Privacy Policy 

Last Updated: August 18, 2021

TRUSTe

At Expensify.org, a California nonprofit public benefit corporation (“Expensify.org”, “we”, “us”, or “our”), our most important asset is our relationship with our user community. We are committed to maintaining the confidentiality, integrity and security of information about our users and their organizations. This privacy policy (“Privacy Policy”) describes how we collect, use, disclose, share and secure the personal and company information you provide when you make a donation, request a volunteer Reimbursement, or visit the Expensify.org website https://expensify.org (the “Site” and, together with any related software, tools and services provided in connection with the Site, the “Service”). It also describes your choices regarding the use, access and correction of your Personal Data (as defined in section 3 of this Privacy Policy) and how to contact us if you have any further queries or complaints about our management of your personal information.

In this Privacy Policy, “you” and “your” refers to individual users of the Service, as well as to Users and Corporate Users. “Users,” “Corporate Users,” and other capitalized terms not defined in this privacy policy are defined in the Expensify.org Terms of Service.

If you do not agree to the terms of this Privacy Policy, you must immediately leave the Site and discontinue your use our products and services. 

Important – Transfer to the US of European Personal Data

Information that our European users submit through the Service or the Site is sent to and stored on secure servers located in the United States of America and may be transferred by us to our other offices and/or to the third parties (such as our Partner Companies (as defined below)), who may be situated in the United States of America or elsewhere outside the European Economic Area (EEA) and may be processed by staff operating outside the EEA. The US and other non-EEA countries do not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States in respect of law enforcement authority access to data is significantly different from Europe. Where we transfer your information we will take all reasonable steps to ensure that your privacy rights continue to be protected consistent with our obligations under local law. By submitting information via the Site, you agree to this storing, processing and/or transfer.

Expensify.org commits to resolve complaints about our collection or use of your Personal Data. European Union individuals with inquiries or complaints should first contact Expensify Inc. via email at: concierge@expensify.org or via post addressed to Operations Lead, 401 SW 5th Ave, Portland, OR 97204.

This Privacy Policy is incorporated into, and considered a part of, the Expensify.org Terms of Service.

1. USER CONSENT

By submitting or making available Personal Data (as defined below) through our Site or the Service, you confirm that you have read and accepted the terms of this Privacy Policy and you expressly consent to the collection, storage, use and disclosure of your Personal Data in accordance with this Privacy Policy. If you do not agree to the terms of this Privacy Policy, you must not use our products and services or our Site. Your Personal Data may be processed in the country in which it was collected and in other countries, including the United States, where laws regarding processing of Personal Data may be less stringent than the laws in your country.

2. A NOTE ABOUT CHILDREN

We do not intentionally gather Personal Data about individuals who are under the age of 18. If you become aware that we inadvertently hold or have access to Personal Data about anyone under 18, please let us know so we can delete it. 

3. TYPES OF PERSONAL DATA WE COLLECT

So that we can provide you with our products and services, we may need to collect Personal Data (as that term is defined below) about you or others. If you do not provide us with the Personal Data we request, we may not be able to supply you with some or all of our products and services. 

Expensify.org collects Personal Data from you when you visit our Site or when you send us information or communications in connection with your use of the Service. “Personal Data” means data that allows someone to identify or contact you or your employees, consultants, and independent contractors, including, for example, name, address, billing zip code, geographic location of your computer or mobile device, telephone number, credit card number, email address, bank account information, government identity document, and/or proof of vaccination. If you are accessing the Service from Australia, “Personal Data” also includes any information or opinion, whether true or not and whether recorded in material form or not, by which you may be reasonably identifiable. Expensify.org will not use your Personal Data except as agreed to in this Privacy Policy and in the Expensify.org Terms of Service

Personal Data You Provide To Us

We collect Personal Data from you, including name, email address, phone number, bank account number, routing number, bank account login information, IP address, expense data, receipts, photos, videos, government identity document, and/or proof of vaccination if you request a Reimbursement through the Volunteer Reimbursement Program. In addition, we (or our Payment Service Provider on our behalf) will collect Personal Data including your name, billing address, credit card number, phone number, email address, and IP address when you make a donation through the Site. Your payment information is automatically transferred to the Payment Service Provider, and Expensify.org does not see or store any such information. We also retain information on your behalf, such as the Personal Data described above and any correspondence. If you provide us feedback or contact us via email, we will collect your name and email address, IP address, as well as any other content included in the email, in order to send you a reply, and any information that you submit to us, such as a resume. If we conduct a survey in which you participate, we may collect additional profile information. We may also collect Personal Data at other instances in the Site where we state that Personal Data is being collected. 

Personal Data Collected by Third Parties

We will collect your Personal Data from you unless it is unreasonable or impracticable to do so. However, we may collect and receive Personal Data about you from companies that provide services (such as our affiliate, Expensify, Inc. and payment processing services) in connection with the Service (collectively, “Partner Companies”). Our Partner Companies may supply us with Personal Data, such as your name and email and mailing address information or your login credentials for such Partner Company’s website or service, in order to help us process donations or provide Reimbursements. We may also collect your Personal Data from public sources. We may add this information to the information we have already collected from you via our Site in order to perform and improve the Service. If you provide us Personal Data about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.  

This Privacy Policy applies only to the use and disclosure of Personal Data that we collect while you use the Service. Our provision of a link to any other website or location is for your convenience and does not signify our endorsement of such other website or location or its contents. When you click on such a link, you will leave the Service and go to another site. During this process, a third party may collect Personal Data from you. We have no control over, do not review, do not endorse, and cannot be responsible for, these outside websites or their content. Please be aware that the terms of this Privacy Policy do not apply to these outside websites or content, or to any collection of data after you click on a link to a third party. If you submit Personal Data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit. 

Personal Data Collected via Technology

The Service (which may be hosted by a third-party service provider) collects Personal Data from you, such as browser type, your approximate geographic location of your mobile device or computer (from your Internet Protocol (IP) address), operating system and version, Internet Protocol (IP) address, domain name, information about your application, operating environment and hardware profiles and/or a date/time stamp for your visit. We may also use Identifiers (as defined below) and navigational data like Uniform Resource Locators (URL) to gather information regarding the date and time of your visit and/or access to the Service and your activity on the Site. Like most internet services, we automatically gather this Personal Data and store it in log files each time you visit the Site.

When you interact with the Site, we try to make that experience simple and useful. We and our partners use industry standard identifiers, such as cookies or other similar technologies. We also use mobile device identifiers which perform a similar role, like the IDFA used by Apple devices and the UDID used by Android devices. Cookies are small pieces of information which are issued to your computer or mobile device (as the case may be) when you visit a website or access or use a mobile application and which store and sometimes track information about your use of the Site. A number of cookies we use last only for the duration of your web session and expire when you close your browser. Other cookies are used to remember you when you return to the Site and will last for longer. We refer to cookies and the mobile device equivalents as “Identifiers”. 

We use Identifiers to:

  • remember that you have visited us before; this means we can identify the number of unique visitors we receive;

  • customize elements of the layout and/or content of the pages of the Site;

  • collect statistical information about how you use the Site (including how long you spend on the Site) and where you have come to the Site from, so that we can improve the Site and learn which parts of the Site are most popular with users.

Usage information may be linked to you in order to assist Expensify.org to provide services to you, for example analyzing data for the purposes of trouble shooting. Expensify.org will not sell or disclose usage data to any third party unless such usage data has been aggregated or de-identified and is no longer capable of identifying you as an individual.

Our Site includes Social Media Features, such as the Facebook “Like” button and Widgets, such as the “Share this” button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our Site, and may set an Identifier to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these Features are governed by the privacy policy of the company providing it.

Some of the Identifiers used by the Site are set or accessed (as appropriate) by us, and some by third parties who are delivering services on our behalf.

Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser or mobile device. Please note, however, that by blocking or deleting cookies used on the Site, you may not be able to take full advantage of the Service.

In addition to cookies, web beacons may be set by us or third parties in respect of your use of the Site. Web beacons are small image files within the content of the Site for analytics purposes so we or third parties can understand which parts of the Site are visited and which functions of the Site are used and whether particular content is of interest. 

When you use the Service, we automatically collect information about the type of device you use and operating system version.

3rd Party Tracking Technologies

We and our affiliates (including but not limited to Google Analytics) may use Identifiers and similar tracking technologies to monitor performance and usage on the site for internal analytics and performance monitoring. These Identifiers and similar tracking technologies are used to help the Site collect and store information regarding your visit, such as session state and authentication tokens. Users can control the use of cookies at the individual browser level but if you choose to disable cookies, it may limit your use of certain features or functions provided through the Service. To manage Flash cookies, please click here

The use of Identifiers by our affiliates is not covered by our privacy policy. We do not have access or control over these cookies.

4. USE OF YOUR PERSONAL DATA

Expensify.org and our Partner Companies may use your Personal Data in the following ways:

  • identify you as a User in our system;

  • to provide improved administration of the Service;

  • to improve the quality of experience when you interact with the Service, including staff training;

  • to send you administrative email notifications, such as security or support and maintenance advisories;

  • to collect donations, fees and payments owing to us;

  • to promote your story, identity, photograph, and/or video on the Site, in our Partner Companies’ communities, or in marketing for us or our Partner Companies, when you share your story with us;

  • to share your volunteer stories and connect you with our Partner Companies’ communities, Expensify.org donors, and participants in Expensify, Inc.’s Karma Program;

  • to respond to your inquiries related to employment opportunities or other requests and to resolve disputes;

  • to provide you with access to and information about customized features, new functionality, and partner integrations;

  • to provide you with surveys;

  • to make telephone calls to you, from time to time, as a part of secondary fraud protection or to solicit your feedback; 

  • to verify your identity as part of compliance with requirements of Partner Companies or applicable regulations; 

  • to confirm your entitlement to a volunteer Reimbursement; and

  • to compare information provided by you for accuracy and verification with third parties. 

We may provide certain limited Personal Data, including your name, address and email address, to the charities that accept your donations processed by Expensify.org or our Partner Companies.  

From time to time, we may also use your Personal Data to send important notices to you, such as communications about donations you have made or volunteer Reimbursements you have requested, or changes to our terms and conditions or other policies. This information is important to your interactions with us and you acknowledge that you may not opt out of receiving these communications.

If you provide feedback on the Service, we may use such feedback for any purpose, provided we will not associate such feedback with your Personal Data. Expensify.org will collect and store any information contained in such communication and will treat the Personal Data in such communication in accordance with this Privacy Policy. 

Any information, including Personal Data, which you elect to make publicly available on the Service will be available to other Users or the public. If you remove information that you have made public on the Service, copies may remain viewable in cached and archived pages of the Service, or if other Users have copied or saved that information.

In some cases we collect information provided by our Corporate Users, and in such cases, we have no direct relationship with the individuals whose Personal Data we process. If you believe your Personal Data has been collected by us in such circumstances, and would no longer like to be contacted as an employee or customer of one of our Corporate Users, please contact that Corporate User directly in order to request your removal.

5. DISCLOSURE OF YOUR PERSONAL DATA

We may share your Personal Data with Partner Companies to provide technical support or to provide specific services, such as hosting of our applications, maintenance services, database management or payment processing (including but not limited to Stripe and PayPal). Partner Companies will have access to your Personal Data only to perform these services on our behalf and are obligated not to disclose or use it for any other purpose. They may be located, or their data processing activities may take place, in the United States of America or elsewhere outside the European Economic Area (EEA). The US and other non-EEA countries do not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States in respect of law enforcement authority access to data is significantly different from Europe.

Any subsidiaries, joint ventures, or other companies under common control with us (collectively, “Related Entities”), may share some or all of your Personal Data, in which case we will require our Related Entities to honor this Privacy Policy and your Personal Data will only be used for the purposes set out in this Privacy Policy.

Expensify.org may sell/divest/transfer the company (including any shares in the company), or any combination of its products, services, assets and/or businesses. Personal Data may be among the items sold or otherwise transferred in these types of transactions, you will be notified via email and/or a prominent notice on our Site of any change in ownership or uses of your Personal Data. We may also sell, assign or otherwise transfer such information in the course of corporate divestitures, mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of the company. 

In certain situations, Expensify.org may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Regardless of any choices you make regarding your Personal Data (if applicable), Expensify.org may disclose Personal Data if it believes in good faith that such disclosure is necessary to (a) comply with relevant laws or to respond to subpoenas or warrants or lawful requests from government authorities served on Expensify.org; or (b) protect or defend the rights, reputation or property of Expensify.org or users of the Service.

Sharing Your Story

If you share your story with us as part of the Volunteer Reimbursement Program or as part of a survey we send you, you may choose to send us narrative details about your work, photos/videos of those involved, and other information about your work. These stories are likely to include Personal Data, photography and/or video, your first name, last initial, and/or city and state (the “Likeness”). We or our Partner Companies may use your Likeness for any purpose including commercial or marketing purposes and in any medium, as further set forth in the Volunteer and Reimbursement Program Terms. If you share the Likeness of any third party pursuant to the Volunteer and Reimbursement Program or in response to a survey, you hereby represent and warrant that you have obtained such third party’s authorization and express consent to submit the third party’s Likeness to us and for us to use the third party’s Likeness in the same manner as we may use your Likeness. Please see the Volunteer and Reimbursement Program Terms for more information about sharing your story. 

When you provide feedback or post Content on our Site (e.g., if you respond to a survey request, post in our community, or post a photograph or video on our Site or comment on our social media channels), your information (e.g., your first name, last initial, state of residence, and your comments) may be displayed on our Site or on our social media pages. When you engage with us on social media, we may tag your social media account or the social media account of others (e.g., to give photo credit to another user).

In addition to the sharing described in this policy, we may share information about you with third parties whenever you consent to or direct such sharing.

Except as otherwise stated in this policy and our Terms of Service, we do not sell, trade, share, or rent the Personal Data collected from the Service to third parties. You expressly consent to the sharing of your Personal Data as described in this policy.

We may aggregate or de-identify any information collected through the Service so that such information is no longer directly identifiable to an individual. We may use and share such aggregated and de-identified information solely for marketing purposes or distribution to third party research firms.

Service Provider, Sub-Processors/Onward Transfer

Expensify.org may transfer Personal Data to companies that help us provide the Service. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients.

6. CHOICE/OPT-OUT

Expensify.org offers you the choice of receiving different types of communication and information related to our company, products, and services. You may subscribe to e-newsletters or other publications; you may also elect to receive marketing communications and other special offers from us via email. If at any time you would like to change your communication preferences, we provide unsubscribe links and an opt-out mechanism for your convenience. 

7. PERSONAL DATA CHANGES

If you believe that the Personal Data we hold about you may not be complete, accurate and up-to-date, you may change aspects of any of your Personal Data by sending an email to us at concierge@expensify.org. You may request deletion of your information by us, but please note that we may be permitted or required (by law or otherwise) to keep this information and not delete or change it (or to keep this information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). We will respond to your request to access within 30 days. We will retain your information for as long as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Access to Data Controlled by our Corporate Users

Upon request we will provide you with information about whether we hold any of your Personal Data. We also acknowledge that you have the right to access your Personal Data subject to any exceptions which may apply in the jurisdiction in which you reside. Where a User accesses the Service because their employer is a Corporate User, Expensify.org has no direct relationship with that User. In that situation, a User who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his query to the Expensify.org’s Corporate User (the data controller). If the Corporate User requests Expensify.org to remove the data, subject to our rights to retain the Personal Data as set out in this Privacy Policy, we will respond to their request within 30 business days. 

Data Retention

Expensify.org will retain data we process on behalf of our Corporate Users for as long as needed to provide services to our Corporate User. Expensify.org will retain and use this information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We ensure that Personal Data we dispose of is de-identified or destroyed in a secure fashion. 

8. CALIFORNIA PRIVACY RIGHTS

Users who are California residents may request and obtain from us once a year, free of charge, certain information about the Personal Data (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of Personal Data that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to concierge@expensify.org.

9. SECURITY OF YOUR PERSONAL DATA

Expensify.org is committed to protecting the security of your Personal Data. We use a variety of industry-standard security technologies and procedures to help protect your Personal Data from unauthorized access, use, or disclosure. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL). Despite these measures, you should know that Expensify.org cannot fully eliminate security risks associated with Personal Data. If you have any questions about the security of your Personal Data, you can contact us at concierge@expensify.org.

10. CONTACT INFORMATION

If you have any comments, questions or complaints about this Privacy Policy or if you feel that we have breached our obligations in the handling, use or disclosure of your personal information, feel free to email comments or questions to us at concierge@expensify.org or 401 SW 5th Ave, Portland, OR 97204.

If you have general enquiry type questions, you can choose to do this through use a pseudonym. However, if you require information which is specific to your circumstances then it may not be possible for you to deal with us by pseudonym. You acknowledge and agree that when contacting Expensify.org, whether by email, chat, or otherwise, you will not include any personally identifiable information in your communications, and that if such information is included in your communications with Expensify.org, Expensify.org will have no legal obligation or liability with regard to such information.

11. CHANGES TO THIS PRIVACY POLICY

If Expensify.org makes changes to this Privacy Policy, these changes will be posted on the Site in a timely manner. Expensify.org reserves the right to modify this Privacy Policy at any time, so please review it frequently. You acknowledge that the updated policy will apply to the collection, storage, use or disclosure of Personal Data from the date of publication and it is your responsibility to check the Site regularly for updates. You can determine when this Privacy Policy was last revised by referring to the “Last Updated” legend at the top of this page. Any changes to this Privacy Policy will become effective upon our posting of the revised Privacy Policy on the Site. If we make any material changes, we will notify you by email or by means of a notice on this Site prior to the change becoming effective. Use of the Service following such changes constitutes your acceptance of the revised Privacy Policy then in effect. We encourage you to periodically review this page for the latest information on our privacy practices. 

12. AUSTRALIAN PRIVACY RIGHTS

If you are in Australia, our collection, storage, use and disclosure of your Personal Data will be subject to this Privacy Policy and the Privacy Act 1988 (Cth) (Privacy Act). Any part of this Privacy Policy that is illegal, unenforceable or inconsistent with the Privacy Act may be severed from this Privacy Policy and the remaining terms or parts of the term of this Privacy Policy will continue in force.

In addition, the following information applies to you. 

Pseudonymity

If you are making a general enquiry only, you may deal with us through the use of a pseudonym. However, we will not be able to provide you with any specific information about your information if you fail to identify yourself to us.

Data Transfer Disclosure

Personal Data provided to us by Users or Corporate Users located in Australia may be disclosed to service providers located outside Australia, including in the US, including providers of cloud or other types of networked or electronic storage.

Although these third parties are subject to privacy and confidentiality obligations imposed by contract or the regulatory frameworks of the jurisdiction in which those third parties are located, you acknowledge that:

  • they may not always comply with those obligations, or those obligations may differ from the obligations imposed by privacy and data protection legislation in your jurisdiction; and

  • the third party may be subject to foreign laws which might compel further disclosures of personal information (e.g. to government authorities).

Secondary Purpose

You acknowledge that we may use or disclose your Personal Data for a reason other than the reasons set forth in Section 4 (secondary purpose) where the secondary purpose is connected to or associated with a purpose for collection set out in this Privacy Policy, or directly connected to or associated with a purpose for collection if the information is ‘sensitive information’ as that term is defined under the Privacy Act.

13. OVERSEAS DISCLOSURE

Expensify.org is based in the United States, and, unless we expressly agree otherwise, we may host, transfer, and process data, including Personal Information, in the United States and in other countries through Expensify.org and third parties that we use to operate and manage the Service. These countries may have data protection laws that are different from those of your country of residence. When you access or use the Service, or otherwise provide information to us, you are consenting, on behalf of you and your authorized agents, (and representing that you have the authority to provide such consent) to the processing and transfer of information in and to the United States and other countries which may have different privacy laws from your or their country of residence. Expensify.org takes appropriate measures to ensure such transfers are in compliance with applicable laws. 

14. DATA RETENTION

Other than in aggregated, de-identified form as permitted under the Expensify.org Terms of Service, and except as required by applicable law, we will delete or otherwise destroy your Personal Data as soon as practicably possible following your termination or cancellation of your use of the Service.

15. QUERIES, CONCERNS, AND COMPLAINTS

If you have any queries, concerns or complaints about the manner in which we have collected, stored, used or disclosed your personal information, please contact the Data Protection Officer at privacy@expensify.org. We will treat your complaint confidentially and, after investigating your complaint, discuss the ways in which we can remedy the situation. We will ensure that we respond to your complaint within a reasonable time (and in any event within the time required by applicable law). 

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. If your inquiries or complaints regarding our Privacy Policy or use of data that have still not been resolved to your satisfaction within 30 days via the means set forth herein, please contact: