", "we", "us", or "our", which include our group and affiliated companies, including, without limitation, Expensify Payments LLC, Expensify Limited, Expensify Australia Pty Ltd, and Expensify Canada Inc., which such entities collect information from users from particular jurisdictions), our most important asset is our relationship with our user community. We are committed to maintaining the confidentiality, integrity and security of information about our users and their organizations. This privacy policy ("Privacy Policy" or "Policy") describes how we collect, use, disclose, share and secure the personal and company information you provide when you use our expense management, invoicing or bill processing software, through our mobile application (the "Application") or visit the Expensify websites www.expensify.com or use.expensify.com or new.expensify.com (collectively, the "Site" and, together with any related software, tools and services provided in connection with the Application or the Site, the "Expensify Service"). It also describes your choices regarding the use, access and correction of your Personal Data (as defined in Section 3 of this Privacy Policy) and how to contact us if you have any further queries or complaints about our management of your personal information.

In this Privacy Policy, "you" and "your" refer to individual users of the Expensify Service, as well as to Members and Corporate Members. "Members," "Corporate Members," and other capitalized terms not defined in this privacy policy are defined in the Expensify Terms of Service.

We process your Personal Data as set out in the Privacy Policy which you should read.

Please review the Jurisdiction-specific provisions below for more information if you are visiting from Europe, Australia, California, Colorado, Connecticut, Nevada, Utah, or Virginia.

1. Member Acknowledgment

By submitting or making available Personal Data (as defined below) through the Expensify Service, you confirm that you have read and acknowledged the terms of this Privacy Policy and you understand our practices around the collection, storage, use and disclosure of your Personal Data in accordance with this Privacy Policy.

2. A Note About Children

We do not intentionally gather Personal Data about individuals who are under the age of 18. If you become aware that we inadvertently hold or have access to Personal Data about anyone under 18, please let us know so we can delete it.

3. Types of Personal Data We Collect and How It Is Collected

Personal information or "Personal Data", means any information about an individual from which that person can be identified, or which when combined with other information which is in the possession of, or is likely to come into the possession of, Expensify could be used to identify that person. If you are accessing the Expensify Service from Australia, "Personal Data" also includes any information or opinion, whether true or not and whether recorded in material form or not, by which you may be reasonably identifiable. Expensify will not use your Personal Data except as set forth in this Privacy Policy and in the Terms of Service.

We may collect (both directly and indirectly), use, store and transfer different kinds of personal data about you. For specific details about how Expensify does this with cookies, identifiers and other tracking technologies please review the Expensify Cookie Policy below. The categories of Personal Data we collect, use, store and transfer have been grouped together as follows:

  • Registration Data. When you purchase or register for our Services or sign up for our Corporate Card Program or create an Expensify account, we collect directly from you (or for certain corporate accounts, from your employers) Personal Data, including your name, date of birth, billing and mailing address, email, professional title, company name, phone numbers, credit card, other payment information, and password and/or other sign-on mechanism. In addition, we (or our third-party credit card or payment processor on our behalf) will collect Personal Data including your credit card number or account information when you upgrade to a paid account or use a feature or function in the Expensify Service that requires payment, such as accessing a Workspace.

  • Transaction Data that Allows Us to Provide our Services to You. This includes current and historical financial information, such as bank account, payment card and other payment account, contact information (billing and mailing address, email address, and phone numbers), expense data, receipts, transaction data imported from third party financial service companies, and other details about reimbursements and payments to and from you and other details of products and services you have purchased from us. If you participate in the Corporate Card Program, Corporate Karma Program and/or Personal Karma Program (each subject to the Karma Program Terms), we may collect Personal Data including your name, contact information, and donation amount(s) and/or Karma Points balance, and share this information with Expensify.org, a California nonprofit public benefit corporation and a charitable affiliate of Expensify. Visit Expensify.org for more details. If you inquire about or participate in the Payroll Service (subject to the Payroll Terms), we may collect or receive from you, your employer, or your employer's Corporate Administrator, your Personal Data including financial information (such as bank account and routing number, bank account balance and transaction information); identification information (such as your name, mailing address, email address, phone number, birthdate, social security number, taxpayer identification number, and government-issued documentation, such as a driver's license or passport); and taxpayer information (such as your Federal Employer Identification Number and tax withholding selections, including the number of dependents you have, jobs you've worked in a year, and your tax filing status). We collect your location-based information for the purpose of mileage tracking, providing location specific features, and to confirm your Expensify cardholder status for specific events associated with the services. We may share your geo-location data with third parties for the sole purpose of providing these services. If you do not wish to allow us to collect and/or share your information in this manner please opt out by contacting us at concierge@expensify.com.

  • Technical Data. The Expensify Service (which may be hosted by a third-party service provider) collects Personal Data from you, such as browser type, your approximate geographic location of your mobile device or computer (from your Internet Protocol (IP) address), operating system and version, Internet Protocol (IP) address, domain name, information about your application, operating environment and hardware profiles and/or a date/time stamp for your visit. We may also use Identifiers (as defined below) and navigational data like Uniform Resource Locators (URL) to gather information regarding the date and time of your visit and/or access to the Expensify Service and your activity on the Site and the Application. Like most internet services, we automatically gather this Personal Data and store it in log files each time you visit the Site, use the Application or access your account on our network. We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the Application, the events that occur within the Application, aggregated usage, performance data, and where the Application was downloaded from. We do not link the information we store within the analytics software to any Personal Data you submit within the mobile Application.

  • Information about your Interactions with Expensify. We collect information about your interactions with Expensify, which may include your use of our products, services, websites or apps, including information collected using Cookies and other technologies (for further information on how we use Cookies and the information we collect using Cookies, see our cookies policy in Section 5 below). It may also include communications with us, such as if you contact our customer service centers, including recording calls and the contents of your device screen (by Expensify itself or using a third-party service) for quality and training purposes. This may also include data about your participation in promotions or programs. This may also include data about how you exercise rights or preferences regarding your data. We also retain information on your behalf, such as the Personal Data described above and any correspondence. If you provide us feedback or contact us via email, we will collect your name and email address, IP address, as well as any other content included in the email, in order to send you a reply, and any information that you submit to us, such as a resume. If we conduct a survey in which you participate, we may collect additional profile information. We may also collect Personal Data at other instances in the Site or Application user experience where we state that Personal Data is being collected.

  • Other Self-Reported Information. You have the option to provide us with additional information about yourself and others through surveys, forms, features and applications. Where such information is not required by Expensify for the purposes of providing the services to you, you acknowledge that Expensify may store, use and disclose such Personal Data in accordance with this Privacy Policy.

  • Member-Generated Content. Some of our Services allow you to create and post or upload content, such as data, text, SMS, software, music, audio, photographs, graphics, video, messages, or other materials that you create or provide to us or to other Members or Non-Members through either a public or private transmission. For example, Member-Generated Content includes any discussions, posts, or messages you send on our Forums, as well as messages or SMS you send using Expensify Chat. Our Site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them, as well as by our third party service providers such as OpenAI, L.L.C., to ensure compliance with our Acceptable Use Policy and Content Standards through our Enforcement Policy, or third-party suppliers such as Spotnana Technology, Inc.

  • Referral Information and Sharing. When you refer a person to Expensify, we will ask for that person's name, phone number and/or email address and collect this information directly from you. By participating in a referral program or by choosing to share information with another person, you confirm that the person has given you permission for Expensify to communicate with him or her. If you choose to use our referral service to tell a friend about Expensify, or if, as a Corporate Administrator, you refer an employee or other authorized service provider to connect with your Workspace (each such individual, a "Referred Party"), you must seek permission of the Referred Party so that Expensify may use their name, phone number and/or email address to contact them about the Expensify Service. By providing us with the Referred Party's name and email address, you warrant that the Referred Party agrees to such contact. We will automatically send your friend a one-time email or SMS message inviting him or her to visit the site. If you were referred by a friend or a Corporate Administrator, and you activate an Account, Expensify shall treat such Personal Data as if you had directly provided it to Expensify, which such Personal Data will be processed as set forth in this Privacy Policy. If your friend is a resident of the European Economic Area, the United Kingdom or Australia, please make sure they are happy to be contacted by us.

  • Social Media Features and Widgets. Our Site includes Social Media Features, such as the Facebook "Like" button and Widgets ("Features"). These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. They may also allow third party social media services to provide us information about you, including your name, email address, and other contact information. The information we receive is dependent upon your privacy settings with the third-party social media service. Features are either hosted by a third party or hosted directly on our site. Your interactions with these Features are governed by the privacy statements of the third-party companies providing them. You should always review and, if necessary, adjust your privacy settings on third party websites and services before linking or connecting them to our website or Service.

  • Third-Party Data. We will collect your Personal Data from you unless it is unreasonable or impracticable to do so. However, we may collect, receive, and retain Personal Data about you from the following non-publicly accessible sources: (i) companies that distribute the Expensify Service by way of a co-branded or private-labeled website, (ii) companies that offer their products and/or services via the Expensify Service, (iii) companies affiliated with Expensify, such as Expensify.org, (iv) companies that provide services (such as payment processing services) in connection with the Expensify Service, including without limitation Issuers and Card Networks (as such terms are defined in the Corporate Card Program Terms); or (v) financial institutions or credit bureaus (collectively, "Partner Companies"). Our Partner Companies may supply us with Personal Data, such as your name and email and mailing address, bank account, credit, or financial information or your login credentials for such Partner Company's website or service, in order to help us establish the account or fulfil our obligations to you. We may also collect your Personal Data if necessary from public sources (such as LinkedIn, Corporate Subscribers Websites, Clearbit, LexisNexis). We may add this information to the information we have already collected from you via our Site or Application in order to perform and improve the Expensify Service. If you provide us Personal Data about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.

We also collect, use, and share aggregated or de-identified data, such as statistical or demographic data. This information has either been de-identified or otherwise combined with that of other users and analyzed or evaluated as a whole, such that no specific individual may be identified. We may use aggregated or de-identified data for purposes such as research and marketing purposes and may also share such data with any third parties, including advertisers, promotional partners, sponsors, event promoters, and/or others.

We do not collect any "Special Categories of Personal Data" about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data) nor do we collect any information about criminal convictions and offences.

4. Third-Party Links

This Privacy Policy applies only to the use and disclosure of Personal Data that we collect while you use the Expensify Service. Our provision of a link to any other website or location is for your convenience and does not signify our endorsement of such other website or location or its contents. When you click on such a link, you will leave the Expensify Service and go to another site. During this process, a third party may collect Personal Data from you. We have no control over, do not review, do not endorse, and cannot be responsible for, these outside websites or their content. Please be aware that the terms of this Privacy Policy do not apply to these outside websites or content, or to any collection of data after you click on a link to a third party. If you submit Personal Data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

5. Expensify Cookie Policy and Use of Tracking Technologies

When you interact with the Site or the Application, we try to make that experience simple and useful. We and our partners use industry standard identifiers, such as cookies or other similar technologies. We will generally refer to cookies, web beacons, flash cookies, and pixels collectively as "cookies", "tracking technology" or "identifiers" in this policy. By using our Services, you are agreeing that we can use cookies and other tracking technologies described in this Cookie Policy.

5.1 What are cookies and how long are they stored?

Cookies are small pieces of information which are issued to your computer or mobile device (as the case may be) when you visit a website or access or use a mobile application and which store and sometimes track information about your use of the Site or Application (as the case may be). A number of cookies we use last only for the duration of your web or Application session and expire when you close your browser or exit the Application (known as "session cookies"). Other cookies are used to remember you when you return to the Site or Application and will last for longer (known as "persistent cookies"). A persistent cookie lasts until you or your browser deletes the cookies or they expire.

Cookies set by us are called "first party cookies", while cookies set by parties other than Expensify are called "third party cookies". The parties that set third party cookies can recognize your device, both when you use the Services and when you use other websites or mobile apps. You should check the third party's website for more information about how they use cookies and other tracking technologies. Both first party and third party cookies can serve a number of different functions, such as analytics, marketing and advertising.

5.2 What other similar tracking technologies does Expensify use?

  • Web Beacons: In addition to cookies, web beacons may be set by us or third parties in respect of your use of the Site or Application. Web beacons are small image files within the content of the Site or Application for analytics purposes so we or third parties can understand which parts of the Site or Application are visited and which functions of the Site or Application are used and whether particular content is of interest.

  • Flash cookies: We may also use so-called "flash cookies" (also known as "Local Shared Objects" or "LSOs") to collect and store information about your use of our Services.

  • Mobile Device Identifiers: We also use mobile device identifiers which perform a similar role, like the IDFA used by Apple devices and the UDID used by Android devices.

5.3 How do we use cookies?

We use cookies to provide our Site, gather information about your usage patterns when you navigate the Sites in order to enhance your personalized experience, and to understand usage patterns to improve our Sites, products, and services. We also allow certain third parties to place cookies on our Site in order to collect information about your online activities on our Sites over time and across different websites you visit. This information is used to provide advertising tailored to your interests on websites you visit, also known as interest based advertising, and to analyze the effectiveness of such advertising.

Usage information may be linked to your account in order to assist Expensify to provide services to your account, for example analyzing data for the purposes of troubleshooting. Expensify will not sell or disclose usage data to any third party unless such usage data has been aggregated or de-identified.

Cookies on our Sites are generally divided into the following categories:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website or provide necessary functions relating to the services you request. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

  • Analytical or performance cookies. These allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These cookies also allow us to collect statistical information about how you use the Site or App (including how long you spend on the Site or Application) and where you have come to the Site or Application from, so that we can improve the Site and learn which parts of the Site and which functions of the Application are most popular with users.

  • Functionality cookies. These cookies enable helpful but non-essential website functions that improve your website experience. By recognizing you when you return to our website, they may, for example, allow us to personalize our content for you, greet you by name, or remember your preferences (for example, your choice of language or region). This also enables us to customize elements of the promotional layout and/or content of the pages of the Site or Application. We also use functional social media plug-ins, such as the Facebook "Like" button and Widgets, such as the "Share this" button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our Site, and may set an Identifier to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the Privacy Policy of the company providing it.

  • Targeting cookies. These cookies enable different advertising related functions. They may allow us to record information about your visit to our website, such as pages visited, links followed, and videos viewed so we can make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

5.4 Your Choices

5.4.1 Cookies

Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. Here are links to information from some of the larger browsers about how you can control your browser cookies: Chrome, Firefox, Safari, Microsoft Edge. Visit All About Cookies.org to learn more about cookies and how to block cookies using different types of browser or mobile device. Please note, however, that by blocking or deleting cookies used on the Site or Application, you may not be able to take full advantage of the Expensify Service.

5.4.2 Behavioral Advertising

We may partner with a third party to either display advertising on our Site or Application or to manage our advertising on other sites. Our third-party partner may use technologies such as cookies to gather information about your activities on this website and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising click https://optout.networkadvertising.org/?c=1 or https://youradchoices.com/control (or if located in the European Union click here). Please note you will continue to receive generic ads.

If you would like more information about cookies and targeted advertisements or to opt out of having this information used by companies that are part of the Network Advertising Initiative, please click here or the Digital Advertising Alliance, please click here.

5.4.3 Analytics

We and our vendors (including but not limited to Google Analytics) may use Identifiers and similar tracking technologies to monitor performance and usage on the site for internal analytics and performance monitoring. These Identifiers and similar tracking technologies are used to help the Site collect and store information regarding your visit, such as session state and authentication tokens. Users can control the use of cookies at the individual browser level but if you choose to disable cookies, it may limit your use of certain features or functions provided through the Expensify Service. To manage Flash cookies, please click here.

To opt out of Google Analytics you can download a Browser Add-On.

The use of Identifiers by our vendors is not covered by our Privacy Policy. We do not have access or control over these cookies.

We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the Application, the events that occur within the Application, aggregated usage, performance data, and where the Application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile Application.

5.5 Do Not Track Statement

Some browsers have a "do not track" feature that allows you to tell websites that you do not want to have your online activities tracked. At this time, due to a lack of industry standards, we do not respond to browser "do not track" signals.

6. Use of Your Personal Data

Expensify and our Partner Companies may use your Personal Data in the following ways:

  • to facilitate the creation of and secure your account on our network;

  • to identify you as a Member or Non-Member in our system;

  • to administer and provide improved administration of the Expensify Service;

  • to improve the quality of experience when you interact with the Expensify Service, including staff training;

  • to send you a welcome email to verify ownership of the email address provided when your account was created;

  • to send you administrative email and/or chat notifications, such as security or support and maintenance advisories;

  • to collect fees and payments owing to us;

  • to respond to your inquiries related to employment opportunities or other requests and to resolve disputes;

  • to provide you with access to and information about customized features, new functionality, and partner integrations;

  • to determine your eligibility to use the various programs that are part of the Expensify Service;

  • to send promotional communications newsletters, personal interest pieces, interests for the Expensify community, and news about events, elections, and campaigns;

  • to connect Members with each other and volunteers of Expensify.org as part of the Karma Program;

  • to provide you with hardcopy or electronic newsletters, or surveys;

  • to operate our business, including to process payment transactions, manage and enforce contracts with you or with third parties, manage our corporate governance, compliance and auditing practices, and generate anonymized or aggregated data;

  • to send with your consent (or where a friend has referred you to us) upgrades and special offers related to the Expensify Service and for other marketing purposes of Expensify or our Partner Companies;

  • to prevent and identify fraud and other illegal activity including but not limited to making telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback;

  • to verify your identity as part of compliance with requirements of Partner Companies or applicable regulations;

  • to resolve disputes and protect the rights of Members and third parties;

  • to respond to claims and legal process (such as subpoenas and court orders);

  • to monitor and enforce compliance with the applicable Terms of Service;

  • to prevent or stop any activity that may be illegal, unethical, or legally actionable;

  • to compare information provided by you for accuracy and verification with third parties;

  • to provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses and responding to consumer rights requests;

  • with respect to Bancorp, as set forth in the Bancorp Privacy Notice below;

  • as otherwise described to you when collecting your personal information; directed by you; needed to comply with laws; and

  • to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our consumers is among the assets transferred.

From time to time, we may also use your Personal Data to send important notices to you, such as communications about purchases you have made, or changes to our terms and conditions or other policies. This information is important to your interactions with us, and you acknowledge that if you opt out of receiving these communications, where permitted by applicable law, Expensify reserves its right to discontinue its services to you.

If you provide feedback on the Expensify Service, we may use such feedback for any purpose. Expensify will collect and store any information contained in such communication and will treat the Personal Data in such communication in accordance with this Privacy Policy.

Any information, including Personal Data, which you elect to make publicly available on the Expensify Service will be available to other Members or the public. If you remove information that you have made public on the Expensify Service, copies may remain viewable in cached and archived pages of the Expensify Service, or if other Members have copied or saved that information.

In some cases we collect information provided by our Corporate Members, and in such cases, we have no direct relationship with the individuals whose Personal Data we process. If you believe your Personal Data has been collected by us in such circumstances, and would no longer like to be contacted as an employee or customer of one of our Corporate Members, please contact that Corporate Member directly in order to request your removal.

We may send you push notifications from time to time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device such as operating system and user identification information.

7. Disclosure of Your Personal Data

We may share your Personal Data with Partner Companies to provide technical support or to provide specific services, such as hosting of your applications, maintenance services, database management or payment processing for purchases, reimbursements, payroll, or other payments (including but not limited to PayPal and Bancorp), and with your consent, to register you for participation in the Corporate Card Program. Partner Companies will have access to your Personal Data only to perform these services on our behalf and are obligated not to disclose or use it for any other purpose, other than Bancorp as set forth in the notice below. They may be located, or their data processing activities may take place, in the United States of America or elsewhere outside the European Economic Area (EEA).

Any subsidiaries, joint ventures, or other companies under common control with us (collectively, "Related Entities"), may share some or all of your Personal Data, in which case we will require our Related Entities to honor this Privacy Policy and your Personal Data will only be used for the purposes set out in this Privacy Policy.

A key feature of Expensify's Karma Program is the opportunity for those enrolled in the Karma Program to receive emails and chats from Expensify and participants in the Karma Program. Whether you signed up for the program on your own behalf or are a member of the Karma Program through your Corporate Member, as part of administering this program we will disclose your chosen login credentials (e-mail address or phone number, depending on your chosen registration method) to volunteers of the Karma Program and other Members participating in the Karma Program.

Expensify may sell/divest/transfer the company (including any shares in the company), or any combination of its products, services, assets and/or businesses. Personal Data may be among the items sold or otherwise transferred in these types of transactions; you will be notified via email and/or a prominent notice on our Site of any change in ownership of your Personal Data. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the company.

In certain situations, Expensify and its Partner Companies may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Expensify may disclose Personal Data if it is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants or lawful requests from government authorities served on Expensify; or (b) protect or defend the rights, reputation or property of Expensify or users of the Expensify Service. We look for opportunities to be an advocate for you when law enforcement or other third parties subject to a legal process seek to encroach on your privacy. If we receive requests from law enforcement or private parties seeking information, we are prepared to take a stand when appropriate. We have various tools at our disposal that we may elect to rely on to do so depending on the circumstances, for example: our legal team reviewing these requests to ensure that parties are following applicable laws and statutes; rejecting or challenging requests that have no legal basis or are unclear, overbroad, or otherwise inappropriate; construing legal process as narrowly as possible; encouraging parties to look elsewhere for the information. We are prepared to ensure that requests have a legal basis.

Except as otherwise stated in this policy and our Terms of Service, we do not sell, trade, share, or rent the Personal Data collected from the Expensify Service to third parties.

We may aggregate or de-identify information collected through the Expensify Service so that such information is no longer directly identifiable to an individual. We may use and share such aggregated or de-identified information solely for marketing purposes or distribution to third party research firms.

7.1 Expensify Payments LLC Privacy Notice

FACTS WHAT DOES EXPENSIFY PAYMENTS LLC DO WITH YOUR PERSONAL INFORMATION?
Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.
What? The types of personal information we collect and share depend on the product or service you have with us. This information can include:
  • Name and date-of-birth
  • Social Security number
  • Personal and/or business address
  • Account balances and transaction history
When you are no longer our customer, we continue to share your information as described in this notice.
How? All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons Expensify Payments chooses to share; and whether you can limit this sharing.
Reasons we can share your personal information | Does Expensify Payments share? | Can you limit this sharing?
--- | --- | ---
For our everyday business purposes— such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No
For our marketing purposes— to offer our products and services to you | Yes | No
For joint marketing with other financial companies | No | We don't share
For our affiliates' everyday business purposes— information about your transactions and experiences | No | We don't share
For our affiliates' everyday business purposes— information about your creditworthiness | No | We don't share
For nonaffiliates to market to you | No | We don't share
Who we are
Who is providing this notice? This notice is provided by the business units of Expensify Payments LLC, and its affiliates, including, but not limited to, Expensify Inc.
What we do
How does Expensify Payments protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.
We also limit access to information to those employees for whom access is necessary.
How does Expensify Payments collect my personal information? We collect your personal information, for example, when you
  • open an account or apply for a loan
  • pay your bills or make a wire transfer
  • provide account information
We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.
Why can't I limit all sharing? Federal law gives you the right to limit only
  • sharing for affiliates' everyday business purposes— information about your creditworthiness
  • affiliates from using your information to market to you
  • sharing for nonaffiliates to market to you
State laws and individual companies may give you additional rights to limit sharing.
Definitions
Affiliates: Companies related by common ownership or control. They can be financial and nonfinancial companies.
Nonaffiliates: Companies not related by common ownership or control. They can be financial and nonfinancial companies.
  • Expensify Payments does not share with nonaffiliates so they can market to you.
Joint marketing: A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
  • Expensify Payments doesn't jointly market.
Other Important Information
Vermont Residents: In accordance with Vermont law, we will not share personal information about you other than transaction experience information, with other Expensify companies or affiliates, nor will we share any personal financial information about you with other Expensify companies for marketing purposes.
Nevada Residents: Nevada law requires that we provide you with the following contact information: Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington Ave., Suite 3900, Las Vegas, NV 89101; Phone number: 702-486-3132; email: agInfo@ag.nv.gov
California Residents: Effective January 1, 2020, the California Consumer Privacy Act (CCPA) permits consumers who are California residents to (a) ask a covered business which categories and pieces of personal information it collects and how the information is used; (b) request deletion of the information; and (c) opt out of the sale of such information, if applicable. These provisions of the CCPA do not apply to personal information collected, processed, shared, or disclosed by financial institutions pursuant to federal law. To contact us with questions about our compliance with the CCPA, please reach out to privacy@expensify.com.

7.2 Service Provider, Sub-Processors/Onward Transfer

Expensify may transfer Personal Data to companies that help us provide the Expensify Service and related programs. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients.

7.3 Bancorp Privacy Notice

As a Partner Company, Bancorp may have access to Personal Information. Below is a notice from Bancorp of how such Personal Information may be used. For purposes of this "Bancorp Privacy Notice" subsection only, "we" or "us" refers to The Bancorp, Inc., and its affiliates.

FACTS WHAT DOES THE BANCORP DO WITH YOUR PERSONAL INFORMATION?
Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.
What? The types of personal information we collect and share depend on the product or service you have with us. This information can include:
  • Social Security number and income
  • Account balances and transaction history
  • Credit history and credit scores
When you are no longer our customer, we continue to share your information as described in this notice.
How? All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons The Bancorp chooses to share; and whether you can limit this sharing.
Reasons we can share your personal information | Does The Bancorp share? | Can you limit this sharing?
--- | --- | ---
For our everyday business purposes— such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No
For our marketing purposes— to offer our products and services to you | Yes | No
For joint marketing with other financial companies | No | We don't share
For our affiliates' everyday business purposes— information about your transactions and experiences | No | We don't share
For our affiliates' everyday business purposes— information about your creditworthiness | No | We don't share
For nonaffiliates to market to you | No | We don't share
Who we are
Who is providing this notice? This notice is provided by the business units of The Bancorp, Inc., and its affiliates, including, but not limited to, The Bancorp Bank, Bancorp Card Services, Inc., and TBBK Direct Leasing, LLC.
What we do
How does The Bancorp protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.
We also limit access to information to those employees for whom access is necessary.
How does The Bancorp collect my personal information? We collect your personal information, for example, when you
  • open an account or apply for a loan
  • pay your bills or make a wire transfer
  • provide account information
We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.
Why can't I limit all sharing? Federal law gives you the right to limit only
  • sharing for affiliates' everyday business purposes— information about your creditworthiness
  • affiliates from using your information to market to you
  • sharing for nonaffiliates to market to you
State laws and individual companies may give you additional rights to limit sharing.
Definitions
Affiliates: Companies related by common ownership or control. They can be financial and nonfinancial companies.
  • The Bancorp does not share with our affiliates.
Nonaffiliates: Companies not related by common ownership or control. They can be financial and nonfinancial companies.
  • The Bancorp does not share with nonaffiliates so they can market to you.
Joint marketing: A formal agreement between nonaffiliated financial companies that together market financial products or services to you.
  • The Bancorp doesn't jointly market.
Other Important Information
Vermont Residents: In accordance with Vermont law, we will not share personal information about you other than transaction experience information, with other Bancorp companies or affiliates, nor will we share any personal financial information about you with other Bancorp companies for marketing purposes.
Nevada Residents: Nevada law requires that we provide you with the following contact information: Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington Ave., Suite 3900, Las Vegas, NV 89101; Phone number: 702-486-3132; email: agInfo@ag.nv.gov
California Residents: Effective January 1, 2020, the California Consumer Privacy Act (CCPA) permits consumers who are California residents to (a) ask a covered business which categories and pieces of personal information it collects and how the information is used; (b) request deletion of the information; and (c) opt out of the sale of such information, if applicable. These provisions of the CCPA do not apply to personal information collected, processed, shared, or disclosed by financial institutions pursuant to federal law. To contact us with questions about our compliance with the CCPA, call 1-833-981-1080; visit our website: thebancorpbank.com; or write to: The Bancorp/CCPA, PO Box 5017, Sioux Falls, SD 57117-5017.

7.4 Sharing with Corporate Members

When a Member connects to a Workspace, such Member understands and agrees that the Corporate Member has access and a right to the Member Data related to transactions associated with the Workspace (including any Personal Data) for its internal bookkeeping purposes. A Corporate Member will maintain the following information when you connect with a Workspace: full name, email, phone number, and expense data. Please contact the Corporate Member directly for more information about what Personal Data the Corporate Member maintains.

8. Choice/Opt-out

Expensify offers you the choice of receiving different types of communication and information related to our company, products and services. You may subscribe to e-newsletters or other publications; you may also elect to receive marketing communications and other special offers from us via email or SMS messaging. You may also opt-in to communicate with other Members and Non-Members via SMS messaging. If at any time you would like to change your communication preferences, we provide unsubscribe links and an opt-out mechanism for your convenience where available. You may also access and manage your preferences from your account.

9. Personal Data Changes

If you believe that the Personal Data we hold about you may not be complete, accurate and up-to-date, you may change aspects of any of your Personal Data in your account by editing your profile within the registration portion of the Site. You may request deletion of your account information by us, but please note that we may be permitted or required (by law or otherwise) to keep this information and not delete or change it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). If you request deletion, subject to our rights to retain the Personal Data as set out in this Privacy Policy and the rights of any Corporate Member to retain the Personal Data as set forth below, we will respond to your request within 1 month. We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

9.1 Access to Data Controlled by our Corporate Members

You have the right to access your Personal Data subject to any exceptions which may apply in the jurisdiction in which you reside. If you have connected to a Workspace and shared your Personal Data with the Corporate Member administering such Workspace, you acknowledge that some Personal Data shared with a Corporate Member may not be able to be deleted as it pertains to their records. Upon request, we will provide you with information about whether any of your Personal Data is shared with a Corporate Member administering a connected Workspace.

9.2 Blog / Forum

Our Site offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them, as well as by our third-party service providers such as OpenAI, L.L.C., to ensure compliance with our Acceptable Use Policy and Content Standards through our Enforcement Policy. To request removal of your Personal Data from our blog or community forum, contact us at concierge@expensify.com. In some cases, we may not be able to remove your Personal Data, in which case we will let you know if we are unable to do so and why.

10. Security of Your Application And Personal Data

Expensify is committed to protecting the security of your Personal Data. We use a variety of industry-standard security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosure. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL). We also require you to enter a password and/or other sign-on mechanism to access your account information. Please do not disclose your account password and/or other sign-on mechanism to unauthorized people. Despite these measures, you should know that Expensify cannot fully eliminate security risks associated with Personal Data. If you have any questions about the security of your Personal Data, you can contact us at concierge@expensify.com.

11. Contact Information

If you have any comments, questions or complaints about this Privacy Policy or if you feel that we have breached our obligations in the handling, use or disclosure of your Personal Data, feel free to email comments or questions to us at concierge@expensify.com or send them to 401 SW 5th Ave, Portland, OR 97204.

If you have general enquiry type questions, you can choose to use a pseudonym. However, if you require information which is specific to your circumstances then it may not be possible for you to deal with us by pseudonym. You acknowledge and agree that when contacting Expensify, whether by email, chat, or otherwise, you will not include any personally identifiable information in your communications, and that if such information is included in your communications with Expensify, Expensify will have no legal obligation or liability with regard to such information.

12. Changes to this Privacy Policy

If Expensify makes changes to this Privacy Policy, these changes will be posted on the Site and Application in a timely manner. Expensify reserves the right to modify this Privacy Policy at any time, so please review it frequently. You acknowledge that the updated policy will apply to the collection, storage, use or disclosure of Personal Data from the date of publication and it is your responsibility to check the Site and Application regularly for updates. You can determine when this Privacy Policy was last revised by referring to the "Last Updated" legend at the top of this page. Any changes to this Privacy Policy will become effective upon our posting of the revised Privacy Policy on the Site and Application. If we make any material changes, we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this Site prior to the change becoming effective. Use of the Expensify Service following such changes constitutes your acceptance of the revised Privacy Policy then in effect. We encourage you to periodically review this page for the latest information on our privacy practices.

13. Overseas Disclosure

Expensify is based in the United States, and, unless we expressly agree otherwise, we may host, transfer, and process data, including Personal Data, in the United States and in other countries through Expensify and third parties that we use to operate and manage the Service. These countries may have data protection laws that are different from those of your country of residence. When you access or use the Service, or otherwise provide information to us, you understand and acknowledge the processing and transfer of information in and to the United States and other countries, which may have different privacy laws from your or their country of residence. Expensify takes appropriate measures to ensure such transfers are in compliance with applicable laws and subject to the additional jurisdictional terms set forth in Section 15(A) and 15(C) below.

14. Data Retention

Other than in aggregated or de-identified form as permitted under the Expensify Terms of Service, and except as required by applicable law, we will delete or otherwise destroy your Personal Data as soon as practicably possible following your termination or cancellation of your use of the Expensify Service.

Expensify will retain data licensed to our Corporate Members as set forth in the Expensify Terms of Service for as long as needed to provide services to our Corporate Member. Expensify will retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We ensure that Personal Data we dispose of is de-identified or destroyed in a secure fashion.

The Corporate Member with which you are affiliated may have specific policies concerning the retention of data including Member-Generated Content. Please consult the entity or organization with which you are affiliated for additional detail about its specific data retention policies.

15. Jurisdiction-Specific Provisions

15.1 Additional Disclosures for Data Subjects in the United Kingdom, European Economic Area (EEA), and Switzerland

15.1.1 International Transfers

Where we transfer your Personal Data to another country outside the UK, EEA and / or Switzerland, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to data being transferred outside the UK and / or EEA, for example, this may be done in one of the following ways:

  1. the country that we send the data to might be approved by relevant data protection authorities as offering an adequate level of protection for Personal Data;

  2. the recipient might have signed up to a contract based on "model contractual clauses" approved by relevant data protection authorities, obliging them to protect your Personal Data;

  3. the recipient may have adhered to binding corporate rules (only for intragroup transfers); or

  4. in other circumstances the law may permit us to otherwise transfer your Personal Data outside Europe.

You can obtain more details of the protection given to your Personal Data when it is transferred outside the UK, EEA and / or Switzerland (including a copy of the standard data protection clauses which we have entered into with recipients of your Personal Data) by contacting us as described in Section 16 below. Please note, following recent decisions invalidating the adequacy of the EU-U.S. and Swiss-U.S. Privacy Shields, we no longer rely on the Privacy Shields for cross-border personal data transfers. However, Expensify participates in the EU-U.S. Data Privacy Framework with UK Extension, and Swiss-U.S. Data Privacy Framework, and more information about these programs is also provided below.

15.1.2 Our Relationship with You

Expensify is made up of different legal entities, Expensify Inc., the parent company, and Expensify Ltd., a subsidiary. This Privacy Policy is issued on behalf of the Expensify Group so when we mention "Expensify", "we", "us" or "our" in this Privacy Policy, we are referring to the relevant company in the Expensify Group responsible for processing your data. Expensify, Inc. is the controller for all of your Personal Data unless explicitly otherwise identified in the applicable contracts.

We have appointed an Expensify Group entity based in the Netherlands to act as our representative in the EU. If you are located in the EU, you may address this entity to raise any issues or queries relating to our processing of your Personal Data. Our EU representative is Expensify Netherlands B.V. and can be contacted in the manner set out at Section 16 below.

15.1.3 Legal Basis for Processing

We have listed the use of your Personal Data by us in Section 6 above. The legal grounds on which we process the Personal Data for those uses include: if you consent to the processing; to satisfy our legal obligations; if it is necessary to carry out our obligations arising from any contracts we entered with you or to take steps at your request prior to entering into a contract with you; or for our legitimate interests in providing our services to our customers and the effective management of Expensify and to protect our property, rights or safety of Expensify, our customers or others. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

15.1.4 Your Privacy Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, such as:

  • Access: The right to request access to the Personal Data that Expensify has about you;

  • Rectification: The right to rectify or correct any Personal Data that is inaccurate or incomplete;

  • Portability: The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Expensify directly transfer your Personal Data to one or more third parties;

  • Objection: The right to object to the processing of your Personal Data for certain purposes;

  • Erasure: The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.

  • Restriction: You have the right to request that we restrict our processing of your Personal Data where you believe such data to be inaccurate; our processing is unlawful; or we no longer need to process such data for a particular purpose, but where we are not able to delete the data due to a legal or other obligation or because you do not want us to delete it.

  • Consent: The right to withdraw your consent to the processing of your Personal Data at any time. Please note, however, that we may still be entitled to process your Personal Data if we have another legitimate reason for doing so. For example, we may need to retain Personal Data to comply with a legal obligation.

The rights described above may not be absolute and are limited by applicable laws.

You can exercise your privacy rights by contacting us via email at: concierge@expensify.com. We will handle your request under applicable law. When you make a request, we may verify your identity to protect your privacy and security.

15.1.5 International and Onward Transfers of Data

Information that our European users submit through the Expensify Service or the Site is sent to and stored on secure servers located in the United States of America and may be transferred by us to our other offices and/or to the third parties (such as our Partner Companies, as defined below), who may be situated in the United States of America or elsewhere outside the European Economic Area (EEA) and may be processed by staff operating outside the EEA. The US and other non-EEA countries do not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States and some other non-EEA countries in respect of law enforcement and national security authority access to data is significantly different from Europe. However, we will ensure as reasonably as possible that where your personal information is to be transferred or shared outside the EEA, it is only transferred or shared where we have appropriate safeguards in place, for example by agreeing to the standard contractual clauses adopted by the European Commission.

For individuals located in the European Economic Area ("EEA"), United Kingdom, or Switzerland (collectively the "Designated Countries"): Where personal data are transferred to a third country or to an international organisation, Expensify implements appropriate safeguards, such as contractual obligations, and standard contractual clauses adopted by the European Commission relating to the transfer.

You also have a right to lodge a complaint with a competent supervisory authority situated in a member state of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details here for individuals located in the EEA and here for individuals located in the United Kingdom.

15.1.6 EU-U.S. Data Privacy Framework with UK Extension, and Swiss-U.S. Data Privacy Framework

Expensify, Inc. and its subsidiary company, Expensify, Ltd., comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Expensify, Inc. and its subsidiary company, Expensify, Ltd., have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU-U.S. DPF. Expensify, Inc. and its subsidiary company, Expensify, Ltd., have certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Expensify, Inc. and its subsidiary company, Expensify, Ltd., are responsible for the processing of personal data they receive under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and subsequently transfer to a third party acting as an agent on their behalf. Expensify, Inc. and its subsidiary company, Expensify, Ltd., comply with the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over Expensify's compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, Expensify, Inc. and its subsidiary company, Expensify, Ltd., may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Expensify, Inc. and its subsidiary company, Expensify, Ltd., commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.

For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website https://www.dataprivacyframework.gov/.

15.2 Additional Disclosures for Data Subjects in California, Colorado, Connecticut, Nevada, Utah, and Virginia

This Statement is designed to be consistent with California, Colorado, Connecticut, Nevada, Utah, and Virginia privacy laws. When addressing California law, this Statement uses certain terms that have the meanings given to them by the California Consumer Privacy Act (CCPA), as amended, unless otherwise specified.

15.2.1 Definitions Specific to this Section for California Residents

The CCPA includes definitions for terms specific to this California Privacy Policy that do not apply to the rest of this Privacy Policy, including the following terms:

  • "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include publicly available information obtained from government records; deidentified or aggregated consumer information that cannot be reconstructed to identify you; any information covered under the Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, activities covered by the Fair Credit Reporting Act, or protected health information as defined under the Health Insurance Portability and Accountability Act.

  • "Sale" or "sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's Personal Information by the business to another business or a third party for monetary or other valuable consideration.

  • "Service Provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's Personal Information for a business purpose pursuant to a written contract.

15.2.2 Collection and Use
15.2.2(a) Collection

During the 12-month period prior to the effective date of this Statement, we may have collected the following categories of personal information, including sensitive personal information, about you:

  • Identifiers: identifiers such as a real name, alias, postal address, unique personal identifier (such as customer number, unique pseudonym, or user alias), email address, account name, Social Security number, driver's license number, and other similar identifiers, physical characteristics or description, state identification card number, and signature

  • Identifiers (Online): a device identifier; cookies, beacons, pixel tags, mobile ad identifiers and similar technology; other forms of persistent or probabilistic identifiers, and Internet Protocol address

  • Other Financial, Medical, and Health Information: bank account number, credit card number, debit card number, insurance policy number, and other financial information, medical information, and health insurance information

  • Information Related to Characteristics Protected Under California or Federal Law: characteristics of protected classifications under California or federal law, such as race, color, national origin, religion, age, sex, gender, gender identity, gender expression, sexual orientation, marital status, medical condition, ancestry, genetic information, disability, citizenship status, and military and veteran status

  • Commercial Information: including records of personal property, products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies

  • Internet and Other Electronic Network Activity Information: including, but not limited to, browsing history, search history, and information regarding your interaction with websites, applications or advertisements

  • Geolocation Data

  • Sensory Information: Audio, electronic, visual, thermal, and similar information

  • Professional or Employment-Related Information

  • Education Information

  • Profile Inferences: inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and/or aptitude

15.2.2(b) Sources of collection

We collected personal information about you from the following sources:

  • You

  • Expensify

  • Device(s) You Used

  • Service Providers

15.2.2(c) Purposes for collection/use

We collected and used personal information about you for the following purposes:

  • Performing services you have purchased from or contracted for with us, including maintaining or servicing accounts, as well as providing customer service, processing transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services

  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance

  • Detecting and responding to security incidents, protecting against and responding to malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity

  • Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your interactions with our digital properties

  • Debugging to identify and repair errors that impair existing intended functionality

  • Undertaking internal research for technological development and demonstration

  • Undertaking activities to verify or maintain the quality or safety of a service that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us

  • Displaying advertisements intended for you based on personal information, related to your activities over time and across nonaffiliated websites or online applications, used to predict your preferences or interests (targeted advertising)

  • Customizing your experience on our digital properties

  • Processing liability claims

  • Complying with and enforcing applicable legal requirements, relevant industry standards and our policies

15.2.3 Disclosures
  1. We may have disclosed the following categories of personal information for a business purpose:

    • Identifiers

    • Identifiers (Online)

    • Other Financial, Medical and Health Information

    • Information Related to Characteristics Protected Under California or Federal Law

    • Commercial Information

    • Biometrics

    • Internet and Other Electronic Network Activity Information

    • Geolocation Data

    • Sensory Information

    • Professional or Employment-Related Information

    • Education Information

    • Profile Inferences

  2. We may share personal information about you for cross-context behavioral advertising — seeking to place ads to you on others' digital properties based, at least in part, on personal information obtained from your activity on others' digital properties.

  3. We may have sold (as defined under California, Colorado and Connecticut laws) the following categories of personal information:

    • Identifiers (online) associated with a device used to interact with our digital properties or advertisements (such as a device identifier; cookies, beacons, pixel tags, mobile ad identifiers and similar technology)

    • Internet and other electronic network activity information associated with a device used to interact with Digital Properties or advertisements

    • Profile inferences (solely as sale is defined under California rules)

  4. We do not sell the personal information of consumers under the age of 16 if we have actual knowledge of the individual's age.

  5. We do not sell personal information as the term is traditionally understood or as defined under Nevada, Utah, or Virginia law. For example, we do not exchange for money personal information to data brokers or third parties for their marketing purposes independent of us.

  6. Sensitive Personal Information: We do not share sensitive personal information for cross-context behavioral advertising. We do not sell sensitive personal information.

  7. We may have disclosed personal information about you to the following categories of third parties:

    • Our affiliates

    • Our business partners

    • Third-party marketing partners

    • Government entities, including law enforcement

Information we disclose to third parties:

3rd party categories
| Personal Information Categories | Our Affiliates | Our Business Partners | Third-party Marketing Partners | Government Entities, Including Law Enforcement *See Disclosure |
|---|---|---|---|---|
| Information Related to Characteristics Protected Under California or Federal Law | No | No | No | Yes |
| Commercial Information | Yes | Yes | No | Yes |
| Biometrics | No | No | No | Yes |
| Internet and Other Electronic Network Activity Information | Yes | No | Yes | Yes |
| Geolocation Data | No | No | No | Yes |
| Sensory Information | No | No | No | Yes |
| Professional or Employment Related Information | No | No | No | Yes |
| Education Information | No | No | No | Yes |
| Profile Inferences | Yes | No | No | Yes |

Please note: Expensify shares Personal Information with government entities, including law enforcement, only in the following circumstances: (1) when required to do so as a matter of law; (2) to assist in the investigation of a potential crime impacting Expensify, its employees, its customers, or the communities we serve; or (3) when required in response to legal process (e.g., subpoena, search warrant).

15.2.4 Retention — California Residents

Expensify has in place a records-retention schedule reflecting our intended retention periods for certain types of information. The following reflects the longest applicable intended retention period by personal-information category for information related to California consumers acquired on or after January 1, 2023. Once the intended retention period has passed, subject information is to be deleted or modified such that it is no longer personal information.

| Personal Information Categories | Intended Retention Period |
|---|---|
| Biometrics | Up to 10 years after last activity, subject to contractual obligations |
| Commercial Information | 10 years after expiration of contractual obligations |
| Education Information | 10 Years after termination of employment |
| Geolocation Data | Up to 3 Years |
| Identifiers | Up to 10 years after last activity, subject to contractual obligations |
| Identifiers (Online) | Up to 3 years |
| Information Related to Characteristics Protected Under California or Federal Law | Up to 3 years |
| Internet and Other Electronic Network Activity Information | Up to 3 years |
| Other Financial, Medical and Health Information | Up to 10 years after last activity, subject to contractual obligations |
| Professional or Employment Related Information | 10 Years after termination of employment |
| Profile Inferences | Up to 3 years |
| Sensory Information | Up to 40 Days |

There are a number of reasons personal information may be retained longer than the intended retention period. For example, deletion or modification does not happen immediately after a retention period has passed and instead executes periodically, no less frequently than annually. Additionally, some information systems or information may be placed on legal holds due to potential litigation or regulatory review and information, therefore, is not deleted or modified.

15.2.5 Consumer Privacy Rights

You have certain choices regarding our use and disclosure of personal information about you, as described below.

  • Access: You have the right to request, twice in a 12-month period, that we disclose to you the personal information related to you we have collected during the past 12 months. This may include:

    • The categories and specific pieces of personal information we have collected about you

    • The categories of sources from which we collected the personal information

    • The business or commercial purpose for which we collected or sold the personal information

    • The categories of third parties with whom we shared the personal information

    • The categories of personal information about you that we sold or disclosed for a business purpose, and the categories of third parties to whom we sold or disclosed that information for a business purpose

  • Correction: You have the right to request that we correct certain personal information we have collected, taking into account the nature of the personal information and the purposes of the processing of the personal information. If you make a correction request, we may correct or instead delete information as allowed by law. Exceptions apply.

  • Deletion: You have the right to request that we delete certain personal information we have collected from you. Exceptions apply.

  • Opt-Out of Sale: You have the right to opt-out of the sale of your personal information.

15.2.6 How to Submit a Request
  • Submit an access request by emailing concierge@expensify.com with the subject line "[applicable state] Rights Request," or via webform

    • The report you receive containing personal information we have on file will provide instructions on how to pursue correction of applicable information.

    • Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

  • Submit a deletion request by emailing concierge@expensify.com with the subject line "[applicable state] Rights Request," or via webform

California Residents

  • Limit the Use or Disclosure of Sensitive Personal Information. You have the right to request that we limit our use or disclosure of Sensitive Personal Information (as defined by California law) about you to certain uses authorized by the CCPA. We do not disclose Sensitive Personal Information beyond such authorizations.

  • Do Not Share My Personal Information. You have the right to opt out of our sharing of personal information for cross-context behavioral advertising.

  • Shine the Light Request: You also may have the right to request that we provide you with (a) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (b) the identity of those third parties. To submit a Shine the Light Request, email us at concierge@expensify.com with the subject line "California Rights Request," or via webform.

Colorado Residents

  • Opt Out of Targeted Advertising: You have the right to opt out of "Targeted Advertising."

  • Appeal a Refusal to Take Action: Colorado law requires that we establish a process for a consumer to appeal our refusal to take action on certain requests. If you are not satisfied with the outcome of that process, you may contact the Colorado Attorney General to submit a complaint.

  • Other Options not Relevant: We do not use your data for the purpose of profiling to make decisions that would have legal or similarly significant effects on you. We do not knowingly process "sensitive data" concerning Colorado residents, as defined under Colorado law, unless required as a matter of law.

Connecticut Residents

  • Opt Out of Targeted Advertising: You have the right to opt out of "Targeted Advertising."

  • Appeal a Refusal to Take Action: Connecticut law requires that we establish a process for a consumer to appeal our refusal to take action on certain requests. If you are not satisfied with the outcome of that process, you may contact the Connecticut Attorney General to submit a complaint.

Nevada Residents

  • Opt Out of the Sale of Personal Information. You have the right to request that we not sell your Personal Information (as defined by Nevada law) for monetary consideration to certain other parties. This right applies even if your Personal Information is not currently being sold.

Utah Residents

  • Opt Out of Targeted Advertising: You have the right to opt out of "Targeted Advertising."

  • Other Options not Relevant. We do not sell personal information as "sale" is defined under Utah law.

Virginia Residents

  • Opt Out of Targeted Advertising: You have the right to opt out of "Targeted Advertising."

  • Appeal a Refusal to Take Action: Virginia law requires that we establish a process for a consumer to appeal our refusal to take action on certain requests. If you are not satisfied with the outcome of that process, you may contact the Virginia Attorney General to submit a complaint.

  • Other Options not Relevant. We do not sell personal information as "sale" is defined under Virginia law. We do not knowingly process "sensitive data" concerning Virginia residents, as defined under Virginia law, unless required as a matter of law.

15.2.7 Verifying Requests

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password-protected or otherwise authenticated account sufficiently verified when the request relates to Personal Information associated with that specific account. If you request access to or deletion of your personal information and do not sign in to an account with us, we require you to provide the following information: name, email address, phone number, and postal address. In addition, if you do not have an account and you ask us to provide you with specific pieces of personal information, we reserve the option to require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

15.2.8 Authorized Agents

California residents may designate an authorized agent to exercise your rights under the CCPA on your behalf; however, we may deny a request as permitted by the CCPA. To designate an authorized agent, you must provide the agent, and the agent must present to us, written permission signed by you. We may also require you to verify your identity directly with us and directly confirm with us that you provided the authorized agent permission to submit the request, unless your authorized agent provides us with power of attorney pursuant to Probate Code sections 4121-4130.

15.2.9 Additional Information

If you choose to exercise any of your rights, you have the right not to receive, and will not receive, discriminatory treatment by us. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request. Employees and contractors are provided notice via different statements.

15.2.10 Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section 1798.83) permits Members who are California residents to request and obtain from us once a year, free of charge, certain information about the Personal Data (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of Personal Data that were shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to concierge@expensify.com.

The "Do Not Track" disclosure can be found above in Section 5 entitled Expensify Cookie Policy and Use of Tracking Technologies.

15.3 Additional Disclosures for Australian Residents

If you are in Australia, our collection, storage, use and disclosure of your Personal Data will be subject to this Privacy Policy and the Privacy Act 1988 (Cth) (Privacy Act). Any part of this Privacy Policy that is illegal, unenforceable or inconsistent with the Privacy Act may be severed from this Privacy Policy and the remaining terms or parts of the term of this Privacy Policy will continue in force. In addition, the following information applies to you.

15.4 Pseudonymity

If you are making a general enquiry only, you may deal with us through the use of a pseudonym. However, we will not be able to provide you with any specific information about your account if you fail to identify yourself to us.

15.5 Data Transfer Disclosure

Personal Data provided to us by Members or Corporate Members located in Australia may be disclosed to service providers located outside Australia, including in the US, including providers of cloud or other types of networked or electronic storage.

Although these third parties are subject to privacy and confidentiality obligations imposed by contract or the regulatory frameworks of the jurisdiction in which those third parties are located, you acknowledge that:

  • they may not always comply with those obligations, or those obligations may differ from the obligations imposed by privacy and data protection legislation in your jurisdiction; and

  • the third party may be subject to foreign laws which might compel further disclosures of personal information (e.g. to government authorities).

15.6 Secondary Purpose

You acknowledge that we may use or disclose your Personal Data for a reason other than the reasons set forth in Section 6 or Section 7 (a "secondary purpose") where the secondary purpose is connected to or associated with a purpose for collection set out in this Privacy Policy, or directly connected to or associated with a purpose for collection if the information is "sensitive information" as that term is defined under the Privacy Act.

16. Queries, Concerns, and Complaints

If you have any queries, concerns or complaints about the manner in which we have collected, stored, used or disclosed your personal information, please contact the Data Protection Officer at privacy@expensify.com. We will treat your complaint confidentially and, after investigating your complaint, discuss the ways in which we can remedy the situation. We will ensure that we respond to your complaint within a reasonable time (and in any event within the time required by applicable law).

If your inquiries or complaints regarding our Privacy Policy or use of data have not been resolved to your satisfaction within 30 days via the means set forth herein, please contact:

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy or our privacy practices, please contact our DPO at privacy@expensify.com.