In brief: If you use our services, regardless of whether you are a free or paying user, we will collect Your Personal Data as required to provide our services to you and/or help us improve our services for you.
1.1 Use of our website
If you visit any domain or subdomain of expensemonkey.io and do not register for or log into your account, we collect and process Your Personal Data that is necessary to enable your informational use of these domains. We also use functional cookies and other technologies (see Section 8) to enable this functional use of our website and to maintain the stability and security of our website. For these purposes, we process your IP address and other usage metrics along with the date and time of your access. We process Your Personal Data to provide our website to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to maintain our website’s stability and security (Art. 6 (1) (1) f GDPR).
1.2 Use of our mobile app
If you download our mobile apps or and do not register for or log into your account, we process Your Personal Data to enable your informational use of the respective app and to ensure the stability and the security of the respective app. For our mobile app, we process your device ID, information related to your device (e.g. the operating system), information about the app you use (app version and language), the amount of transferred data and applicable timestamps. We process Your Personal Data in order to provide our mobile apps and/or desktop app to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to maintain our apps’ stability and security (Art. 6 (1) (1) f GDPR).
1.3 Use of our services via third-party services
You may be able to access our services. For this purpose, you do not have to create a User Account with us or provide your login credentials for the third-party service or application. Rather, we will let you access our services with an authorization token (aka “OAuth token”) from the third-party service provider confirming that you are a valid user of their service. We process this information to enable your use of our services (Art. 6 (1) (1) b GDPR).
1.4 User Account
If you create a Smallpdf account via our website or mobile app we process your email address and the password you choose at registration.
You can also create a user account for our services using your pre-existing Google, Apple, or Facebook accounts and use that third-party platform’s credentials to log in to your user account with us. If you choose this option, you allow us to request and use some of Your Personal Data from the third-party account.
For Google, this involves us processing your name, surname, email address, and public profile information (e.g. profile picture). For Facebook, we will process your email address and public profile information (username and profile picture). For Apple, this involves us processing your username and email address. The third-party platform may ask for your consent to share this data with us. As the personal data we may process under this option was originally collected by the third-party platform, the initial data processing and sharing of the data with us is governed by the privacy policy of such third-party platforms (thus, either Google, Apple, or Facebook). Please refer to the relevant third-party platform and/or its settings, if you want to deactivate the connection between the third-party platform and us.
We process Your Personal Data to set up your user account and, thus, form a contractual relationship (Art. 6 (1) (1) b GDPR).
For security reasons, we also process the time, browser, IP address of your last login, and the time of your last password reset. We have a legitimate interest to process this information to filter out suspicious login requests and to detect and prevent abuse of your user credentials (Art. 6 (1) (1) f GDPR).
1.5 ExpenseMonkey subscription
During registration of your user account or later on, you may provide Your Personal Data as part of your profile if you purchase any of our paid subscriptions. These types of personal data vary based on the type of account (single or team), the type of subscription, and the payment method you choose. These types of data may generally include your name, address, which subscription plan you are on, your payment method (e.g. PayPal or credit card, in the latter case including expiration date and certain digits of your credit card number), your VAT or other tax number, user settings, your company, role, and employee status.
We process Your Personal Data to suggest the right type of subscription for your needs to you and to complete your purchase. The data processing serves to conclude and fulfill the subscription contract between you and us (Art. 6 (1) (1) b GDPR).
a) Payment
We use payment data and information on your subscription and payment history (subscription plan, billing period, etc.) to process the regular payments for your subscription and, thus, fulfill our contract (Art. 6 (1) (1) b GDPR). We accomplish this through third-party payment processors, such as PayPal (in case you choose Paypal as a payment method or, in some cases, for credit card payments), Stripe (in some cases you choose credit card as your payment method).
If you choose credit card as your payment method, your full credit card number is always sent directly to the payment provider and never reaches our server. We only receive the first and last four digits of any credit card.
b) Invoices
We process your account, subscription, and payment information to fulfill our legal obligations (legal data storage obligations, e.g. under tax law) (Art. 6 (1) (1) c GDPR) and provide you with invoices under our contract (Art. 6 (1) (1) b GDPR). We use Stripe as a subscription management provider to help us in providing the aforementioned services. For further information on this provider, please visit section 4 below.
1.6 Email communication, including customer support, newsletters, and other marketing emails
When you communicate with us via email, including for customer support, you provide us with your email address and may provide us with your name, contact details, and other personal data, including the content of your email. We process this information to answer your request (Art. 6 (1) (1) b GDPR).
We may send you our newsletter or other marketing emails, generally only with your consent (Art. 6 (1) (1) a GDPR). However, where you have already purchased products and/or services from us, we may inform you about our similar products or services via email where we have informed you of such a possibility in advance and allowed you to refuse it. We do so under our legitimate interest to promote our business with existing customers (Art. 6 (1) (1) f GDPR). Please note that you can opt out of such email communication by clicking on the unsubscribe link at the end of each marketing email.
For information about third-party providers that we may use for the aforementioned purposes, please visit Section 4 below.
1.7 Service improvement and error detection
a) Website and mobile apps
For our website and mobile apps, we may process information on your default system language, your device, your usage of our services, and information on the pages of our website which you have visited. For error detection, we aggregate this information by shortening your IP address, such that it is not directly attributable to specific users. We only use this information in this aggregated form. We generally use the same type of information, as well as file metadata, for analytical purposes to improve our services by identifying features our users like and how our services function with different devices. We have a legitimate interest to use this information for service improvement (Art. 6 (1) (1) Of GDPR). For information on third-party providers that we use for these tasks, please visit Section 4 below.
1.8 Surveys & user feedback
We occasionally conduct voluntary surveys through our website, desktop app, mobile apps, or other methods to collect user feedback. For some of these surveys, we may process Your Personal Data, such as your name, email, and IP address in addition to your feedback/answers. In other cases, we only collect aggregated information that is not directly attributed to specific users (e.g. yes or no answers through a survey field only). We process and store all of the aforementioned information to carry out the surveys (Art. 6 (1) (1) b GDPR) and under our legitimate interest to collect user feedback (Art 6 (1) (1) f GDPR). In some cases, we may also collect your consent (Art. 6 (1) (1) a GDPR). For more information on third-party providers we use for this purpose please visit Section 4 below.
1.9 Our services
When you use ExpenseMonkey.io for managing and processing your invoices and other documents, we collect and process information contained in these documents. This may include personal data that you or your organization have included in the invoices or documents. If you invite other users to your organization on our platform, or if you are invited by someone else, you are responsible for ensuring that you have the necessary consent for sharing any personal data with us. Additionally, we process user-specific information such as email addresses, IP addresses, timestamps of activities, and details related to the expenses reported, including the type of expense, category, and project, or as defined within our product. This processing is necessary for the provision of ExpenseMonkey.io's services (Art. 6 (1) (1) b GDPR) and is based on our legitimate interest in offering an efficient, user-friendly service and in preventing misuse (Art. 6 (1) (1) f GDPR)."
