Privacy Policy | ExpenseMonkey

ExpenseMonkey respects your right to privacy when you use our services, visit our website, download our mobile app, or communicate with us. We take all necessary measures to ensure that any personal data you give us is treated in compliance with data protection laws and with this Privacy Notice.

We are ExpenseMonkey LLC, a company incorporated under the laws of Switzerland, with its registered offices at Zweierstrasse 35, Zurich, Switzerland, reachable at [email protected]. 'Personal data' is any information that relates to an unidentified or identifiable natural person, such as your name or email address.

In exchange for our services, when you visit our website or communicate with us, we may process personal data related to you ('Your Personal Data'). In these cases, ExpenseMonkey is the controller of Your Personal Data.

When you upload or otherwise provide receipts, files, and information that may contain personal data related to you or others and process such files and information using our services ('User Files'), you remain fully responsible for such personal data contained in the User Files.

Our website, mobile apps, and communications may contain links to other websites. If you follow a link to any of those websites, please note that the personal information you submit will be processed according to their own privacy notices. ExpenseMonkey does not accept any responsibility or liability for those websites.

This Privacy Notice has been drafted to be in line with applicable privacy laws. Based on your location, this might, for example, be the Swiss Federal Data Protection Act (nFADP), the California Consumer Privacy Act (CCPA), or the EU General Data Protection Regulation (GDPR).

We Value Your Trust and Protect Your Privacy

1 What personal data does ExpenseMonkey collect through its website and for what purposes?

In brief: If you use our services, regardless of whether you are a free or paying user, we will collect your personal data as required to provide our services to you and/or help us improve our services for you.

1.1 Use of our website

If you visit any domain or subdomain of ExpenseMonkey and do not register for or log into your account, we collect and process Your Personal Data that is necessary to enable your informational use of these domains. We also use functional cookies and other technologies (see Section 8) to enable this functional use of our website and to maintain the stability and security of our website. For these purposes, we process your IP address and other usage metrics along with the date and time of your access. We process Your Personal Data to provide our website to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to maintain our website’s stability and security (Art. 6 (1) (1) f GDPR).

1.2 Use of our mobile app

If you download our mobile apps or and do not register for or log into your account, we process Your Personal Data to enable your informational use of the respective app and to ensure the stability and the security of the respective app. For our mobile app, we process your device ID, information related to your device (e.g. the operating system), information about the app you use (app version and language), the amount of transferred data and applicable timestamps. We process Your Personal Data in order to provide our mobile apps and/or desktop app to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to maintain our apps’ stability and security (Art. 6 (1) (1) f GDPR).

1.3 Use of our services via third-party services

You may be able to access our services. For this purpose, you do not have to create a User Account with us or provide your login credentials for the third-party service or application. Rather, we will let you access our services with an authorization token (aka “OAuth token”) from the third-party service provider confirming that you are a valid user of their service. We process this information to enable your use of our services (Art. 6 (1) (1) b GDPR).

1.4 User Account

If you create a ExpenseMonkey account via our website or mobile app we process your email address and the password you choose at registration.

You can also create a user account for our services using your pre-existing Google, Apple, or Facebook accounts and use that third-party platform’s credentials to log in to your user account with us. If you choose this option, you allow us to request and use some of Your Personal Data from the third-party account.

For Google, this involves us processing your name, surname, email address, and public profile information (e.g. profile picture). For Facebook, we will process your email address and public profile information (username and profile picture). For Apple, this involves us processing your username and email address. The third-party platform may ask for your consent to share this data with us. As the personal data we may process under this option was originally collected by the third-party platform, the initial data processing and sharing of the data with us is governed by the privacy policy of such third-party platforms (thus, either Google, Apple, or Facebook). Please refer to the relevant third-party platform and/or its settings, if you want to deactivate the connection between the third-party platform and us.

We process Your Personal Data to set up your user account and, thus, form a contractual relationship (Art. 6 (1) (1) b GDPR).

For security reasons, we also process the time, browser, IP address of your last login, and the time of your last password reset. We have a legitimate interest to process this information to filter out suspicious login requests and to detect and prevent abuse of your user credentials (Art. 6 (1) (1) f GDPR).

1.5 ExpenseMonkey subscription

During registration of your user account or later on, you may provide Your Personal Data as part of your profile if you purchase any of our paid subscriptions. These types of personal data vary based on the type of account (single or team), the type of subscription, and the payment method you choose. These types of data may generally include your name, address, which subscription plan you are on, your payment method (e.g. PayPal or credit card, in the latter case including expiration date and certain digits of your credit card number), your VAT or other tax number, user settings, your company, role, and employee status.

We process Your Personal Data to suggest the right type of subscription for your needs to you and to complete your purchase. The data processing serves to conclude and fulfill the subscription contract between you and us (Art. 6 (1) (1) b GDPR).

a) Payment

We use payment data and information on your subscription and payment history (subscription plan, billing period, etc.) to process the regular payments for your subscription and, thus, fulfill our contract (Art. 6 (1) (1) b GDPR). We accomplish this through third-party payment processors, such as PayPal (in case you choose Paypal as a payment method or, in some cases, for credit card payments), Stripe (in some cases you choose credit card as your payment method).

If you choose credit card as your payment method, your full credit card number is always sent directly to the payment provider and never reaches our server. We only receive the first and last four digits of any credit card.

b) Invoices

We process your account, subscription, and payment information to fulfill our legal obligations (legal data storage obligations, e.g. under tax law) (Art. 6 (1) (1) c GDPR) and provide you with invoices under our contract (Art. 6 (1) (1) b GDPR). We use Stripe as a subscription management provider to help us in providing the aforementioned services. For further information on this provider, please visit section 4 below.

1.6 Email communication, including customer support, newsletters, and other marketing emails

When you communicate with us via email, including for customer support, you provide us with your email address and may provide us with your name, contact details, and other personal data, including the content of your email. We process this information to answer your request (Art. 6 (1) (1) b GDPR).

We may send you our newsletter or other marketing emails, generally only with your consent (Art. 6 (1) (1) a GDPR). However, where you have already purchased products and/or services from us, we may inform you about our similar products or services via email where we have informed you of such a possibility in advance and allowed you to refuse it. We do so under our legitimate interest to promote our business with existing customers (Art. 6 (1) (1) f GDPR). Please note that you can opt out of such email communication by clicking on the unsubscribe link at the end of each marketing email.

For information about third-party providers that we may use for the aforementioned purposes, please visit Section 4 below.

1.7 Service improvement and error detection

a) Website and mobile apps

For our website and mobile apps, we may process information on your default system language, your device, your usage of our services, and information on the pages of our website which you have visited. For error detection, we aggregate this information by shortening your IP address, such that it is not directly attributable to specific users. We only use this information in this aggregated form. We generally use the same type of information, as well as file metadata, for analytical purposes to improve our services by identifying features our users like and how our services function with different devices. We have a legitimate interest to use this information for service improvement (Art. 6 (1) (1) Of GDPR). For information on third-party providers that we use for these tasks, please visit Section 4 below.

1.8 Surveys & user feedback

We occasionally conduct voluntary surveys through our website, desktop app, mobile apps, or other methods to collect user feedback. For some of these surveys, we may process Your Personal Data, such as your name, email, and IP address in addition to your feedback/answers. In other cases, we only collect aggregated information that is not directly attributed to specific users (e.g. yes or no answers through a survey field only). We process and store all of the aforementioned information to carry out the surveys (Art. 6 (1) (1) b GDPR) and under our legitimate interest to collect user feedback (Art 6 (1) (1) f GDPR). In some cases, we may also collect your consent (Art. 6 (1) (1) a GDPR). For more information on third-party providers we use for this purpose please visit Section 4 below.

‍

1.9 Core expense processing services

When you use ExpenseMonkey to manage and process your invoices, receipts, and other expense documents, we collect and process information contained in those documents. This may includepersonal data such as merchant names, amounts, tax values, expense categories,and user-specific identifiers such as email addresses, IP addresses, andactivity timestamps.

To provide core servicefunctionality including automated data extraction and expense categorisation,certain structured expense data fields (specifically: merchant name, merchantaddress, expense total, and tax value) may be transmitted to external artificialintelligence (AI) and large language model (LLM) service providers. Theseproviders process the data on our behalf under data processing agreements.Please see Section 4 for details of these providers. No unstructured documentcontent, names of individual employees, or other personal identifiers beyondthose listed are transmitted to AI providers for this purpose.

Legal basis: Art. 6(1)(b) GDPR(processing necessary for the performance of the contract between you andExpenseMonkey).

1.10 AI assistant integrations (Claude, ChatGPT) — Opt-in only

ExpenseMonkey offers optional integrations with third-party AI assistants, currently including Anthropic Claude and OpenAI ChatGPT, via the Model Context Protocol (MCP). These integrations are entirely optional and must be actively set up and enabled by you.

By enabling an AI assistant integration, you authorize ExpenseMonkey to make your expense data (including expense records, amounts, categories, merchant names, and related metadata stored in your ExpenseMonkey account) accessible to the AI assistant of your choice. This allows you to query, analyze, and manage your expenses using natural language directly within Claude or ChatGPT.

Important: Once data is transmitted to a third-party AI assistant, that data is governed by the privacy policy of the relevant provider- Anthropic's Privacy Policy (for Claude) or OpenAI's Privacy Policy (for ChatGPT). ExpenseMonkey is not responsible for how those providers process, store, or use data once it is transmitted. We strongly recommend reviewing those policies before enabling the integration.

You may disconnect any AI assistant integration at any time via your account settings. Disconnecting theintegration prevents future data transmissions. Data already processed by theAI provider prior to disconnection remains subject to that provider's datapolicies.

Legal basis: Art. 6(1)(a) GDPR (your explicit consent, given at the time you activate the integration).

‍

2 How does ExpenseMonkey protect Your Personal Data?

ExpenseMonkey uses appropriate technical and organizational measures to protect Your Personal Data. Only authorized staff or third-party company staff (i.e. service providers) have access to Your Personal Data. All such staff are required to adhere to our Privacy Notice. Additionally, all third-party employees who have access to Your Personal Data must sign non-disclosure agreements. In addition, ExpenseMonkey has contracts in place with third-party companies that have access to Your Personal Data in order to protect it. To protect Your Personal Data, Exopensemonkey maintains a secure IT environment and has measures in place to prevent unauthorized access to it. All communication and file transfers to and from our server are encrypted with TLS. Passwords are only stored in encrypted (hashed) form, never in plain text.

3 How does ExpenseMonkey use Your Personal Data?

We process Your Personal Data for the purposes listed above.

In specific cases, Your Personal Data may also be processed for the following purposes:

● In case we partially or fully sell the company or buy another company in whole or in part. We have a legitimate interest to further the development of our company through mergers and acquisitions (Art. 6 (1) (1) f GDPR).

● To comply with our legal obligations, including participation in investigations and proceedings conducted by the government or public authorities (Art. 6 (1) (1) c GDPR).

● In case we have a legal obligation to this effect (Art. 6 (1) (1) c GDPR), we may process Your Personal Data to protect our rights and safety, as well as those of our customers and third parties. Although we may not have a legal obligation to do so, we may still process data for this purpose based on our legitimate interest or those of other affected persons in order to assert legal claims (Art. 6 (1) (1) f GDPR)

4 To whom does ExpenseMonkey disclose Your Personal Data, and why?

ExpenseMonkey may share Your Personal Data with the following categories of recipients as necessary:

● External services providers (e.g. hosting providers, software and software as a service providers, app development providers, email service, email verification and email analytics providers, providers for error logging and service development, customer support providers, survey and user feedback providers, payment providers, billing service providers, and marketing providers). We have a legitimate interest to use external providers to ensure that we can provide our services in a professional and user-friendly manner and with a high level of service quality (Art. 6 (1) (1) f GDPR). Data transfers to service providers are covered by data processing agreements between us and the respective provider (in connection with Art. 28 GDPR).

● In the event that we buy or sell our company in whole or in part, data may be transferred to our potential contractual partners. We have a legitimate interest to further the development of our company in this manner (Art. 6 (1) (1) f GDPR).

● To law enforcement agencies, public authorities, and courts in order to comply with legal obligations to participate in investigations and proceedings conducted by governments or public authorities (Art. 6 (1) (1) c GDPR).

● To other companies, individuals, or government agencies where it is required to disclose personal data by law (Art. 6 (1) (1) c GDPR) or based on legitimate interests to protect our rights or safety as well as those of our customers and third parties (Art. 6 (1) (1) f GDPR).

● AI and LLM service providers: We use external AI and large language model providers to power automated expense data extraction and categorisation. These providers receive structured expense data fields as described in Section 1.9 and process this data as data processors on our behalf under data processing agreements. This currently includes [INSERT PROVIDER NAME]. These providers may be located outside the EU/EEA; see Section 7.

● Third-party AI assistants (opt-in only): If you enable an AI assistant integration (Section 1.10), your expense data will be transmitted to the selected provider, currently Anthropic (Claude) or OpenAI (ChatGPT). These providers act as independent data controllers for data processed through their platforms. Data is transmitted only where you have given explicit consent.

‍

Some of the aforementioned providers may process Your Personal Data outside the EU/EEA. For more information on protective measures used to secure data transfers in countries outside the EU/EEA, please see Section 7 below.

5 What are my data protection rights and how can I exercise them?

You have certain rights over Your Personal Data under data protection laws, including, for example, the Swiss Federal Data Protection Act, the California Consumer Privacy Act, or the EU GDPR.

Depending on the specific circumstances of the case and your place of residence, you may have some or all of the following rights:

● to withdraw your consent to the processing of Your Personal Data at any time. As a result, we may no longer process Your Personal Data based on the consent. But the withdrawal of your consent has no effect on the lawfulness of processing before the withdrawal;

● to access the personal data processed by us and/or request copies of this data. In particular, you can obtain information about the purposes of processing, categories of personal data, categories of recipients to whom your data has been or will be disclosed, planned retention period, and origin of your data if it was not collected directly from you;

● to request the rectification/correction, erasure, or restriction of processing of Your Personal Data;

● to request Your Personal Data, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit this data to another controller. You may also ask us to directly transmit this data to another controller, where technically feasible;

● to object to the processing of Your Personal Data on grounds relating to your particular situation, if we process Your Personal Data based on our legitimate interests. You may also object to the processing of Your Personal Data for direct marketing purposes at any time;

● to opt-out of the sharing of Your Personal Data to third parties. We currently share data to Google and Facebook via cookies. You may opt out of these cookies by following the instructions in 4.3.1(a) (for Google) and 4.3.3(c) (for Facebook).

● to obtain information of the possibility of denying consent to the data processing and the consequences of the denial;

● to oppose the processing grounded on a legal basis other than consent;

● to request review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affects their interests, including decisions intended to define their personal, professional, consumer or credit profile, or aspects of their personality.

In general, exercising these rights requires you to be able to prove the account ownership. In order to assert these rights, please contact us at [email protected]. After you’ve contacted us, we may ask you for some information to prove your identity; what we ask for will depend upon whether or not you have an account with us. Once we have authenticated your identity, we will fulfil your request within one month unless we inform you otherwise.

You can have an agent (your attorney or another person empowered to represent your interests) make one of these requests on your behalf. We will ask the agent to provide proof of your authorization and proof of both their and your identity.

6 How and for how long do we store Your Personal Data?

We will only retain Your Personal Data and User Files you upload for as long as necessary to fulfill the purpose for which it was collected or to comply with legal requirements. To help us, we apply criteria to determine the appropriate periods for retaining Your Personal Data depending on its purpose, such as account maintenance, facilitating client relationship management, and responding to legal claims or requests from authorities.

If you access our services via a User Account, we store your data until you decide to cancel the service. We store the data so that you can generate report of your expensense any time. Your data will be deleted by the moment you decide to delete your account.

7 Which data transfers outside the EU/EEA take place?

We are located in Switzerland, which has been recognized as a safe third country in an adequacy decision of the European Commission. When you use our services, Your Personal Data may be transferred to recipients located in other countries, including outside the EU/EEA.

Where such a recipient country does not provide for an adequate level of data protection according to the European Commission, we will only transfer Your Personal Data to the recipient country on the basis of appropriate safeguards, such as binding corporate rules, standard contractual clauses (European Commission decision 2010/87/EU), or when another exception under Art. 49 GDPR applies. Please contact us (see “Contact Us” section) to request information on the specific safeguards that are in use for the recipients of Your Personal Data.

In particular, the AI and LLM service providers referenced in Sections 1.9 and 4 may be located in the United States. Data transfers to these providers are made on the basis of Standard Contractual Clauses. If you enable an AI assistant integration (Section 1.10), data transmitted to Anthropic or OpenAI is also transferred to the United States and is subject to those providers' own transfer mechanisms and privacy policies.

8 COOKIES – How and why do we use them?

When you visit or log into our website, we use cookies and similar technologies to collect certain information about your visit. This includes (i) Usage Data (Information about how you use our site, such as pages visited, time spent on pages, and links clicked.) (ii) Device Information (Details about the device you use to access our site, including IP address, browser type, and operating system.) and (iii) Personal Data (If you provide it, we may collect information such as your email address, phone number, or other contact details). We may also combine this information collected automatically with other data we receive from third-party sources, such as data providers and marketing partners, to create a more complete profile of you. We then use this profile to communicate with you, including providing personalized advertising and promotional content based on your interests and browsing behavior. You may opt out of this at any time.

‍

9 Does ExpenseMonkey knowingly handle the data of minors?

ExpenseMonkey does not knowingly collect or retain the data of minors under the age of sixteen. Such persons are not permitted to use this website except where enabled by a school that has contracted with us, in which case the school is the data controller and is responsible for the respective data processing affecting minors. If you discover that a minor has been using our website, please let us know via the contact information in Section 11 and we will delete their information.

10 Can ExpenseMonkey change the terms of this Privacy Notice?

ExpenseMonkey may occasionally make changes and corrections to this Privacy Notice. Please check this Privacy Notice regularly to see the changes and how they may affect you.

11 Contact us

Please use the contact form in section Contact Us.