SpendArc

Last updated: December 1, 2024

Privacy Policy

REPLACE WITH YOUR LEGAL COMPANY NAME (“SpendArc”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our spend management platform and related services (“Services”).

1. Information we collect

We collect information you provide directly to us, such as when you create an account, submit a KYB application, or contact our support team. This includes: name, email address, phone number, company information, government-issued ID (for KYB verification), and financial information required for regulatory compliance. We also automatically collect certain information when you use our Services, including log data (IP address, browser type, pages visited), device information, and usage patterns.

2. How we use your information

We use the information we collect to: provide, maintain, and improve our Services; process transactions and send related information; verify your identity and your business for compliance purposes (KYB/KYC); send promotional communications (with your consent); respond to your comments and questions; and comply with legal obligations.

3. Information sharing

We do not sell your personal information. We may share your information with: service providers who assist in our operations (subject to confidentiality agreements); financial institutions and payment networks required to process transactions; regulatory and law enforcement bodies when legally required; and business partners with your explicit consent. In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data security

We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 in transit, infrastructure designed to support [CUSTOMISE: your compliance commitments, e.g. SOC 2 Type II], and multi-factor authentication. While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure.

5. Data retention

We retain personal information for as long as necessary to provide our Services and comply with legal obligations. Financial records are retained for 7 years as required by applicable law. You may request deletion of your account and associated personal data, subject to our legal retention requirements.

6. Your rights

Depending on your location, you may have the following rights:

• Right of access (Art 15 GDPR) — you can request a copy of the personal data we hold about you.
• Right to rectification (Art 16 GDPR) — you can ask us to correct inaccurate or incomplete data.
• Right to erasure (Art 17 GDPR) — you can ask us to delete your data (right to be forgotten), subject to our legal retention obligations.
• Right to restriction of processing (Art 18 GDPR) — you can ask us to pause processing of your data in certain circumstances.
• Right to data portability (Art 20 GDPR) — you can request your data in a structured, machine-readable format.
• Right to object (Art 21 GDPR) — you can object to processing based on legitimate interests or for direct marketing.
• Right not to be subject to solely automated decisions (Art 22 GDPR) — you can request human review of decisions made solely by automated means that significantly affect you.
• Right to withdraw consent (Art 7(3) GDPR) — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — if you believe we have mishandled your data, you have the right to lodge a complaint with the relevant supervisory authority (e.g. the UK ICO at ico.org.uk, or your national EU data protection authority).
• California rights (CCPA / CPRA) — California residents have the right to know what personal information we collect, to delete it, to opt out of its sale or sharing, and to non-discrimination for exercising these rights.

To exercise any of these rights, contact us at: dpo@[CUSTOMISE: yourdomain.com]

7. Do Not Track / Global Privacy Control

We honour the Global Privacy Control (GPC) signal, treating it as an opt-out of the sale or sharing of your personal data as required under applicable US state privacy laws (CCPA/CPRA and related statutes). No further action is needed if your browser or extension sends a GPC signal — we will automatically apply opt-out treatment. We also respect Do Not Track (DNT) browser signals where technically feasible. Note that DNT does not carry the same legal weight as GPC and our ability to honour it depends on third-party service providers.

8. Cookies

We use cookies and similar tracking technologies to track activity on our Services. You can instruct your browser to refuse all cookies or indicate when a cookie is being sent. However, some parts of our Services may not function properly without cookies.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Services after changes constitutes acceptance of the updated policy.

10. Contact us

If you have questions about this Privacy Policy, please contact us at:

REPLACE WITH YOUR LEGAL COMPANY NAME
REPLACE WITH YOUR REGISTERED ADDRESS
dpo@[CUSTOMISE: yourdomain.com]

DemoUI kit preview — content is fictional.