Introduction

Welcome to Xpendless! We are a global fintech company (Xpendless LLC, registered in the Qatar Financial Centre) providing expense management, petty cash handling, out-of-pocket reimbursement solutions, and physical/virtual Mastercard® services for businesses based in the State of Qatar. We are committed to protecting your privacy and handling your personal information in a transparent and secure manner. This Privacy Policy explains what data we collect, how we use and protect it, with whom we share it, and the rights and choices you have. We adhere to international data protection standards, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to ensure your data is handled lawfully and responsibly. By using Xpendless’s websites or mobile applications (“Services”), you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use our Services.

As a company registered in the Qatar Financial Centre (QFC), we are primarily governed by and adhere to the QFC Data Protection Regulations of 2021. We also comply with Qatar's Law No. 13 of 2016 concerning the Protection of Personal Data where applicable. This policy is designed to meet the high standards of these local regulations in addition to global frameworks like the GDPR.

Our Commitment to Regulatory and Security Standards

Xpendless is regulated as a Payment Service Provider by the Qatar Central Bank (QCB). We operate in strict compliance with all applicable QCB regulations and directives concerning data protection, security, and financial services.

Furthermore, we are certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). This is the global standard for securing payment card data. Our PCI DSS compliance means we adhere to stringent technical and operational controls to protect cardholder information. For instance, we do not store your full corporate card number on our systems; instead, we utilize secure tokenization technologies provided by our certified partners.

Information We Collect

We collect personal information that you or others provide to us, as well as data automatically generated when you use our Services. The types of personal data we collect include:

  • Account and Contact Information: When a business owner or administrator creates an account for themselves or their employees on our platform, we collect information such as name, work email address, phone number, company name, job title/role, and login credentials (username and password). If you provide us personal data about another individual (e.g. an employee you register), you confirm that you have the authority or consent to do so and have informed them as required.
  • Identification and Verification Data: To comply with legal requirements (such as Know-Your-Customer (KYC) and anti-money laundering laws) and to issue corporate cards, we may collect identity data. This can include government-issued identification details (e.g. national ID or passport number, driver’s license, date of birth) and any necessary financial identifiers (tax ID or VAT number).

    For identity verification, we use third-party providers such as IdWise to securely process your identity documents and perform eKYC checks. This means IdWise may receive and process your personal information (like your ID document and a live selfie) on our behalf to confirm your identity. IdWise is contractually bound to process this information only for verification purposes and to maintain appropriate security safeguards.

  • Financial and Transaction Information: In providing spend management services, we collect data about expenses and transactions. This includes details of purchases made with Xpendless corporate cards or logged in our platform (merchant name, date, amount, currency, location of transaction if available, and category of expense). It also includes petty cash records and reimbursement requests (e.g. expense descriptions, amounts, dates). If employees submit out-of-pocket expenses for reimbursement, we may collect bank account details or payment information needed to facilitate reimbursement. Corporate card transaction data, including the cardholder name and card details (held in tokenized form, as described above, rather than as the full card number), is processed to manage your spending and provide real-time tracking.
  • Receipts and Uploads: Our platform allows users to upload receipts or invoices as part of expense tracking. If you upload a receipt image or other documentation, we will collect and store that content. Such Receipt Data may include information visible on receipts (merchant info, items purchased) and any notes or metadata you add. We use this information to verify expenses and attach records for your accounting convenience.
  • Communications and Support: If you contact us for support, sales inquiries, or other reasons (via email, phone, or chat), we will collect the information you choose to share in those communications. This may include your contact details and the content of your messages. We retain these communications to address your inquiries and improve our customer service.
  • Device and Usage Data: When you interact with our website or mobile apps, we automatically collect certain technical data. This includes your device type, operating system, browser type, IP address, device identifiers, and usage statistics such as pages or screens visited, features used, links clicked, and time spent. We collect this information to understand how our Services are used, to troubleshoot issues, and to secure our platform. We may also infer your general location from your IP address for fraud prevention and to optimize our service (e.g. language or regional settings).
  • Cookies and Similar Technologies: Xpendless uses cookies and session tokens to provide and secure our Services. For example, when you log in, we place a session cookie to keep you authenticated and automatically log you out after a period of inactivity for security. We also use cookies or similar trackers to remember your preferences and to gather analytics about our web traffic. These technologies collect information like browser type, pages viewed, and referral links. We do not use cookies for advertising or profiling purposes at this time (no third-party ad or marketing cookies). You can control or delete cookies through your browser settings; however, essential cookies (like login sessions) are necessary for our site to function. (Please see our Cookies Policy for more details, if applicable.)

We may also obtain information from third-party sources in connection with our Services. For instance, if your company integrates Xpendless with other systems (such as an accounting software or HR system), we might receive relevant data from those systems (e.g. employee lists or expense records) to sync accounts. Additionally, our card issuing partner and payment processors (e.g. banks, card network) may share information with us related to card issuance and transactions (such as card activation status, transaction authorizations, or fraud alerts). We treat any personal information obtained from third parties in line with this Privacy Policy and any additional restrictions imposed by the source.

Sensitive Personal Data: We do not actively seek to collect sensitive personal data unless necessary. Sensitive data may include information like race or ethnic origin, health details, precise geolocation, etc. Our Services are focused on business expense data, and we ask that you refrain from storing any unnecessary sensitive personal information on our platform. If we do need to process any sensitive data (for example, a government ID for KYC), we will do so in compliance with applicable laws and only for the required purpose.

Please note that providing personal data is often necessary for us to serve you. If certain information is not provided (such as identity verification or account setup details), we may not be able to offer the requested Services or features. We will indicate what information is optional and what is required during collection.

How We Use Your Information

Xpendless uses personal information solely for legitimate business purposes and as required by law. The primary purposes for which we process your data include:

  • Providing and Improving the Service: We use collected information to operate Xpendless and deliver our features to you. This includes using personal data to register your account, authenticate you at login, and facilitate your expense management activities (e.g. recording transactions, administering corporate card programs, processing reimbursements, and generating expense reports). We also analyze usage data and feedback to understand performance and improve our platform’s functionality, user interface, and offerings. This processing is generally necessary to fulfill our contract with you (or your company) and to continually enhance our service.
  • Card Issuance and Transactions: If your company utilizes Xpendless corporate cards, we use personal and company information to issue and administer these cards in partnership with our licensed card issuing partner (such as NymCard) and our verification provider IdWise. For example, we provide IdWise with the necessary identification data to perform eKYC verification checks before a card can be issued.
  • Compliance with Legal Obligations: As a fintech service, we are often required by law to process certain personal data. We will use your information to meet obligations under financial regulations, such as anti-money laundering (AML), KYC identity verification, sanctions screening, and record-keeping requirements. For instance, identification documents or personal identifiers may be processed to verify your identity and to allow us to open or maintain an account in compliance with banking regulations. We also retain transaction records as mandated by law for auditing and financial reporting. Additionally, if we receive lawful requests from public authorities (e.g. law enforcement or regulatory agencies), we may process and disclose personal data as required to comply.
  • Security and Fraud Prevention: Keeping your data secure is a top priority. We process personal and usage data to monitor for and prevent fraudulent transactions, unauthorized access, hacking attempts, or other malicious activities. This includes using signals such as device information, login history, and IP addresses to detect anomalies and enforce security (for example, we might alert you or block a login if it appears suspicious). We also use your information to implement security features such as multi-factor authentication and automatic logouts (based on session cookies) to protect your account.
  • Communications and Customer Support: We use contact information (like your email and phone number) to send you critical Service-related communications. These include confirmations of account actions, notifications about transactions or approvals, alerts about policy or security updates, and responses to your support inquiries. Such communications are considered part of our Services. Currently, we do not send any promotional or marketing emails without your explicit consent. If you have opted to subscribe to our news or updates, we will use your email to provide those newsletters, but you can opt out at any time. Rest assured, we do not engage in spam and we will not contact you for advertising purposes.
  • Analytics and Product Development: We may use aggregated and de-identified data (data that cannot identify you personally) to analyze trends, track the overall usage of our Services, understand how features are performing, and develop new products or features. This helps us make informed business decisions and improve user experience without using personal information in an identifiable way.
  • Enforcing Terms and Legal Claims: We may process personal data as needed to enforce our Terms & Conditions and other agreements, to investigate potential violations, and to protect the rights and safety of Xpendless, our users, or others. This includes using information to assert or defend against legal claims and to resolve disputes.

Legal Bases for Processing (GDPR): If you are located in the European Economic Area (EEA), United Kingdom, or a country with similar data protection laws, we only process your personal data when we have a valid legal basis. These bases include: (a) fulfilling a contract with you or your company (providing the Services you requested); (b) complying with our legal obligations; (c) our legitimate interests (such as improving our Services, preventing fraud, securing our system, or communicating with you as a business contact), except where those interests are overridden by your data protection rights; and (d) your consent, where applicable. For example, we would seek your consent before using your data for any purpose that requires consent (like sending optional marketing communications or using certain non-essential cookies). Where we rely on consent, you have the right to withdraw it at any time.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you without human involvement. In other words, we are not profiling you or making algorithmic decisions about eligibility for services, creditworthiness, or the like, solely based on your data. All processing of your information involves appropriate human oversight and is done only for the purposes outlined above.

Cookies and Tracking Technologies

As noted, Xpendless uses cookies and similar technologies in our web and mobile interfaces. Cookies are small text files placed on your device to store information, which our website can read on subsequent visits. We use cookies to:

  • Maintain Sessions: We utilize session cookies to keep you logged in as you navigate through our site or app. These cookies are essential for allowing you to use authenticated areas of the service. For security, session cookies will expire or invalidate after a set time, requiring you to log in again (this helps protect your account if you step away). We also use cookies to implement features like remembering that you have logged in before (so you don’t always have to re-enter credentials within a short timeframe).
  • Security: Certain cookies or similar tokens help us prevent fraudulent use of the platform. For example, we may use cookies to throttle repeated failed login attempts or to track login patterns that could indicate misuse. These are part of our broader security measures to safeguard your data.
  • Preferences and Functionality: We may use cookies to remember your preferences (such as your chosen language or display settings) to provide a more personalized experience. These ensure that when you return to the site, we can recall your custom settings.
  • Analytics: To understand how our website and Services are performing, we may use first-party or third-party analytics tools (for example, Google Analytics) that deploy cookies or similar technologies. These analytics cookies collect information about your usage of our site (pages viewed, actions taken, time on page, etc.) and help us improve functionality and user experience. The information collected is typically aggregated and does not directly identify you. You can opt-out of many analytics providers by using browser or device settings or dedicated opt-out mechanisms provided by those providers.

Importantly, we do not use advertising cookies and do not allow third-party advertisers to track you on our site. We do not share cookie data with third parties for their own marketing or targeting purposes. At this time, we also do not respond to “Do Not Track” signals from web browsers because there is no standardized industry protocol for such signals; however, we only use cookies as described above.

You have choices in managing cookies. Most browsers allow you to refuse new cookies, delete existing cookies, or be notified before a cookie is set. Please note that if you disable or delete cookies, some features of our Service (particularly those requiring login) may not function properly. For more information on cookies and how to control them, see our Cookies Policy or your browser’s help documentation.

How We Share Personal Data

We value your privacy and do not sell your personal information to third parties. However, in order to run our business and provide Services, we sometimes need to share personal data with third parties, as detailed below. Whenever we share data, we ensure there is a valid legal basis for the sharing and that appropriate safeguards are in place to protect your information. The categories of recipients of personal data include:

  • Service Providers ("Processors"): These are third-party companies we engage to perform services on our behalf, who need access to certain personal information to carry out their tasks. Examples include cloud hosting providers, IT infrastructure and database services, email and notification delivery services, analytics providers, customer support software, and verification/KYC service providers. We use Google Cloud Platform (GCP) as our primary cloud hosting provider, which means your data may be stored on GCP’s secure servers. Our service providers are bound by confidentiality and data protection obligations; they are not allowed to use your data for any purpose other than to provide services to Xpendless, and they must meet high security standards.

    In particular, we use IdWise as a trusted eKYC partner to verify user identities. IdWise processes identity documents and biometric data on our behalf strictly for verification and compliance purposes.

  • Card Issuing and Payment Partners: If your company uses the Xpendless card program or any payment services through our platform, we share relevant information with our banking and card issuance partners. For example, we partner with a regulated card issuer (such as NymCard) to issue our prepaid Mastercards. We provide them with the necessary personal and business data for card issuance (cardholder name, company, and KYC info) and they process card transactions over the Mastercard network. Similarly, if we facilitate reimbursements or other payments, we may share data with the payment processor or bank handling the transfer (e.g. employee name, account number, and the transaction amount for a reimbursement). These partners are also required to protect your data and use it only as needed to provide their services. All sharing of cardholder data is done in a secure, tokenized manner that complies with PCI DSS requirements to ensure your payment details are protected at all times.
  • Business’s Authorized Users: If your account is part of an organization’s Xpendless subscription (for instance, you are an employee of a company using Xpendless), certain data will be shared with other authorized users in your organization. For example, your managers or administrators may see your submitted expenses, transaction details, or profile information in order to manage the company’s expenses. All users within a company are generally bound by internal policies and our Terms to handle any personal data viewed through the Service appropriately.
  • Integration Partners: Xpendless offers integration with third-party applications (for example, accounting software or HR systems) to streamline your workflows. If you choose to connect Xpendless with another service, we will, with your direction, share the necessary data with the specified third-party integration. For instance, if you integrate an accounting system, we might transfer expense records or receipt images to that system as you instruct. We will only share data with integration partners at your request and as needed to fulfill the integration. Please note that any data sent to a third-party platform will be governed by that platform’s privacy practices.
  • Affiliates and Corporate Transactions: At present, Xpendless is a standalone company. If in the future we establish subsidiaries, affiliates, or go through a business transaction such as a merger, acquisition, or asset sale, your personal data may be shared with the parties involved (e.g. a new owner or merged entity) as part of that process. If such a transfer occurs, we will ensure the recipient of the data commits to the same level of privacy protection outlined in this Policy, and we will notify you of any change of ownership or use of your personal information.
  • Legal and Regulatory Disclosures: We may disclose personal information to courts, law enforcement, regulators, government authorities, or other third parties when we believe it is legally required to do so or when necessary to protect our rights. Examples include responding to subpoenas or court orders, cooperating with regulatory examinations, or disclosing data to detect and address fraud or security issues. We will make such disclosures only to the extent we are compelled or permitted by applicable law, and we will always consider your privacy rights in these situations.
  • Professional Advisors: In certain cases, we may need to share data with our professional advisors such as attorneys, auditors, insurers, or consultants. This would only be done on a need-to-know basis and under strict duties of confidentiality. For instance, if we seek legal advice on a compliance issue that involves personal data, we might have to disclose limited information to our lawyers. Similarly, during an audit or insurance claim review, relevant data might be reviewed by auditors or insurers. These parties are bound to keep the information confidential and use it only for the purpose of providing their services to us.

In all cases of sharing, we strive to minimize the personal data disclosed to what is directly relevant and necessary for the specific purpose. We do not allow any third party with whom we share data to use it for their own marketing or other unrelated purposes. For example, our service providers cannot add your information to their marketing lists, and our card issuing partner will not use your details to market to you independently. If we ever want to share your information for any purpose outside of those described above, we will obtain your consent where required or provide you with an opportunity to opt out.

Data Residency and International Transfers

Xpendless is committed to protecting your data and complying with local data residency requirements. Our primary cloud infrastructure is hosted on Google Cloud's data centers located within the State of Qatar. This means that the personal and financial data for our Qatar-based clients is processed and stored locally.

In limited and specific circumstances, we may need to share data with service providers or payment partners located outside of Qatar to provide our Services. For example, processing an international card transaction involves sharing data across the global Mastercard network. When such a transfer is necessary, we ensure it is done in compliance with the QFC Data Protection Regulations and Qatari law. To provide an adequate level of protection for your data, these transfers may rely on safeguards such as European Commission-approved Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements with the receiving party, which legally obligate them to protect your data to EU/UK standards. We may also rely on other valid transfer mechanisms, such as where the transfer is necessary for the performance of a contract with you, or with your explicit consent in certain cases.

You can request more information about our international data transfer safeguards (or copies of relevant agreements, where applicable) by contacting us. Our aim is to ensure that your personal data enjoys robust protection and security, no matter where it is handled.

Note for Users in Qatar: As a QCB-regulated entity, Xpendless complies with all applicable data transfer and data localization laws in the State of Qatar. Where required by regulation, specific data, particularly sensitive financial and customer verification data, is processed and stored in-country. For all other data, by using our Services, you acknowledge that your data may be transferred internationally as described in this Policy and protected by the safeguards mentioned above.

Data Security

We take data security very seriously at Xpendless. We implement a variety of technical and organizational measures to protect your personal information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit (e.g., using HTTPS/TLS for our website and apps) and encryption at rest where applicable, firewalls and network security controls to safeguard our infrastructure, and access controls ensuring that personal data can only be accessed by employees or contractors who have a legitimate business need (and even then, under strict confidentiality obligations). We also maintain a robust authentication system, including strong password requirements and multi-factor authentication, to prevent unauthorized account access.

Our commitment to security is validated by our compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Our platform and its infrastructure undergo regular security assessments and penetration testing. We ensure our developers follow secure coding practices and our systems are kept up-to-date with security patches. We leverage the enterprise-grade security of our cloud hosting provider (Google Cloud Platform), which includes physical security at data centers, redundancy, and built-in protections. Additionally, we monitor our systems for unusual activity and have incident response plans in place to handle any potential security breaches swiftly.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security. However, in the unlikely event of a data breach affecting your personal information, we will notify you and the relevant authorities as required by law, and we will take all necessary steps to mitigate the impact and prevent recurrence.

You also play a role in keeping your data secure. We encourage you to maintain the confidentiality of your login credentials, use a strong unique password, and notify us immediately if you suspect any unauthorized access to your account.

Data Retention

We will retain your personal data for as long as necessary to fulfill the purposes we collected it for, including to provide you the Xpendless Services and as required to satisfy any legal, accounting, or reporting obligations. The specific retention periods can vary depending on the type of data and the context of processing:

  • Account Information: If you have an account with Xpendless, we keep your account data while your organization remains an active customer. This allows us to provide the service continuously. If your company’s subscription ends or your user account is deleted, we will either delete or anonymize personal data within a reasonable period after account closure, unless we need to keep it for legal reasons.
  • Transaction and Financial Records: As a regulated entity, Xpendless is required by the Qatar Central Bank (QCB) to retain financial records for a minimum of 10 years after the end of the business relationship or the date of the last transaction. Therefore, all expense records, transaction histories, invoices, KYC documentation, and related financial data will be securely retained for this mandated period, even after an account is closed. This retention is necessary to comply with our legal and regulatory obligations for audit, anti-money laundering (AML), and fraud prevention purposes.
  • Communications: If you correspond with us (support tickets, emails), we may retain those communications as long as needed to address your request and for our training or quality assurance purposes. Chat logs or call recordings (if any) will be kept only as long as necessary and then deleted or anonymized according to our policies.
  • Logs and Analytics: Usage logs and analytics data are generally retained for a shorter period for performance analysis and security monitoring, then either deleted or aggregated. For instance, web server logs containing IP addresses may be kept for a few months and then purged or anonymized, unless we need to retain them longer (e.g., for an ongoing security investigation).
  • Legal Holds: In the event of a dispute, investigation, or legal proceeding, we may need to preserve relevant information beyond our standard retention periods. In such cases, we will retain the data until it is no longer needed for the legal matter, after which we will securely delete it.

Once we have no ongoing legitimate need or legal obligation to keep your personal data, we will ensure it is either securely erased or irreversibly anonymized (so that it can no longer be associated with you). If deletion is not feasible (for example, because the data is stored in secure backups), we will isolate and protect the data from further use until deletion is possible.

Please note that, due to the way our systems are designed with backups and archival systems, residual copies of your information might not be immediately removed from all storage systems when you delete data or when we fulfill a deletion request. However, we will ensure that your data is no longer active in our production systems and will remove or overwrite such data from backups according to our deletion practices.

Your Privacy Rights and Choices

You have rights and choices regarding your personal information. Xpendless is committed to enabling you to exercise these rights:

Rights for EEA, UK, and Other Regions (GDPR and Similar Laws)

If you are in the European Economic Area (EEA), United Kingdom, or other jurisdictions with comparable data protection laws, you have the following data subject rights regarding your personal information:

  • Right to Access: You can request confirmation of whether we are processing your personal data, and if so, request a copy of the data we hold about you. We will provide this information, along with details on the purposes of processing, the categories of data, and the parties with whom it’s shared, subject to some exceptions (for example, we might not be able to disclose information that would violate another person’s privacy or that we are legally prevented from sharing).
  • Right to Rectification: If any of your personal information is inaccurate or incomplete, you have the right to ask us to correct or update it. We encourage you to correct basic details by logging into your account settings (where possible), and you can also contact us for assistance to ensure your data is up to date.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances (this is sometimes called the “right to be forgotten”). For example, you can ask us to erase data if it’s no longer necessary for the purpose we collected it, or if you withdraw consent and we have no other legal basis to keep it, or if you object to processing and we have no overriding legitimate grounds. Please note that this right is not absolute – sometimes we may retain certain information if required for legal obligations or legitimate interests (we will inform you if such an exception applies).
  • Right to Restrict Processing: You can ask us to limit the processing of your personal information in certain scenarios. This could apply if you contest the accuracy of your data (for a period enabling us to verify it), or if you believe our processing is unlawful but you prefer restriction over deletion, or if you need us to keep data solely for legal claims while we would otherwise delete it. When processing is restricted, such data will be marked and only processed for the limited reasons applicable.
  • Right to Data Portability: You have the right to receive a copy of certain personal data in a structured, commonly used, machine-readable format, and to have that information transmitted to another service provider (when technically feasible). This right applies to personal data you provided to us, which we process by automated means and on the legal basis of your consent or for performance of a contract. For example, you may request an export of the personal information you provided in your account profile.
  • Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests (or those of a third party) and you have a specific situation that makes you object. If you raise an objection, we will evaluate whether our legitimate grounds for processing override your privacy rights. You can always object to personal data being used for direct marketing purposes – in practice, Xpendless does not send marketing communications without consent, but if you receive any, you can opt-out easily (e.g., by using the “unsubscribe” link or contacting us).
  • Right to Withdraw Consent: In cases where we rely on your consent to process personal data (for example, if you explicitly agreed to receive a newsletter), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it will not affect processing under other legal bases. If you withdraw consent, we will stop the relevant processing activity that was based on consent.

To exercise any of these rights, please contact us using the contact information in the Contact Us section. We may need to verify your identity and residency to ensure we are fulfilling requests from the correct individual. We will respond to your request within the timeframes required by law (generally within one month for GDPR, with the possibility of an extension in certain cases). Some rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep. We will inform you if we cannot fulfill any part of your request due to such limitations.

Additionally, if you believe we have infringed your data protection rights, you have the right to lodge a complaint with a supervisory authority. For EU users, this would typically be the data protection authority in your country (for example, in France the CNIL, in Germany the BfDI, etc.). For UK users, it is the Information Commissioner’s Office (ICO). We encourage you to contact us first, and we will do our best to address your concerns.

Additional Disclosures and Rights for California Residents

If you are a resident of California, U.S.A., you are protected by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Under the CCPA/CPRA, California consumers have specific rights regarding their personal information, including:

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell or share (note: Xpendless does not sell your data, as explained below). This includes the right to request that we disclose the categories of personal information we have collected about you, the categories of sources of that information, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you. Essentially, you can request a report outlining your personal data that we have handled in the past 12 months.
  • Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. Once we receive and confirm a verifiable consumer request from you, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. For example, we may deny your deletion request if retaining the information is necessary for us or our service providers to complete a transaction you requested, detect security incidents, comply with a legal obligation, or other exceptions permitted by CCPA. We will inform you of any such exceptions that apply.
  • Right to Correct: You have the right to request that we correct any inaccurate personal information that we maintain about you. Upon verifying your identity and the accuracy issue, we will correct the information as you direct, taking into account the nature of the personal information and the purpose for which we process it.
  • Right to Opt Out of Sale or Sharing: The CCPA gives you the right to opt out of the “sale” of your personal information to third parties, as well as the right to opt out of “sharing” your personal information for cross-context behavioral advertising purposes. However, Xpendless does not sell personal information to third parties for monetary consideration, and we also do not share your personal information for targeted advertising. In other words, we do not exchange your data with third parties for them to market to you. Because we do not engage in selling or sharing as defined by CCPA, we do not provide a “Do Not Sell or Share My Info” link at this time. If our practices change, we will update this Policy and provide appropriate opt-out mechanisms.
  • Right to Limit Use of Sensitive Personal Information: If we collect “sensitive personal information” (as defined by CPRA – e.g. government ID numbers, financial account login, precise geolocation, race/ethnicity, etc.), California residents have the right to limit our use or disclosure of that sensitive data to only what is necessary to perform the services or provide the goods (or other exempt purposes). Xpendless’s use of sensitive personal info is already limited to essential purposes (for example, using an ID number strictly for compliance checks). We do not use sensitive information for purposes like profiling or secondary uses that would trigger this right. Should that ever change, we will honor your right to limit use of such data.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us for exercising any of your CCPA rights. This means we will not deny you our services, charge you a different price, or provide a lesser quality of service just because you exercised your privacy rights. The CCPA does allow businesses to offer certain financial incentives that might relate to the value of your data (for example, a loyalty program), but we will not do so without providing you a clear notice and obtaining your opt-in consent to such a program. At this time, Xpendless does not offer financial incentive programs in exchange for personal information.

Submitting CCPA Requests: If you are a California resident and would like to exercise your Right to Know, Right to Delete, or Right to Correct, you (or an authorized agent acting on your behalf) can submit a verifiable consumer request to us through the contact methods listed in the Contact Us section. Please indicate that you are making a “CCPA Request” and specify the nature of your request (access/knowledge, deletion, correction, etc.). We will need to verify your identity to process the request – this may involve matching information you provide with the data we have on file (such as confirming your email address or other basics). In some cases, we might ask for additional information to confirm you are the person (or an authorized agent of the person) whose data is the subject of the request. You can designate an authorized agent (for example, someone with power of attorney or a registered agent with the California Secretary of State) to make requests on your behalf, but we will require proof of such authority and still verify your identity directly in most cases. We aim to respond to verifiable requests within 45 days as required by CCPA (or up to 90 days if we notify you of the need for an extension).

Shine the Light: Separately from CCPA, California’s “Shine the Light” law (Civil Code § 1798.83) allows residents to request certain information regarding disclosure of personal data to third parties for their direct marketing purposes in the preceding calendar year. Xpendless does not disclose personal information to third parties for their own direct marketing purposes without consent. Nevertheless, if you are a California resident you may submit a request to the contact address below to receive information about any such activities in the prior year, and we will provide a response as required by law.

Children’s Privacy

Our Services are not directed to children, nor do we knowingly collect personal information from individuals under the age of 18. Xpendless is a business-oriented platform meant to be used by companies and their authorized employees; it is not intended for personal household use by minors. If you are under 18, you should not use Xpendless or provide any personal information to us. In the unlikely event that we have collected personal data from a child under 18 (for example, if a minor attempts to register or is erroneously added as an employee by a company without our knowledge of their age), please contact us immediately. We will promptly take steps to delete such information from our records. Parents or legal guardians who believe their child under 18 may have provided personal data to us can also reach out to request deletion. We do not sell the personal data of minors under 16 years of age without affirmative authorization, in accordance with CCPA.

Updates to this Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Last Updated” date at the top of this Privacy Policy. If the changes are significant, we will provide a more prominent notice, such as via email notification to account owners or a notice on our website or in the app. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

Your continued use of Xpendless Services after any updates to this Policy constitutes your acknowledgment of the changes and consent to the updated terms, to the extent permitted by law. If you do not agree with any updated terms, you should discontinue using the Services and may request that we delete your personal data as per your rights described above.