Privacy policy

Last Updated: January 2025 (Version 0.5)

Spendesk, a simplified joint stock company registered with the Paris Trade and Companies Register under number 821 893 286 and having its registered office at 51, rue de Londres - 75008 Paris (France), provides an expense management platform for businesses, available on the web and as a mobile app (hereinafter the “Platform”), and publishes the websites accessible at www.spendesk.com and www.cfoconnect.eu/en/ (hereinafter the “Website”).

A. Overview / Introduction

Capitalised terms in this policy have the meaning attributed to them (a) in the General terms and conditions, or (b) failing that, in the General Data Protection Regulation (GDPR).

As part of its activities, Spendesk is required to process Personal Data belonging to various categories of persons.

Personal Data means any information relating to an identified or identifiable natural person; an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a telephone number, an email address, location data or an online identifier.

By subscribing to and/or using the Website and/or the Platform, you acknowledge and accept that Spendesk processes certain Personal Data concerning you, as well as certain information on expenses incurred with the tools and/or recorded via the Platform. In addition, Spendesk puts in place security measures aimed at guaranteeing the confidentiality, integrity and availability of your Personal Data and limiting access only to persons with a need to know.

This Privacy Policy aims to describe how Spendesk processes your Personal Data for the purposes indicated below and to inform you of your rights in this respect. It may be subject to updates, particularly in the event of changes to the Personal Data Regulation or in the event of processing updates. The applicable version is the one available on the Website on the day you use the latter and/or the Platform.

Below you will find the main answers to the questions you may have about Spendesk’s Personal Data protection commitments.

B. Spendesk Data Protection Officer

To supervise Spendesk’s commitments and its compliance with the Personal Data Regulation, Spendesk has appointed a Data Protection Officer (DPO), who can be contacted by email (privacy@spendesk.com).

C. Processing description

As part of the processing of your Personal Data, Spendesk may have the status of Data Controller or data processor. The specific terms of these statuses are set out below.

1. Spendesk, as independent Data Controller

In accordance with the Personal Data Regulation, the Data Controller is the legal or natural person that determines, alone, the means and purposes of processing Personal Data.

Spendesk processes the following Personal Data in its capacity as Data Controller:

| Processing purpose(s) | Data subject categories | Nature of the data processed | Legal basis | Retention period(s) |
| --- | --- | --- | --- | --- |
| Monitoring of the recruitment process | Candidates | Last name, first name, phone number, email address, CV | Spendesk’s legitimate interest, Consent | If consent, up to two (2) years after the end of recruitment |
| Tracking of browsing on the Website (see details in the Cookies Policy*) | Internet users | Cookie ID, IP address, browsing information | Consent | Details of the retention periods are provided in the Cookies Policy* |
| Management of the marketing relationship: invitation to events, newsletters, recategorisation as a prospect | Marketing contact | Last name, first name, telephone number, email address | Spendesk’s legitimate interest, Consent | Up to three (3) years after the last contact |
| Relationship management in Spendesk communities | Member(s) of the community | Last name, first name, email address, telephone number, company, position, Slack ID | Spendesk’s legitimate interest, Consent | Up to three (3) years after the last contact |
| Commercial prospection | Prospects | Last name, first name, email address, phone number, company, position | Spendesk’s legitimate interest, Consent | Up to three (3) years after the last contact |
| Sales and contract management with the Spendesk Customer | Customer’s sales contact | Last name, first name, phone number, email address, company, position | Spendesk’s legitimate interest, Performance of pre-contractual measures | For the duration of the contractual relationship and up to five (5) years after the end of the business relationship |
| Research and development | Internet users, Users | Browsing data, cookie ID or other tracker(s), device ID(s) (IP address, IDFA, ADID, etc.), session | Spendesk’s legitimate interest, Consent | Depending on the project |
| Video and audio recording of calls for the purposes of improving Services, training and monitoring Spendesk staff performance | Employee, Prospect, Customer, User | Last name, first name, phone number, email address, voice, image | Spendesk’s legitimate interest, Consent | Up to six (6) months after the date of the recording |
| Notification of incidents via the page https://spendesk.statuspage.io/ | Person who subscribed to the notification | Phone number, email address, Slack identifier | Consent | Until opting out of notifications |
| Supervision of User accounts | Users | Last name, first name, company, position, financial transactions | Spendesk’s legitimate interest, Consent | During account’s supervision |
| Systems’ security / Detection, prevention and mitigation of fraudulent or other illegal activities | Candidates, Employees, Users | Login data (User ID, device ID, logs), IP address | Spendesk’s legitimate interest | Up to three hundred and sixty-five (365) days after collection of the login logs |

*Cookies Policy: https://www.spendesk.com/en/legals/cookies-policy/.

With regard to the management of the Spendesk community (CFO Connect), members authorise Spendesk to use their data for the purposes of commercial prospecting and advertising targeting, in compliance with their rights as set out in this Data Protection Policy.

The Personal Data processed by Spendesk as an independent Data Controller is collected either directly from you or indirectly under partnership agreements, services mandated by Spendesk, via social networks (Personal Data that you have made public) or through the use of cookies, pixels, trackers and similar items. For more information on Cookies and other trackers, Spendesk invites you to view the Cookies Policy.

2. Spendesk as joint Data Controller with Spendesk Financial Services (EEA Customers and Users)

In accordance with the Personal Data Regulation, Joint Data Controllers are the entities that jointly determine the purposes and means of a Processing.

For the provision of Payment Services and in accordance with applicable regulations, Spendesk and SFS SAS also process Personal Data as joint Data Controllers. The respective roles of each of the joint Data Controllers are defined in a joint controllership agreement in accordance with the applicable regulations; the information useful to the Customer is provided in the information note available on the Spendesk website.

3. Spendesk as Data Processor

In accordance with the Personal Data Regulation, the data processor is the legal or natural person that processes the Personal Data on behalf of and on the instructions of the Data Controller. 

With regard to the Processing carried out in the context of and for the purposes of using the Platform, Spendesk processes Users' Personal Data as a Data Processor on behalf of its Customer acting as Data Controller. Details of the Processing carried out by Spendesk as Data Processor are available in Appendix A of the Data Processing Agreement concluded with the Customer, which can be accessed here.

Personal Data is collected either directly from Users entering their personal information in their User account, or indirectly through the Customer, as Data Controller, who imports Users' Personal Data to enable them to access their User account (in particular in the context of API integration of third-party platforms into the Platform).

D. Recipient of Personal Data

In order to provide you with the Services, Spendesk may transmit some of your Personal Data to third parties.

1. Transmission of your Personal Data to Data Processors

Your Personal Data may be transmitted to service providers which Spendesk uses to carry out all or part of the Processing described above.

Spendesk chooses its subcontractors with the utmost care and uses only subcontractors that provide sufficient guarantees in terms of GDPR and security compliance. Data Processors only have access to Personal Data that is strictly necessary to perform their tasks and are not authorised to use your Personal Data for any other purpose. In addition, we have concluded agreements with each of them to ensure the protection and confidentiality of your Personal Data, as well as their Processing in compliance with the GDPR.

As a Customer and User of the Platform, you can find the list of Data Processors involved in the provision of the Services on the following page: https://www.spendesk.com/en/legals/subprocessors.

2. Transmission of your Personal Data to Independent Data Controllers

Some of your Personal Data may also be transmitted to service providers who act as independent Data Controllers when you wish to access certain services.

These Data Controllers are separate entities from our organisation, which autonomously determine the purposes and means of the Processing of Personal Data that we transmit to them in order to provide the services. When we share your Personal Data with these entities, we ensure that this transmission is carried out securely. 

You will find below the list of service providers acting as independent Data Controllers for certain services:

Payment service providers:

Digital wallet providers:

We invite you to consult their data protection policies (links above) to find out more about the Processing carried out by these partners.

3. Transmission of your Personal Data to Spendesk Financial Services, as joint Data Controller (EEA Customers and Users)

As part of the use of the Platform, Spendesk SAS and Spendesk Financial Services SAS are required to process together, as joint Data Controllers, specific Customer Personal Data in order to provide the Payment Services and to meet their legal and contractual obligations.

We invite you to consult the Information Notice on the Processing of Personal Data carried out by Spendesk Financial Services SAS and Spendesk SAS to find out more about these Processing operations.

4. Transmission of your Personal Data to the authorities

Spendesk may be required to communicate all or part of your Personal Data to public authorities, government bodies or other financial institutions, in accordance with a law, a regulation or a decision of a competent regulatory or judicial authority.

We undertake to comply with all legal rules that may prevent, restrict or regulate the disclosure of information or data and in particular to comply with applicable data protection regulations.

E. Security measures

Spendesk places the utmost importance on the security of the Personal Data entrusted to it. In accordance with the Personal Data Regulation, Spendesk undertakes to take all necessary precautions to preserve the security of the Personal Data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access, as well as against any other form of unlawful processing or disclosure to unauthorised persons.

As such, Spendesk:

  • implements security practices and measures in accordance with our industry standards to ensure the integrity, availability and confidentiality of your Personal Data;

  • implements a policy for managing rights to access your Personal Data based on the principle of least privilege, need to know and function (Role-Based Access Control);

  • implements technical and organisational measures and procedures to safeguard and preserve the Personal Data processed and ensures its confidentiality, in line with the access management policy;

  • ensures that it only uses partners and/or subcontractors that meet the security requirements requested by Spendesk;

  • performs regular security controls and audits on its systems to be able to attest to their robustness.

F. Hosting and transfer of Personal Data

The Personal Data processed by Spendesk is hosted on secure servers within the European Union.

In the event that Personal Data is transferred outside the European Union, Spendesk undertakes to implement the measures required by the Personal Data Regulation (transfer to a country designated as adequate by the European Commission, signature of the European Commission's Standard Contractual Clauses, additional security measures, etc.).

G. Your rights over your Personal Data

In accordance with the Personal Data Regulation, you have at any time a right of access, rectification, restriction, erasure and deletion of Personal Data concerning you, as well as a right to object and a right to portability.

You may also send us in advance your instructions regarding how your Personal Data is handled after your death.

To exercise your rights, or to learn more about them, you can contact our Data Protection Officer:

  • by post: Spendesk SAS - Data Protection Officer (DPO) - 51 rue de Londres, 75008 Paris, France;

  • by email: privacy@spendesk.com

We will respond to your request within thirty (30) days, possibly renewable, and may request a copy of your identity document for verification only.

However, we may not respond to some of your requests to exercise rights, in particular where the processing of your Personal Data is necessary for the performance of the current contract or the processing is carried out pursuant to a legal obligation applicable to Spendesk.

Regarding requests relating to the Personal Data processed as part of the Platform, you may at any time edit your personal identification data (title, first name, last name, email, telephone number, password) by logging into the “My profile” section of your account, in accordance with the Platform identification and use policy possibly implemented by your employer.

You can request the exercise of your rights by contacting your employer (data controller), as well as by writing to us directly at privacy@spendesk.com. We will inform your employer of the nature of your request and the action to take.

If you consider that Spendesk is not complying with its obligations regarding the protection of Personal Data or is failing to respond to your requests satisfactorily, you may refer the matter to the French supervisory authority - National Commission for Information Technology and Civil Liberties (CNIL) - via its website (www.cnil.fr/en) or by post (CNIL, Service des Plaintes, 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07).

Lastly, in accordance with the provisions of article L.561-45 of the French Monetary and Financial Code, you must send your right of access request relating to the processing carried out as part of our obligations relating to AML-CFT indirectly to the French supervisory authority, the National Commission for Information Technology and Civil Liberties (CNIL).

To learn more about your Personal Data protection rights, visit the CNIL website at www.cnil.fr/en.