Privacy Policy
Last Updated: February 11, 2026
1. Introduction and Scope
Welcome to Eloope Expense. This Privacy Policy explains how Eloope LLC ("Eloope," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our expense management platform and related services (collectively, the "Service").
This Privacy Policy applies to:
- Our marketing and information website at https://expense.eloope.com (the "Website")
- Our web application at https://app.expense.eloope.com (the "App")
- Our APIs, support ticketing system, and developer tools
- All integrations with third-party services
By using the Service, you agree to be bound by this Privacy Policy. If you are using the Service on behalf of an organization, you agree to this policy on behalf of that organization.
2. Information We Collect
2.1 Account and Profile Information
When you create an account, we collect your name, email address, and password (which is securely hashed). You may also provide additional profile information including your phone number, profile photograph, job title, department, bio, position, and address (street address, city, state, and country). If you create or join an organization, we collect the organization name, short name, and default currency preference.
2.2 Expense and Financial Data
As you use our expense management features, we collect:
- Expense details including titles, amounts, dates, merchant names, categories, descriptions, currency, and billable status
- Expense reports including report titles, grouped expenses, submission dates, and approval workflow data
- Receipt images and supporting documentation (JPEG, PNG, WebP, or PDF formats)
- Trip details including itineraries, travel documents, and associated expenses
- Cash advance requests with amounts and justifications
- Mileage data including distances and routes; with your explicit consent, precise GPS location data for mileage tracking
- Company card information and card-to-employee assignments
- Cost center names and assignments
2.3 Website Form Submissions
When you interact with forms on our Website, we collect the information you provide:
- Waitlist: email address
- Early Access: name, email, company name, team size, role, and referral source
- Support requests: name, email, inquiry type, and message
- Feature requests: name, email, feature title, and description
- Feedback: name, email, feedback type, and message
- Support tickets: name, email, subject, category, priority, message, and any file attachments
2.4 Communications Data
We collect information from your communications with us, including support ticket messages and correspondence. Our Website includes a chat widget that stores conversation history locally in your browser; this data is not transmitted to our servers unless you submit a formal support request.
2.5 Information Collected Automatically
When you use the Service, we automatically collect technical information such as your IP address, device type, and browser type. We use IP addresses for rate limiting and security purposes. Your approximate location may be determined based on your IP address. We also maintain audit logs that record user actions within the App for security and compliance purposes.
2.6 Information from Third Parties
If you choose to sign in using an authentication provider such as Google, we receive basic profile information (name and email) from that service. When you connect business integrations such as QuickBooks Online, Google Drive, or Slack, we receive data from those services as described in Section 5.
2.7 Payment and Billing Information
When you subscribe to a paid plan, payment processing is handled by Stripe. We do not directly store your full payment card numbers. Stripe collects your payment method details (card brand, last four digits, expiry date), billing address, and email. We store your subscription status, plan type, and billing history references. You may manage your payment details through Stripe's hosted billing portal.
3. How We Use Your Information
3.1 Providing the Service
We use your information to process and manage expenses and expense reports, facilitate approval workflows between employees and managers, perform OCR scanning and data extraction from receipts, generate reports and analytics for your organization, track mileage and manage trip-related expenses, manage company card assignments and cost center allocations, and provide customer support.
3.2 Automated Processing
Your organization's administrators may configure automation rules that automatically process expenses based on defined criteria. This may include auto-approvals, automated email notifications, automatic syncing with connected accounting software, and automatic backup of receipts to cloud storage. These automations operate on your expense data as configured by your organization.
3.3 Communication
We use your information to send transactional emails related to expense submissions, approvals, rejections, and notifications. We also send service-related communications such as ticket confirmations, waitlist confirmations, welcome emails, invitation emails, and password reset emails. With your consent, we may send push notifications about expense activity and approvals. We may also send service announcements and updates.
3.4 Security, Compliance, and Audit
We use your information to protect against fraud and unauthorized access, enforce our Terms of Service, comply with legal obligations, maintain audit logs of user actions, detect expense policy violations, and manage escalation workflows. We also use IP addresses for rate limiting to protect the Service from abuse.
4. AI and Automated Processing
4.1 AI Chat Assistant
The App includes an AI-powered chat assistant that helps you with expense management tasks. When you use this feature, your messages and contextual information (including your user ID, name, email, role, organization ID, and current page) are sent to a third-party AI service provider for processing. We may use providers such as Google Gemini, Anthropic Claude, or OpenAI to power this feature. AI interactions are rate-limited to 20 requests per minute and 200 requests per day per user.
4.2 Receipt OCR Processing
When you upload receipts, we use automated optical character recognition (OCR) to extract data such as merchant names, transaction amounts, and dates. This processing may involve sending receipt images to third-party AI or OCR service providers.
4.3 Your Choices
Use of the AI chat assistant is optional. You may choose not to use these features, though receipt OCR is a core part of the expense submission workflow. We do not use your data to train AI models.
5. Third-Party Integrations
5.1 QuickBooks Online
When you connect QuickBooks Online, we request access to your accounting data, profile, and email. We access your chart of accounts, vendor lists, and company information to sync expenses and create bills in QuickBooks. Integration credentials (access and refresh tokens) are stored encrypted.
5.2 Google Drive
When you connect Google Drive, we request access to create and manage files within a dedicated folder and to read file metadata. We create an "Eloope Expense Receipts" folder structure organized by month and upload receipt files for backup. We also access your email address for identification purposes.
5.3 Slack
When you connect Slack, we request access to read channel information, send messages to channels and direct messages, and read user and team information. We use this integration to send expense approval notifications, report submissions, and other workflow notifications to designated Slack channels or individuals.
5.4 Data Handling for All Integrations
We request only the minimum necessary permissions for each integration. All integration credentials are encrypted at rest. We do not sell data obtained through integrations. You can disconnect any integration at any time through your account settings, which revokes our access.
5.5 Third-Party Policies
Each third-party integration is governed by its own privacy policy. We encourage you to review the privacy policies of any services you connect. We are not responsible for the privacy practices of third-party services.
7. Data Retention
We retain your account data for the duration of your account plus seven years to comply with legal and tax requirements. Expense records are retained for seven years from creation to meet tax compliance obligations. Customer support tickets and logs are retained for three years. Audit logs are retained for the duration of your organization's account. Technical logs are retained for one year.
Upon account deletion, your personal data is deleted within 30 days and backup copies are purged within 90 days. Data required for legal compliance is retained as mandated by applicable law.
8. Data Security
We implement industry-standard security measures to protect your data:
- All data in transit is protected with TLS encryption
- Data at rest is encrypted using AES-256 encryption
- Passwords are securely stored using bcrypt hashing
- Third-party integration credentials (OAuth tokens) are encrypted at rest
- Multi-factor authentication (MFA) via time-based one-time passwords (TOTP) is available for added account security, with encrypted recovery codes
- Role-based access controls enforce the principle of least privilege
- Periodic access reviews ensure appropriate permission levels
- Session management includes automatic session cleanup
We are based in the United States. Your data may be transferred to and processed in countries other than your own, and we implement appropriate safeguards for such transfers.
9. Your Rights and Choices
You have the right to access your personal information and receive a copy of your data in portable formats such as JSON or CSV. You may correct any inaccurate information and request deletion of your data, subject to legal retention requirements. You can also restrict or object to processing, withdraw consent at any time, and opt out of marketing communications.
To exercise your rights, you can use the settings within your account or contact us at support@eloope.com. We respond to verified requests within 30 days.
We comply with applicable privacy laws in your jurisdiction. If you have specific rights under CCPA, GDPR, or other privacy regulations, please contact us at support@eloope.com to exercise those rights.
11. Push Notifications
The App supports browser push notifications powered by Firebase Cloud Messaging (FCM). When you opt in to push notifications, your browser generates a unique device token that is stored on our servers to deliver notifications to your device. Notification content may include expense activity, approval requests, and other workflow updates.
Push notifications require your explicit browser permission and are entirely optional. You can enable or disable push notifications at any time through the App's notification settings. When you disable push notifications, your device token is removed from our servers.
12. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected such information, we will take steps to delete it promptly. If you believe we have collected information from a child under 16, please contact us at support@eloope.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and notify you via email or in-app notification.
Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.
14. Contact Information
For questions, concerns, or requests regarding this Privacy Policy, please contact us: