Update: July, 2022
Spendesk, a simplified joint stock company registered in the Paris Trade and Companies Register under No. 821 893 286, having its registered office at 51 rue de Londres - 75008 Paris (France), offers an intuitive solution that helps companies to better manage, pay and monitor their professional expenses (hereinafter the “Spendesk Solution”) and publishes the websites at www.spendesk.com, blog.spendesk.com et www.cfoconnect.eu (hereinafter the “Website”).
The provision and use of the Spendesk Solution and the Website require the processing of certain Personal Data. Personal Data may include information that we collect relating to (i) persons who visit the Website and/or transmit Personal Data via the Website, and/ or (ii) employees and collaborators authorised by their employer to use the Spendesk Solution to manage their professional expenses (hereinafter the “Users”, the “User”, “You”, “Your” (plural) and “Your” (singular)).
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an email address, location data, an online identifier.
By subscribing to and/or using the Website and/or the Spendesk Solution, You acknowledge and agree that Spendesk may process certain Personal Data concerning You, as well as certain information about the expenses made with the tools and/or recorded via the Spendesk Solution.
Spendesk places the greatest importance on the security and integrity of the Personal Data entrusted to it. Spendesk undertakes to take all necessary precautions to preserve the security of Personal Data and, in particular, to protect Personal Data against any accidental or unlawful destruction, accidental loss, corruption, distribution or unauthorised access, as well as against any other form of unlawful processing or disclosure to unauthorised individuals.
To this end, Spendesk implements security measures that comply with our industry’s standards to protect Personal Data from unauthorised disclosure. In addition, to avoid any unauthorised access and to guarantee the accuracy and proper use of Personal Data, Spendesk has implemented appropriate electronic, technical and organisational measures to safeguard and preserve the Personal Data collected through its services.
Spendesk has appointed a Data Protection Officer (DPO), who can be contacted by email (email@example.com) and whose role is, in particular, to ensure that Spendesk complies with the French Data Protection Act of January 6th 1978 (as amended), the EU General Data Protection Regulation of April 27th 2016 and any other applicable laws regulating the processing of Personal Data (hereinafter the “Data Protection Regulations”), and to respond to any requests and questions that are submitted.
Please find below the main answers to the questions You may ask about Spendesk’s commitments to the protection of Personal Data.
I. How is Your Personal Data collected and processed by Spendesk?
1) Personal Data collected by Spendesk
Spendesk is the “data controller” of Personal Data collected via e.g. its Website.
1. What Personal Data is collected?
In addition, Personal Data relating to Your identity (surname, first name, email address (professional and/or personal), telephone number, if applicable Your CV) may be sent to us by You via the Website when You contact us using contact forms, request a demonstration, or if You respond to a Spendesk job opening.
If You send Personal Data, documents or information to us via the Website, please check that this information does not contain any unnecessary confidential or sensitive data (for example, social security number, driver's license number, medical data, confidential information about Your company or employer, etc.).
In certain specific cases, Spendesk may need to ask for a copy of Your identity document, for example to verify Your right to use the Website, or any request You make to exercise Your rights under the Data Protection Regulations.
2. Why is this Personal Data being collected?
The main purpose of collecting Your Personal Data is to provide You with an optimal, efficient and personalised experience when You use our Website and its features.
The processing of Your Personal Data is based on Your consent and its purpose is to give You access to the Website and its various features, to respond to Your requests, but also to improve Your navigation, our services and offers, and to keep You informed about our offers and news.
You can naturally, at any time, contact us in this regard and exercise Your rights under the Data Protection Regulations (see “What are Your rights?” below).
3. How long is the Personal Data stored?
Spendesk has defined retention periods for Personal Data collected.
With regard to Your browsing data, you will find their retention period in the “Cookies Policy”.
In the case of requests for information, contact or a demonstration, Your Personal Data is kept for 36 months since our last contact.
With regard to Your responses to our job openings or if You make a spontaneous online application, we retain Your Personal Data for the entire duration of our recruitment procedure or the duration necessary for the review of Your application and, with Your approval, an additional period of 2 years. If Your application is successful, we will retain Your Personal Data for the entire duration of the employment contract and for an additional period of 5 years after the end of our employment relationship.
These retention periods apply subject to the exercise of Your rights under the Data Protection Regulations, as indicated above.
2) Processing of Personal Data related to the use of the Spendesk Solution
The Spendesk Solution is made available to Users (employees or staff) at the request of their employer. In this context, the processing of Personal Data is carried out by Spendesk in its capacity as data processor within the meaning of the Data Protection Regulations, and on behalf of the employer in its capacity as “data controller”.
1. What Personal Data is collected for the use of the Spendesk Solution?
As part of the use of the Spendesk Solution, Spendesk may collect and store information that can securely identify Users, keep the history of their visits to the Website and their use of the Spendesk Solution, and in particular their transactions (payments using the Spendesk tools, refund requests, transmission of supporting documents), in accordance with the expenses policy and authorisations defined by the employer.
In particular, the following may be processed:
professional contact details and User identification information: first and last name, gender, business email address, telephone number, photograph (with the approval of the person concerned), job or position;
data required to provide access to the Spendesk Solution: username and password, IP address;
payment information, refund requests and expenses recorded in connection with the use of the Spendesk Solution;
invoices, expense reports and receipts sent via the Spendesk Solution.
For certain processing operations, Spendesk may use subcontractors, in compliance with its commitments to the data controller and its obligations under the Data Protection Regulations.
Spendesk undertakes to ensure the utmost security and confidentiality of the information, including Personal Data, whose processing is entrusted to it by the data controller.
Users of the Spendesk Solution are responsible for using it in compliance with the expense policy and authorisations defined by their employer and for ensuring that their access to the Spendesk Solution is secure, in particular by not sharing their personal usernames and passwords, regularly renewing them and immediately informing their employer and/or Spendesk of any fraudulent loss, disclosure or intrusion.
2. Why is Personal Data collected?
Spendesk needs to collect this Personal Data to perform the contract with the employer who subscribed to the Spendesk Solution and, consequently, to provide Users with access to the Spendesk Solution in accordance with that contract, but also to comply with its legal obligations (in particular accounting and tax obligations), in compliance with the Data Protection Regulations.
To apply the principle of data minimisation, Spendesk limits its collection and processing to the Personal Data and purposes that are strictly necessary to perform its contractual and legal obligations.
the contact details of Users are processed to allow for the sending of information relating to the Spendesk Solution, its operation or use, security codes and instructions;
the User login data guarantee the connection of employees, identify them and provide them with access to the Spendesk Solution, and Spendesk invoice their employer for the Spendesk Solution;
the identification of the post or position of the Users allows user rights and authorisations to be applied as set out by the employer;
data relating to payment information is collected to ensure full payment or reimbursement of the User's business expenses, and their accounting treatment by the employer;
the invoices, expense reports and receipts sent by the Users are collected to retain evidence and accounting information necessary for payments and reimbursements, and for their accounting treatment.
3. How long will Your Personal Data be stored?
Spendesk retains Personal Data necessary for the use of the Spendesk Solution for as long as You use it and for an additional 24 months from the end of such use, to provide the necessary Personal Data to the data controller and to meet its contractual and legal obligations.
Payment and reimbursement data and supporting documents sent via the Spendesk Solution are archived for 11 years, in compliance with the Data Protection Regulations and any special regulation applicable to Spendesk.
II. What are Your rights?
1) How to exercise Your rights?
In accordance with the Data Protection Regulations, You have the right to access, rectify, limit, erase and delete Personal Data concerning You, as well as the right to object and a right to portability.
You can also submit your instructions regarding management of your Personal Data after Your death.
To exercise Your rights, or to find out more about these rights, You can contact our Data Protection Officer:
by post : Spendesk SAS - Délégué à la protection des données (DPD) - 51 rue de Londres, 75008 Paris, France ;
by email : firstname.lastname@example.org
We will respond to your request within a 30 day period, which may be extended, and may request a copy of Your ID for verification purposes only.
Regarding the requests related to the Personal Data processed within the Spendesk Solution, You may at any time modify your Personal Identification Data (title, first name, last name, email address, telephone number, password) by logging in to the "My Profile" section of Your account, in compliance with the identification and use policy of the Spendesk Solution implemented by Your employer.
You may request to exercise Your rights through Your employer (data controller), but also by writing directly to us at: email@example.com. We will inform Your employer of the nature of Your request and the actions to be taken.
If You consider that Spendesk does not respect its obligations in terms of protection of Personal Data or does not respond to Your requests in a satisfactory manner, You may contact the National Commission for Data Protection and Liberties (CNIL-France) via its website (www.cnil.fr) or by post (CNIL, Service des Plaintes, 3 place de Fontenoy - TSA 80715 -75334 Paris Cedex 07).
To learn more about Your rights regarding privacy rights, You may consult the CNIL website: www.cnil.fr.
2) Where is Your Personal Data stored?
The servers on which Spendesk processes and stores Personal Data are located in the territory of the European Union.
3) Are your Personal Data shared with third parties?
Spendesk does not share Your Personal Data to third parties.
To facilitate the functioning of certain tools associated with the Spendesk Solution, for example to allow card payments or reimbursements, or to provide the commercial or technical service of the Spendesk Solution, certain Personal Data may be transmitted to partners located outside the European Union. The list of these partners is available upon written request.
Spendesk requires each of its partners to comply with applicable Data Protection Regulations and to provide written contractual guarantees regarding the safety and confidentiality of the processing.
Spendesk does not otherwise disclose Your Personal Data to third parties, unless: (1) You (or the holder of Your Account acting on Your behalf) request or authorise disclosure; (2) disclosure is necessary to process transactions or provide the services you have requested; (3) Spendesk is required to transmit Your Personal Data to an administrative or judicial authority (requisition), or if (4) disclosure is necessary to comply with legal and/or regulatory obligations.