PRIVACY POLICY

Last Updated: January 2024 (Version 0.3)

Spendesk, a simplified joint stock company registered with the Paris Trade and Companies Register under number 821 893 286 and having its registered office at 51, rue de Londres - 75008 Paris (France), provides an intuitive solution that helps companies to manage, pay and monitor their business expenses more effectively, available on the web and as a mobile app (hereinafter the “Spendesk Solution”), and publishes the websites accessible at www.spendesk.com and www.cfoconnect.eu/en/ (hereinafter the “Website”).

A. Overview / Introduction

As part of its activities, Spendesk is required to process Personal Data belonging to various categories of persons. This Personal Data may be collected from the Website, the Spendesk Solution, through third-party partners that are themselves data controllers (event partners, recruitment platforms, etc.), and is processed for the purposes indicated below.

Personal Data means any information relating to an identified or identifiable natural person; an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a telephone number, an email address, location data or an online identifier.

By subscribing to and/or using the Website and/or the Spendesk Solution, You acknowledge and accept that Spendesk processes certain Personal Data concerning You, as well as certain information on expenses incurred with the tools and/or recorded via the Spendesk Solution. In addition, Spendesk puts in place security measures aimed at guaranteeing the confidentiality, integrity and availability of Your Personal Data and limiting access only to persons with a need to know.

This Privacy Policy aims to describe how Spendesk processes Your Personal Data for the purposes indicated below and to inform You of Your rights in this respect. It may be subject to updates, particularly in the event of changes to the Personal Data Regulation or in the event of processing updates. The applicable version is the one available on the Website on the day You use the latter and/or the Spendesk Solution.

Below you will find the main answers to the questions You may have about Spendesk’s personal data protection commitments.

B. Spendesk Data Protection Officer

To supervise Spendesk’s commitments and its compliance with the Personal Data Regulation, Spendesk has appointed a Data Protection Officer (DPO), who can be contacted by email (privacy@spendesk.com).

C. Spendesk statuses and responsibilities

As part of the processing of Your Personal Data, Spendesk may have the status of data controller or data processor. The specific terms of these statuses are set out below.

1. Spendesk, data controller

In accordance with the Personal Data Regulation, the data controller is the legal or natural person that determines the means and purposes of processing Personal Data.

As data controller, Spendesk processes Your Personal Data, in particular if you are:

  • Candidate(s), Spendesk employee(s);

  • Prospect(s), marketing contact(s), sales contact(s) at Spendesk’s Customer;

  • Beneficial owner(s), legal representative(s) of the Spendesk Customer;

  • User(s) of the Spendesk Solution;

  • Member(s) of the communities managed by Spendesk (including CFO Connect);

  • Internet user(s) browsing the Website.

Your Personal Data is collected either directly from You or indirectly under partnership agreements, services mandated by Spendesk, in connection with Personal Data that You choose to make public on third-party social media platforms or through the use of cookies, pixels, trackers and similar items. For more information on Cookies and other trackers, Spendesk invites You to view the Cookies Policy.

Your Personal Data is processed by Spendesk, in its capacity as data controller, for the following purposes:

  • Management and monitoring of the candidate’s recruitment process (including background checks);

  • Management of the employment relationship and payment of employee-related social security contributions;

  • Management of the marketing relationship and management of Spendesk communities (including CFO Connect);

  • Commercial prospection;

  • Required anti-money laundering and counter-financing of terrorism (AML-CFT) checks related to the Customer’s account opening and use;

  • Sales and contract management with the Spendesk Customer;

  • Research and development regarding the Spendesk Solution and the Website (including by conducting A/B tests);

  • Video and audio recording of calls to improve Spendesk services and to train and monitor the performance of Spendesk staff;

  • Notification of incidents after subscription to the notification emails via the page https://spendesk.statuspage.io/;

  • Supervision of User accounts on the Spendesk Solution to provide technical support to the Customer and to train Spendesk staff authorised to process the Customer’s information; and

  • Detection, prevention and mitigation of fraudulent or other illegal activities.

2. Spendesk, data processor

In accordance with the Personal Data Regulation, the data processor is the legal or natural person that processes the Personal Data on behalf of and on the instructions of the Data Controller.

As data processor, Spendesk processes Your Personal Data in particular if you are:

  • User(s) of the Spendesk Solution in its free and/or paid versions.

Your Personal Data is collected either directly from You or indirectly as part of the API integration of third-party platforms into the Spendesk Solution or in connection with Personal Data that You choose to make public on third-party social media platforms.

Your Personal Data is processed by Spendesk, in its capacity as data processor, for the following purposes:

  • Provision of a SaaS Platform for payments, invoices and flows management to authorise Users’ business expenses;

  • Provision of Payment Services to the Customer and Users, including:

    1. opening a payment account in the Customer’s name

    2. issuing debit cards for each User at the Customer’s request

    3. managing payment transactions (including by card and transfer)

    4. managing requests and complaints from the Customer or one or more Users

  • Management of business expenses: payment and/or reimbursement of the User’s business expenses, analysis and retention of invoices and receipts in accordance with accounting and tax regulations;

  • Provision of anonymised data on industry trends in business expenses according to pre-determined criteria based on the Customer’s field of activity.

D. Details of Personal Data processed by Spendesk

1. Spendesk - data controller

| Processing purpose(s) | Data subject categories | Nature of the data processed | Legal basis/bases | Retention period(s) |
| --- | --- | --- | --- | --- |
| Monitoring of the recruitment process | Candidates | Last name, first name, phone number, email address, CV, immigration data | Spendesk’s legitimate interest, Consent, Compliance with a legal obligation | If consent, up to two (2) years after the end of recruitment |
| Management of the employment relationship and payment of employee-related social security contributions | Employees | Last name, first name, phone number, email address, identity documents and social security affiliation documents, bank information, immigration data | Spendesk’s legitimate interest, Performance of the employment contract, Compliance with a legal obligation | During the term of the employment contract and during the retention periods imposed by the regulation applicable to labour law |
| Tracking of browsing on the Website (see details in the Cookies Policy) | Internet users | Cookie ID, IP address, browsing information | Spendesk’s legitimate interest, Consent | Details of the retention periods are provided in the Cookies Policy |
| Management of the marketing relationship: invitation to events, newsletters, recategorisation as a prospect | Marketing contact | Last name, first name, telephone number, email address | Spendesk’s legitimate interest, Consent | Up to three (3) years after the last contact |
| Relationship management in Spendesk communities | Member(s) of the community | Last name, first name, email address, telephone number, company, position, Slack ID | Spendesk’s legitimate interest, Consent | Up to three (3) years after the last contact |
| Commercial prospection | Prospects | Last name, first name, email address, phone number, company, position | Spendesk’s legitimate interest, Consent | Duration of prospection and up to thirty-six (36) months, unless prior opposition |
| AML-CFT checks related to the Customer’s account opening and use | Main User (or agent of the Spendesk Account), beneficial owner(s), legal representative(s) of the Customer, Users | For all: last name, first name, postal address, date of birth, place and country of birth, financial transaction data // For the Main User and the Users only: professional email address // For the Main User, the beneficial owner(s) and the legal representative(s) only: nationality, identity document and any other supporting document necessary for validating the Customer to enter into a business relationship // For the beneficial owner(s) only: nature of the relationship with the Customer | Compliance with a legal obligation, Spendesk’s legitimate interest | For the duration of the contractual relationship with the Customer and up to five (5) years after the end of the business relationship |
| Sales and contract management with the Spendesk Customer | Customer’s sales contact | Last name, first name, phone number, email address, company, position | Spendesk’s legitimate interest | For the duration of the contractual relationship and up to five (5) years after the end of the business relationship |
| Research and development | Internet users, Users | Browsing data, cookie ID or other tracker(s), device ID(s) (IP address, IDFA, ADID, etc.), session | Spendesk’s legitimate interest, Consent | Depending on the project |
| Video and audio recording of calls for the purposes of improving Services, training and monitoring Spendesk staff performance | Employee, Prospect, Customer, User | Last name, first name, phone number, email address, voice, image | Spendesk’s legitimate interest, Consent | Up to six (6) months after the date of the recording |
| Notification of incidents via the page https://spendesk.statuspage.io/ | Person who subscribed to the notification | Phone number, email address, Slack identifier | Consent | Until opting out of notifications |
| Supervision of User accounts | Users | Last name, first name, company, position, financial transactions | Spendesk’s legitimate interest, Consent | During account’s supervision |
| Systems’ security | Candidates, Employees, Users | Login data (User ID, device ID, logs), IP address | Spendesk’s legitimate interest | Up to three hundred and sixty-five (365) days after collection of the login logs |

2. Spendesk - data processor

| Processing purpose(s) | Categories of data subjects | Nature of the data processed | Legal basis/bases | Retention period(s) |
| --- | --- | --- | --- | --- |
| Opening of the Customer’s Account | Main User (or agent of the Spendesk Account) | Last name, first name, postal address, date of birth, nationality, email address | Spendesk’s legitimate interest | For the duration of the contractual relationship and up to two (2) years after the end of the Main User’s use of the Spendesk Solution |
| Management of the use of the Spendesk Solution by the User | User(s) | Last name, first name, email address, phone number, postal address (only if sending a physical payment card), gender, picture (optional), position, IBAN (optional), login data (username, password, IP address) | Consent, Compliance with a legal obligation | Up to two (2) years after the end of the User’s use of the Spendesk Solution |
| Management of business expenses | User(s) | Last name, first name, user ID, email address, financial transaction(s), invoice(s) and receipt(s) | Compliance with a legal obligation | Up to two (2) years after the end of the User’s use of the Spendesk Solution // Up to five (5) years after the end of the business relationship // Ten (10) years from the end of the calendar year in which invoices/receipts were received |

E. Use of sub-processors

As part of certain processing of Your Personal Data, Spendesk may use sub-processors.

Spendesk chooses its subcontractors with the utmost care and uses only subcontractors that provide sufficient security guarantees.

For more information on the subcontractors involved in the provision of the Spendesk Solution, please visit https://www.spendesk.com/en/legals/subprocessors.

F. Security measures

Spendesk places the utmost importance on the security of the Personal Data entrusted to it. In accordance with the Personal Data Regulation, Spendesk undertakes to take all necessary precautions to preserve the security of the Personal Data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access, as well as against any other form of unlawful processing or disclosure to unauthorised persons.

As such, Spendesk:

  • implements security practices and measures in accordance with our industry standards to ensure the integrity, availability and confidentiality of Your Personal Data;

  • implements a policy for managing rights to access Your Personal Data based on the principle of least privilege, need to know and function (Role-Based Access Control);

  • implements appropriate electronic, physical and management procedures to safeguard and preserve the processed data;

  • ensures that sufficient confidentiality measures are in place applying to the persons who have access to Your Personal Data;

  • ensures that it uses only partners and/or subcontractors that meet the security requirements requested by Spendesk;

  • performs regular security controls and audits on its systems to be able to attest to their robustness.

Spendesk does not otherwise disclose Your Personal Data to third parties, unless: (1) You (or the holder of Your account acting on Your behalf) requests or authorises its disclosure; (2) disclosure is necessary to process transactions or provide the services You have requested; or (3) Spendesk is obliged to transmit Your Personal Data to an administrative or judicial authority.

G. Hosting and transfer of Personal Data

The Personal Data processed by Spendesk is hosted on secure servers within the European Union.

In the event that Personal Data is transferred outside the European Union, Spendesk undertakes to implement the measures required by the Personal Data Regulation (security measures, adequate transfer mechanism, etc.).

H. Your rights over Your Personal Data

In accordance with the Personal Data Regulation, You have at any time a right of access, rectification, restriction, erasure and deletion of Personal Data concerning You, as well as a right to object and a right to portability.

You may also send us in advance your instructions regarding how Your Personal Data is handled after Your death.

To exercise Your rights, or to learn more about them, You can contact our Data Protection Officer:

  • by post: Spendesk SAS - Data Protection Officer (DPO) - 51 rue de Londres, 75008 Paris, France;

  • by email: privacy@spendesk.com

We will respond to Your request within thirty (30) days, possibly renewable, and may request a copy of Your identity document for verification only.

However, we may not respond to some of Your requests to exercise rights, in particular where the processing of Your Personal Data is necessary for the performance of the current contract or the processing is carried out pursuant to a legal obligation applicable to Spendesk.

Regarding requests relating to the Personal Data processed as part of the Spendesk Solution, You may at any time edit Your personal identification data (title, first name, last name, email, telephone number, password) by logging into the “My profile” section of Your account, in accordance with the Spendesk Solution identification and use policy possibly implemented by Your employer.

You can request the exercise of Your rights by contacting Your employer (data controller), as well as by writing to us directly at privacy@spendesk.com. We will inform Your employer of the nature of Your request and the action to take.

If You consider that Spendesk is not complying with its obligations regarding the protection of Personal Data or is failing to respond to Your requests satisfactorily, You may refer the matter to the French supervisory authority - National Commission for Information Technology and Civil Liberties (CNIL) - via its website (www.cnil.fr/en) or by post (CNIL, Service des Plaintes, 3 place de Fontenoy - TSA 80715 - 75334 Paris Cedex 07).

Lastly, in accordance with the provisions of article L.561-45 of the French Monetary and Financial Code, You must send Your right of access request relating to the processing carried out as part of our obligations relating to AML-CFT indirectly to the French supervisory authority, the National Commission for Information Technology and Civil Liberties (CNIL).

To learn more about Your Personal Data protection rights, visit the CNIL website at www.cnil.fr/en.