Privacy Policy

1. Introduction and Scope

Welcome to Eloope Expense. This Privacy Policy explains how Eloope LLC ("Eloope," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our expense management platform and related services (collectively, the "Service").

This Privacy Policy applies to:

• Our marketing and information website at https://expense.eloope.com (the "Website")
• Our web application at https://app.expense.eloope.com (the "App")
• Our APIs, support ticketing system, and developer tools
• All integrations with third-party services

By using the Service, you agree to be bound by this Privacy Policy. If you are using the Service on behalf of an organization, you agree to this policy on behalf of that organization.

2. Information We Collect

2.1 Account and Profile Information

When you create an account, we collect your name, email address, and password (which is securely hashed). You may also provide additional profile information including your phone number, profile photograph, job title, department, bio, position, and address (street address, city, state, and country). If you create or join an organization, we collect the organization name, short name, and default currency preference.

2.2 Expense and Financial Data

As you use our expense management features, we collect:

• Expense details including titles, amounts, dates, merchant names, categories, descriptions, currency, and billable status
• Expense reports including report titles, grouped expenses, submission dates, and approval workflow data
• Receipt images and supporting documentation (JPEG, PNG, WebP, or PDF formats)
• Trip details including itineraries, travel documents, and associated expenses
• Cash advance requests with amounts and justifications
• If you use mileage tracking features, distance, route, or location data you choose to provide or that is captured with your explicit consent
• Company card information and card-to-employee assignments
• Cost center names and assignments

2.3 Website Form Submissions

When you interact with forms on our Website, we collect the information you provide:

• Waitlist: email address
• Early Access: name, email, company name, team size, role, and referral source
• Support requests: name, email, inquiry type, and message
• Feature requests: name, email, feature title, and description
• Feedback: name, email, feedback type, and message
• Support tickets: name, email, subject, category, priority, and description

2.4 Communications Data

We collect information from your communications with us, including support ticket messages and correspondence. Our Website includes a chat assistant that helps answer questions about the Service. When you send a message to the chat assistant, your message is transmitted to our servers and to a third-party AI provider (currently Groq, Inc.) to generate a response. Conversation history may be stored in your browser's local storage so you can continue previous conversations on the same device; clearing your browser storage will remove it. We do not associate chat messages with your account unless you separately submit a support request or other form containing your contact information.

2.5 Information Collected Automatically

When you use the Service, we automatically collect technical information such as your IP address, device type, and browser type. We use IP addresses for rate limiting and security purposes. Your approximate location may be determined based on your IP address. We also maintain audit logs that record user actions within the App for security and compliance purposes.

2.6 Information from Third Parties

If you choose to sign in using an authentication provider such as Google, we receive basic profile information (name and email) from that service. When you connect business integrations such as QuickBooks Online, Google Drive, or Slack, we receive data from those services as described in Section 5.

2.7 Payment and Billing Information

When you subscribe to a paid plan, payment processing is handled by Stripe. We do not directly store your full payment card numbers. Stripe collects your payment method details (card brand, last four digits, expiry date), billing address, and email. We store your subscription status, plan type, and billing history references. You may manage your payment details through Stripe's hosted billing portal.

3. How We Use Your Information

3.1 Providing the Service

We use your information to process and manage expenses and expense reports, facilitate approval workflows between employees and managers, perform OCR scanning and data extraction from receipts, generate reports and analytics for your organization, track mileage and manage trip-related expenses, manage company card assignments and cost center allocations, and provide customer support.

3.2 Automated Processing

Your organization's administrators may configure automation rules that automatically process expenses based on defined criteria. This may include auto-approvals, automated email notifications, automatic syncing with connected accounting software, and automatic backup of receipts to cloud storage. These automations operate on your expense data as configured by your organization.

3.3 Communication

We use your information to send transactional emails related to expense submissions, approvals, rejections, and notifications. We also send service-related communications such as ticket confirmations, waitlist confirmations, welcome emails, invitation emails, and password reset emails. With your consent, we may send push notifications about expense activity and approvals. We may also send service announcements and updates.

3.4 Security, Compliance, and Audit

We use your information to protect against fraud and unauthorized access, enforce our Terms of Service, comply with legal obligations, maintain audit logs of user actions, detect expense policy violations, and manage escalation workflows. We also use IP addresses for rate limiting to protect the Service from abuse.

4. AI and Automated Processing

4.1 AI Chat Assistant

The App and Website include AI-powered chat assistants that help you with expense-management tasks and product questions. When you use these features, your messages and limited contextual information (which may include your name, email, role, organization identifier, department, job title, and the page you are viewing) are transmitted to one or more third-party AI service providers for processing. The specific AI providers we use may change from time to time; a current list is available on request.

4.2 Receipt OCR Processing

When you upload receipts, we use automated optical character recognition (OCR) to extract data such as merchant names, transaction amounts, and dates. This processing may involve sending receipt images to third-party AI or OCR service providers.

4.3 Your Choices

Use of the AI chat assistant is optional. Receipt OCR is used as part of the expense submission workflow. We do not train our own AI models on your data. Where we use third-party AI providers, we select providers and plans whose terms prohibit training their models on customer inputs; we cannot, however, guarantee the practices of every provider or every model at all times, and providers' terms may change.

5. Third-Party Integrations

5.1 Supported Integrations

The Service supports optional integrations with third-party applications, which currently include accounting platforms (such as QuickBooks Online, Xero, FreshBooks, and Sage), cloud storage (such as Google Drive and OneDrive), communication tools (such as Slack and Microsoft Teams), automation platforms (such as Zapier), financial-data providers (such as Plaid, where applicable), and single sign-on providers. The list of available integrations may change; a current list is maintained within the App and on our Website.

5.2 Data You Authorize Us to Access

When you connect an integration, you authorize us to access only the data we believe is required to provide the connected feature. For accounting integrations, this typically includes chart of accounts, vendor lists, and company information used to sync expenses and create bills. For cloud storage integrations, this typically includes permission to create and manage files within a dedicated folder we create for your receipts. For communication integrations, this typically includes permission to send messages to channels or users you designate and to read basic channel, user, and team information. For financial-data providers, this may include account and transaction information you explicitly link.

5.3 Integration Credentials and Disconnection

We request only the permissions we believe are necessary to deliver the feature you enable. Integration credentials (such as OAuth access and refresh tokens) are stored on infrastructure that encrypts data at rest. We do not sell data obtained through integrations. You may disconnect any integration at any time through your account settings or through the third-party service, which revokes our ongoing access; data previously synced to or from that service may remain in the respective systems.

5.4 Third-Party Policies

Each third-party integration is governed by its own terms and privacy policy. We encourage you to review those policies before connecting a service. We are not responsible for the privacy or security practices of third-party services.

6. Data Sharing and Disclosure

6.1 Within Your Organization

We share your expense data with administrators, managers, approvers, and finance team members as configured in your organization's hierarchy and role-based access settings. This sharing is necessary to facilitate the expense approval and reimbursement workflow.

6.2 Service Providers

We share data with trusted service providers who assist us in operating the Service, including providers of cloud hosting and database infrastructure, file storage, email and notification delivery, payment processing (Stripe, Inc.), error monitoring, and AI-powered features (which currently include providers such as Groq, Google (Gemini), Anthropic, and OpenAI, depending on the feature and configuration). A current list of our sub-processors is available on request. All service providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.

6.3 Legal Requirements

We may disclose your information when required to comply with applicable laws or legal processes, respond to lawful government requests, or protect our rights, safety, or property.

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.

6.5 Aggregated Data

We may share anonymized, aggregated data that cannot reasonably be used to identify you for research and analytics purposes.

7. Data Retention

We retain your account and expense data for as long as your account is active, subject to the retention period associated with your subscription plan. Current retention periods by plan are described on our pricing page. Customer support communications, audit logs, and technical logs are retained for periods we determine to be reasonably necessary for security, support, and operational purposes, typically ranging from several months to several years.

After your account is closed, we generally delete your personal data within a reasonable period (typically 30 days for active systems and 90 days for backups), except where a longer retention period is required or permitted by applicable law (for example, for tax, accounting, legal, or fraud-prevention purposes) or where data has been aggregated or anonymized such that it no longer identifies you.

8. Data Security

We implement commercially reasonable technical and organizational measures designed to protect your information against unauthorized access, loss, or alteration. These measures include:

• Encryption of data in transit using TLS
• Storage on cloud infrastructure that encrypts data at rest
• Authentication and password management handled by our authentication provider, which stores credentials as salted one-way hashes
• Role-based access controls designed to enforce the principle of least privilege
• Audit logging of user actions for security and compliance purposes
• Session management, including session expiration

No security program can be guaranteed to be impenetrable, and we cannot warrant or guarantee the security of any information you transmit to us or store on the Service. You are responsible for maintaining the confidentiality of your account credentials and for using available security features.

Your data may be transferred to, stored in, and processed in the United States and in other countries where we or our service providers operate. Where required by applicable law, we rely on appropriate safeguards for such transfers.

9. Your Rights and Choices

You have the right to access your personal information and receive a copy of your data in portable formats such as JSON or CSV. You may correct any inaccurate information and request deletion of your data, subject to legal retention requirements. You can also restrict or object to processing, withdraw consent at any time, and opt out of marketing communications.

To exercise your rights, you can use the settings within your account or contact us at support@eloope.com. We aim to respond to verified requests within the timeframes required by applicable law, and we may extend our response period where permitted (for example, for complex or high-volume requests).

We comply with applicable privacy laws in your jurisdiction. If you have specific rights under CCPA, GDPR, or other privacy regulations, please contact us at support@eloope.com to exercise those rights.

10. Cookies and Local Storage

10.1 Essential Cookies

We use essential cookies for authentication and session management. These cookies are set by our authentication provider (Supabase) and contain encrypted session tokens and refresh tokens. These cookies cannot be disabled as they are necessary for the Service to function properly.

10.2 Functional Storage

We use your browser's local storage for functional purposes such as remembering your theme preference (light or dark mode) and retaining recent chat-assistant conversation transcripts so that you can continue previous conversations on the same device. Local storage entries themselves remain on your device; clearing your browser storage will remove them. Messages you send to the chat assistant are separately transmitted to our servers and AI providers as described in Section 4.

10.3 No Third-Party Tracking

We do not use our Service to deliver third-party advertising, and we do not set advertising trackers or advertising pixels. We may use limited first-party or privacy-preserving analytics and error-monitoring tools to understand how the Service is used and to diagnose problems. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

You can manage cookies through your browser settings. Clearing cookies will require you to sign in again.

11. Push Notifications

The App supports browser push notifications powered by Firebase Cloud Messaging (FCM). When you opt in to push notifications, your browser generates a unique device token that is stored on our servers to deliver notifications to your device. Notification content may include expense activity, approval requests, and other workflow updates.

Push notifications require your explicit browser permission and are entirely optional. You can enable or disable push notifications at any time through the App's notification settings. When you disable push notifications, your device token is removed from our servers.

12. Children's Privacy

The Service is a business tool intended for adults and is not directed to children. We do not knowingly collect personal information from children under 13, and consistent with our Terms of Service, users must be at least 18 years old (or the age of majority in their jurisdiction) to use the Service. If you believe a child has provided personal information to us, please contact support@eloope.com and we will take steps to delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and notify you via email or in-app notification.

Your continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy.

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy, please contact us: