This Policy applies from May 25, 2018.
This Policy, which applies to all who in any way use Companyexpense services and/or otherwise are in contact with Companyexpense, describes, among other things, how and why Companyexpense processes your personal data and what rights you have under the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (2018:218) and the Swedish Data Inspection Board’s binding rules and decisions.
What does personal data mean?
Personal data are all the information that can directly, or indirectly, be attributed to a natural living person. Examples of this include personal identity numbers and email addresses. However, encrypted data can also be personal data if they can be linked to a natural person.
What does “processing” personal data mean?
“Processing” is a broad term and covers most things one can do with personal data. It includes everything from collecting and storing personal data to modifying, using, and deleting personal data.
Companyexpense AB, 556977-0075, Ludvika, Sweden, is the software provider of a Web-based application for handling receipts, travel, and other expenses, hereinafter referred to as the “Service”. Companyexpense is the data processor when your personal data are processed by the Service and, thus, is responsible for the organizational and technical security measures for processing such personal data. The personal data controller for the processing of your data by the Service is the “Customer”, that is, the organization registered with Companyexpense, which is your employer or another client. You, as a User and with your own login details to the Service are hereinafter referred to as the “User”. Moreover, the Customer’s representatives with responsibility for setting up Users and other system administrators, assigning rights and instructing Companyexpense regarding the processing of data, including personal data, by the Service will use the Service.
You, as a partner, supplier, or reseller of the programs, are hereinafter referred to as the “Business Partner”. Customers and Business Partners have people whose contact details are registered with Companyexpense in order for us to contact you, they are hereinafter referred to as “Contact Persons”
Companyexpense is the data controller for the processing of personal data that you share with us in any of the following cases:
|When||Category||Explanation/purpose||Example of personal data|
|Sales||Contact data||Collected in order to contact potential customers||Name, phone number, email address|
|Prior to training||Contact data||Collected in conjunction with training/webinars for the purpose of providing training||Name, phone number, email address|
|Chat support||Contact data||Collected to complete support cases and keep a history of support cases||Name, phone number, email address|
|Telephone support||Contact data||Collected to complete support cases and keep a history of support cases||Name, phone number, email address|
|Email support||Contact data||Collected to complete support cases and keep a history of support cases||Name, phone number, email address|
|Concluding agreements||Customer information||Data are saved as a basis for the written agreement||Name, email, personal identity number|
|Billing||Company information||Data for billing are stored||Name, email, personal identity number|
|Email contact||Contact data||Email history may be stored where there is a clear need for the data||Name, phone number, email address|
|User registration||Contact data||Stored in order to send newsletters/information to the User||Name, email|
Therefore, Companyexpense is the data controller on all of the following occasions:
- When you order the service;
- When you receive your login details and become a User of the Service;
- When you enter into an agreement with Companyexpense and become a Business Partner;
- When you are registered as a Contact Person with Companyexpense for your organization;
- When you have a question for and/or contact Companyexpense; and
- When you visit our website and accept cookies there.
This Policy describes the data that Companyexpense collects, the purpose for which they are collected, how you can gain control of your own data, and how you can contact Companyexpense. This Policy applies when you use the Service.
The personal data we collect
Primarily, Companyexpense collects personal data directly from you as a Customer. Examples of personal data we collect include your name and contact details, such as your mobile phone number, email address, or physical address.
Companyexpense records personal data in connection with:
- Registering with a service offered through the platform or platforms provided by Companyexpense.
- Entering your email address or mobile phone number on our website.
- Updating your data on your pages, which are located on companyexpense.co.uk.
- Contacting us by email, phone, on our websites and social media.
- [Signing up for our newsletters.]
- Visiting our websites and using our app, including but not limited to traffic data, location data, weblogs, and other communication data, as well as, for example, the IP address, type of device, operating system and browser type used for the visit.
The personal data processed also varies depending on your type of enterprise. For a Customer and/or a Business Partner who is a sole proprietor, business data may become personal data. When you order the Service, we collect contact data about you as a Contact Person and business data about you as a Customer. The contact data and login details of all Users are registered with Companyexpense so that Users can use the Service. When using our Companyexpense app, you may choose to upload images to the Service, and we will process these images. In the event an agreement has been concluded with Companyexpense, we process data about you as a Business Partner, which, as a sole proprietor become personal data, and your contact data as a contact person. When registering for training or other events, we need participants’ contact and company details. Companyexpense also processes the details of any training course or event you have attended. When you ask us a question or contact us regarding some other matter, the amount and type of personal data processed may vary depending on the communication channel used. Categories of personal data are usually contact and company details and the matter itself as unstructured content containing any personal data you choose to share with us.
Why and how we process your personal data
Companyexpense collects your personal data as a User or a Customer in order to deliver the Service to you, as well as to provide you as a Customer with the best experience possible when using the Service, the Companyexpense app and our website. We need to be able to identify you and manage your account. We also process data for statistical purposes and for direct marketing (which you can unsubscribe from). In order to manage orders, billing and be able to send login information to you and contact you, Companyexpense needs to collect personal data when the Service is ordered.
Companyexpense needs the personal data of all Users so that:
- You can access to the Service;
- You are able to use the Service;
- We can create a processing history for you as a Customer;
- We can identify you; and
- We know which Users and Customers are using the Service.
When using the Companyexpense app, you agree to Companyexpense accessing your phone camera and image gallery to allow you to upload and process your images in the Service, for example, when registering receipts, travel and other expenses.
As a Business Partner, your company data are needed to fulfill the agreement and as a Contact Person, your contact data are needed in order to contact you. Company and contact data, as well as information about courses or events where you are a participant, are also needed to provide training services, manage your registration and bill you.
We also process data to send evaluations and carry out follow-ups. When you contact us through any of Companyexpense’s communication channels, we use your data to handle your case, be able to contact you, for training purposes, and to help improve our service by saving your case for frequently asked questions from you or others asking the same question. When you visit the Companyexpense website, you consent to cookies for the processing of your data.
Companyexpense processes personal data mainly for the purposes listed below and for any additional purposes as specified at the time of collection:
- To fulfill orders for services through one of the platforms offered by Companyexpense;
- To make it possible to provide good customer service, such as managing your inquiries, correcting incorrect information or sending information that you have requested, for example, newsletters;
- To store and analyze information on services orders, and use such information as a basis for offers, discounts, and promotions of both a general and a targeted nature;
- To manage customer profiles, conduct analyses, and market research;
- For system administration and gathering statistical data about our Users’ behavior and patterns. However, this does not identify any individual person and occurs only on an aggregated basis;
- To develop, deliver, and improve our services through analysis of your behavior on our websites and app.
- To send you information and marketing via text message, email, our app, push, or other digital channels such as social media when you have an active customer relationship with us;
- To contact you via our app, text message, email, or mail about other offers, promotions, or services that we believe may be of interest to you. Please note that you can decline this marketing at any time;
- To help us develop our sites and app to be more useful and to improve your user experience of the Service; and
- To send important messages such as notifications about changes to our terms and policies.
Information that can be disclosed
Companyexpense cooperates solely with partners that process personal data within the EU/EEA or with companies that maintain the same level of protection as that within the EU/EEA.
Your information as a Customer may also be linked to third party registers to collect more information about you as a Customer. In order for us to provide the Service and fulfill our commitments to you in the best way, we may also need to share personal data with other companies within the Companyexpense group. We also share personal data about Users and Customers with companies within the Companyexpense group when you have a case with us, and the data are needed to help you.
The legal basis for processing
By providing Companyexpense with data, you give Companyexpense permission to record and store data regarding the service or services you have purchased, and to process the specified personal data for specified purposes. As a legal basis for processing data, Companyexpense will refer to the fulfillment of agreements, legal obligations, legitimate interest, or consent. Should Companyexpense use legitimate interest as a basis, it will only be done for the purposes stated above.
How long do we store your personal data?
Processing is done in accordance with current legislation and this means that we do not store personal data for any longer than is necessary for the purposes of processing.
Accordingly, Companyexpense stores personal data about you as a Customer as long as there is a customer relationship or it is necessary to achieve the purposes described in this policy. Upon termination of the agreement, Companyexpense will delete or anonymize your data within a reasonable period of time after termination, unless otherwise stated in Swedish or European law or precedent decisions made by court or authority.
Your data may be saved based on a balance of interest if there are security or financial reasons. How long your personal data as a User are stored with us varies depending on the purpose for which they were collected. Personal data processed for billing purposes are kept as long as they are required for accounting.
There may be a need to store data until training and event follow-ups have been completed. Information collected when you contact us is stored for as long as you are our Customer so that we can fulfill our commitments.
When a customer relationship ends, we may need to store data based on i) a balance of interests such as evidence in case of a potential dispute and other traceability purposes, or (ii) based on requirements under other GDPR-competing mandatory legislation. Storage is then limited to one system and controlled access.
Companyexpense always exercises the highest levels of security and confidentiality when processing personal data.
Your rights and options
You have rights regarding your personal data and you can influence your data and what is saved. Companyexpense will, on its own or at the Customer’s initiative, correct any data found to be inaccurate.
You have the following rights when your personal data are processed by us:
- Once a year, you have the right to receive information free of charge regarding which of your personal data are registered, by sending a written subject access request to Companyexpense.
- In some cases, you also have the right to data portability of your personal data.
- You have the right to have your personal data corrected if they are inaccurate, incomplete, or misleading and you have the right to restrict the processing of your personal data until they have been corrected.
- You have the right to have your personal data erased, also known as the right to be forgotten. However, personal data may not be erased if they are required for the performance of the contract, or if the erasure contradicts any other decision made in accordance with Swedish or European law, court or authority, or, after a balancing of interests, it has been established that the data cannot be deleted.
- Should you find that there are no legitimate reasons or that the balance of interest is incorrect, you have the right to object to the processing. You can most easily do this by contacting Companyexpense directly using the contact details below.
- You also have the right to withdraw your consent, submit complaints about the processing to The Swedish Authority for Privacy Protection (firstname.lastname@example.org), automatically oppose decision-making, profiling, and object to direct marketing.
You are always very welcome to contact our customer services for help with stopping messages from us.
Links to other sites
In the event our site contains links to third-party websites or materials published with third parties, these links are for information purposes only. As Companyexpense has no control over the content or material on these websites, we are not responsible for the content or material. Nor is Companyexpense responsible for damages or losses that could arise from using these links.
How to contact us
For further information on personal data processing or if you have questions, please feel free to contact us at email@example.com
For other questions, contact us at:
Companyexpense Svenska AB
Engelbrektsgatan 20, 771 30 Ludvika, Sweden
E-mail address: firstname.lastname@example.org
Customer service: +46 (0) 0771 584 886
As a data processor, Companyexpense is responsible for the technical and organizational security measures in and around the Companyexpense service. This means that we at Companyexpense must ensure that the security needed to, for example, store data, manage permissions, respond to subject access requests, and delete personal data is in place. We have internal procedures to manage personal data in cases where the required function is not available in the program. The measures that Companyexpense takes are described in more detail below.
Authentication and encryption
- Companyexpense uses 256-bit encryption (128-bit for some older phones with hardware limitations) and 2 048-bit keys. All data communication to and from the User’s computers and phones is encrypted using TLS, the successor to SSL and the most widely used Internet standard for encrypted communication.
- Companyexpense applies password protection by fully encrypting the login process, which means that no information is sent as unencrypted text. The User’s password is stored using one-way encryption (using a standardized one-way hash).
- To avoid unauthorized access to information when a computer is left unattended, the system automatically logs the User out after a certain amount of time. The Customer always assumes the risk associated with unauthorized use of the services when a User leaves a logged in computer or phone unattended.
- Users are continuously verified. Each call to Companyexpense’s servers involves checking the User’s organization and role permissions.
Storage and backups
Companyexpense runs on servers in computer halls that are monitored around the clock and where staff are always available. Data storage with full redundancy is in two geographically separated locations in Sweden and backups are taken every hour.
- The computer halls are equipped with fire prevention and climate control systems. Multiple automatic fire prevention and climate control systems ensure that the temperature is always low and that the humidity is optimal.
- The computer halls are equipped with a secondary power supply system and diesel generators to ensure the power supply to the servers.
Redundant high-capacity connections ensure Users’ access to the services.
- Only approved personnel have access to the computer halls.
- Companyexpense’s Services are based on a modern server platform with multi-level redundancy.
- Companyexpense’s server environment and network are protected by firewalls. In addition, Companyexpense proactively monitors and analyzes firewall and system logs using intrusion prevention and intrusion detection tools.
Companyexpense has comprehensive backup routines in place to ensure continuity of Services. Users’ encrypted passwords persist at backup. Complete backups are done every hour and transmitted to geographically different locations. Transmissions are encrypted.
Knowledge and information protection
- Only a few key persons with specific access rights within Companyexpense know how the security system is structured.
- All personnel are bound by a confidentiality agreement that prevents the dissemination of data, information, and the customer’s or user’s personal data. Only authorized personnel have access to the data and access is determined by Companyexpense’s Operations Department.
Companyexpense has an incident policy for managing any incidents. The policy clarifies the flow of information, the procedures available, all roles and responsibilities. An incident team manages the necessary coordination, communication, and responsibility to assess, respond to, and learn from incidents in order to reduce the risk of re-occurrence.