Last Updated: July 1, 2023
We have provided this Privacy Statement to explain how we, SpendHQ, LLC and our Affiliated Group Companies, defined below (collectively, “SpendHQ,” “we,” “us” or “our”) collect, use, share and otherwise process personal information collected through our services. “Services,” for purposes of this Privacy Statement, shall include, as applicable, personal information provided through your interaction with our technology platforms, websites, mobile applications, social media pages, marketing activities, and related services, including setting up your account and collecting your personal information for billing purposes. “Personal information” means any information relating to an identified or identifiable natural person. As context requires, we may also refer to personal information as “personal data.”
2. OUR ROLE
We provide Services to our customers and clients (collectively, “Customers”) through an agreement with them, and solely for their benefit and the benefit of their authorized employees, agents and/or independent contractors (collectively, “Authorized Users”).
We determine the purpose and means of the processing of your personal information as described in this Privacy Statement and, therefore, act as a “data controller” (or equivalent/similar terms under applicable data privacy laws) of such information. We may share your personal information with our Affiliated Group Companies and conduct processing activities as controllers or joint controllers for the purposes set out in this Privacy Statement.
In certain circumstances, there may be more than one data controller processing your personal information. For example, your financial partner may also act as a data controller. In these situations, we act as an independent data controller over our processing activities. This means we determine how your personal information will be processed independently from other data controllers. The other data controllers have their own obligations under applicable data privacy laws. SpendHQ is not responsible for other data controllers’ processing activities, and you should contact them directly for questions about how they process your personal information and about how to exercise your privacy rights in relation to such processing.
This Privacy Statement does not apply where SpendHQ processes personal information as a processor or service provider on behalf of our Customers. When we act as a processor or service provider, the privacy policies of our Customers who use our Services applies instead of this Privacy Statement, and our processing of such personal information is governed by our agreement with the Customer, including, without limitation, our Data Processing Addendum. If you have concerns about personal information that we process on behalf of Customers, or you wish to exercise your privacy rights regarding such personal information, please contact the Customer directly.
3. PERSONAL INFORMATION THAT WE COLLECT
The personal information that we collect or otherwise receive about you depends on the context of your interactions with us, how your account is configured, and the choices you make with respect to your privacy settings. The way we process your personal information may also depend on the particular Services you are using, where you are located, and applicable data privacy laws.
3.1. Information You Provide to Us. We collect personal information that you provide to us, including:
(a) Contact Information and Account Data. We collect information from you (or your organization) when you activate Services, create an account with us, and/or upload content or data to our technology platform. Personal information may include your name, title, company name, mailing address, contact for billing purposes, phone number, email address, communication preferences, business location details, and account credentials such as your username and login.
(b) Personal Identifiers. We may collect information to verify your identity such as your name, date of birth, social security number, driver’s license number, government issued ID details, or similar information to verify your identity.
(c) Communication, Training, Support, Feedback and Related Data. We may collect personal information such as your name, email address, phone number and any other personal information that you choose to share when you contact us for support, to give us feedback, to participate in an optional survey, to attend our events, to receive training, or to otherwise communicate or engage with us. This information may include call center recordings and call monitoring records, chat and text records, voicemails, photographs and video images.
(d) Marketing Data. You may provide us with your contact information and preferences for receiving our marketing communications.
(e) Social Media and Websites. We receive content that you post to our social media pages or provide to us through our websites.
(f) Financial Information. We collect payment and billing-related information when you sign up for Services. Finance-related information may include a primary point of contact for billing-related purposes or your payment account details (such as a bank account or credit card number).
3.2. Information Received from Others. From time to time, we may receive personal information about you from other sources, including:
(a) Authorized Users. Authorized Users may provide information about you when they submit content or upload data through the Services. For example, your accountant or controller may enter payment details associated with your organization for purposes of sending you an invoice.
(b) Linked Third-Party Services. We may receive information about you when you link a third-party service (i.e., social media accounts, payment service providers) with our Services or your account. For example, you may allow our Services to connect with a third-party payment processor or social media provider. The information we receive when you link or integrate our Services with a third party depends on the settings, permissions and privacy policies controlled by the third-party provider.
(c) Third-Party Vendors and Suppliers. We may receive information about you from third-party vendors and suppliers that provide us with services or carry out functions related to the provision of our Services.
(d) Affiliated Group Companies. We may receive information about you from other Affiliated Group Companies, as permitted by this Privacy Statement.
(e) Business Partners. We may receive information about you and your activities from third party business partners, including resellers, joint marketers, payment service providers, market research firms, and companies that help us assess risk associated with our Services and technology platform. Information that business partners provide may include billing information, contact information, company name, products and services that may be of interest to you, and the countries or places where your business operates.
(f) Public Information. We may collect information about you from publicly available sources, such as open government databases, social media platforms, and others.
3.3 Information Received Through Automatic Data Collection. We, our service providers, and our business partners may automatically log personal information about you, your computer or mobile device, such as:
(a) Device Information. We collect information from your devices, including information about how you interact with our Services and the products or services of our third-party service providers. This information includes device-specific identifiers, browser version, usage information, operating type, mobile network information, device settings and software data.
(b) Location Information. Certain features of our Services may collect your precise location information if you grant us permission to do so through your device settings.
(c) Communication Interaction Data. We and/or our third-party service providers may collect information from email providers, communication providers and social networks, such as your interaction with our emails, texts or other communications. We may do this through use of pixel tags (also known as clear GIFs) which may be embedded invisibly in our emails.
(d) Online Behavioral Data. We may automatically collect certain personal information about your use and interaction with our Services, including our websites, social media pages and marketing campaigns that we organize, including device information (such as your IP address, operating system, and unique device ID), page view information and search results and links.
3.4 Information Received Through Cookies and Similar Technologies. We collect information when you access content, advertising, websites, interactive widgets, applications and other products (both on and off of our Services) where our data collection technologies such as web beacons, development tools, cookies and other technologies are present. These data collection technologies allow us to understand your activity on and off our Services and to store information when you interact with our Services. For more information, please review our Cookies Notice.
4. HOW WE USE PERSONAL INFORMATION
4.1 Use of Personal Information. We use personal information collected through the Services and through other means (for example, in person at one of our conferences or events) for the purposes described in this Privacy Statement, including:
- With your consent;
- To operate, audit and improve our Services and technology systems;
- To provide customer service and support;
- To provide and facilitate the delivery or products and services requested by you;
- To send you business-related information, including confirmations, invoices, technical notices, updates, security alerts, training information and administrative messages;
- To maintain your account with us;
- To enhance security, monitor and verify identity and service access, combat fraud, malware and other information security risks;
- To detect bugs, report errors and perform activities to maintain the quality and safety of our Services;
- To develop and send you marketing, sales and promotional communications in line with your communication preferences;
- To communicate with you about one of our events, conferences, webinars or demos;
- To implement or deploy our Services at your business location, either onsite or remotely;
- To respond to your comments or questions, or provide you with information that you have requested;
- To display and measure engagement with promotions across different devices and sites;
- To maintain legal and regulatory compliance; and
- To process your information for other legitimate business purposes such as data analysis, audits, collecting and assessing feedback, identifying usage trends, determining the effectiveness of marketing campaigns, and to evaluate and improve our products, services, marketing and business relationships.
4.2 Legal Basis for Processing for Subscribers in the EEA. If you reside in the European Economic Area (“EEA”), we collect and process personal information about you only where we have a legal basis for doing so under the EU’s General Data Protection Regulation 2016/679 (“EU GDPR”) and the United Kingdom’s Data Protection Act of 2018 (“UK GDPR”). The legal basis depends on the Services you use and how you use them. This means we collect and use your personal data only where:
- We need it to provide you with Services, including to operate the Services, provide customer support and to protect the integrity of the Services and our technology systems where other clients and customers are concerned;
- It satisfies a legitimate interest, such as for research and development, to market and promote the Services, and to protect our legal rights and interests;
- You give us consent to do so for a specific purpose; or
- We need to process your personal information to comply with a legal obligation, including our provision of Services to you under your agreement with us.
If you have consented to our use of personal information for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your personal information because we have a legitimate interest in doing so, you have the right to object to that use, although, in some cases, this may mean no longer being able to use the Services.
5. WHEN WE SHARE YOUR PERSONAL INFORMATION
We do not disclose and share your personal data with third parties other than:
- Where it has been de-identified, including through aggregation or anonymization;
- When you instruct us to do so;
- With your consent, for example, when you agree to our disclosing your personal information with other third parties subject to their separate privacy policies and practices;
- With our Affiliated Group Companies;
- With third party vendors, consultants and other service providers who work with us and need access to your personal information to carry out their work function. Examples include vendors and third-party service providers who provide assistance with marketing, scheduling, billing, payment processing, data analysis, fraud detection and prevention, network and IT system security, technical support and customer service;
- With third party business partners who are involved in providing products and services to our Customers, including to fill product requests, provide training or customer support, or implement the Services.
- To comply with laws or to respond to lawful requests and legal process;
- To protect our rights and property (including that of our agents, representatives and business partners), and to enforce our agreements, policies and terms of service;
- In order to protect any individual’s vital interests (but only where we believe it reasonably necessary in order to protect that individual’s vital interests); and
- In connection with or during negotiation of any business transfer, merger, financing, acquisition, dissolution transaction or proceeding involving sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.
6. DATA SECURITY
Although no company or service can guarantee complete security, we use appropriate technical and organizational measures to protect personal information that we collect and process. We have implemented information security policies, password protection protocols, rules and other technical measures to protect the personal information under our control from unauthorized access, improper use or disclosure, and unlawful destruction or accidental loss. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. While information security risks are always evolving, so are the controls. The controls that we have implemented are periodically reviewed as part of internal and external audits.
7. RETENTION AND DELETION
We retain personal information that we collect from you where we have an ongoing legitimate business need to do so (for example, to comply with applicable legal requirements or to enforce our agreement with you). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it; or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
8. PROTECTING CHILDREN’S PRIVACY
Services are not intended for and are not available to persons under the age of 16 or any other age designated by applicable law (“Minors“). We do not knowingly collect or solicit personal data from Minors. We do not knowingly allow Minors to use our Services. If you are a Minor, please do not use our Services or send us your personal data. We delete personal data that we know is collected from a Minor without verified parental consent. Please contact us if you believe we may have personal data from or about a Minor that should be deleted from the Platform.
9. THIRD-PARTY SITES AND SERVICES
This Privacy Statement does not apply to the practices of companies that we do not own or control, or to people that we do not employ or actively manage. If our Services include links to third-party websites, please be aware that we are not responsible for the privacy practices of these third parties. We encourage you to familiarize yourself with the privacy policies for the third-party companies so you have an understanding about how your personal information might be collected and used.
10. YOUR PRIVACY RIGHTS AND CHOICES
10.1 Privacy Rights for Customers. Certain data privacy laws around the world, including the EU GDPR, UK GDPR and the California Consumer Privacy Act, as modified by the California Privacy Rights (“CCPA”), provide users with rights related to their personal information. Consistent with those laws, we give you the choice of accessing, editing, or removing certain information, as well as choices about how we contact you. You may change or correct your account information through your account settings. You may also remove certain optional information that you no longer wish to be publicly available through the Services. You can also request to permanently close your account and delete your personal information. Depending on your location, you may also be entitled to other rights.
- Right to Access & Portability. You can access certain personal information associated with your account by visiting your account privacy settings. You can request a copy of your personal information by emailing us at email@example.com with the subject heading: “Information Request.”
- Right to Correction. You have the right to request that we rectify inaccurate information about you. By visiting your account settings, you can correct and change certain personal information associated with your account.
- Right to Restrict Processing. In certain cases where we process your personal information, you may also have the right to restrict or limit the ways in which we use such information.
- Right to Deletion. In certain circumstances, you have the right to request the deletion of your personal information, except information we are required to retain by law, regulation, or to protect the safety, security, and integrity of the Services and our other customers.
- Right to Object. If we process your information based on our legitimate interests as explained above, or in the public interest, you can object to this processing in certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons.
- Right to Withdraw Consent. Where we rely on consent, you can choose to withdraw your consent to our processing of your personal information using specific features provided to enable you to withdraw consent, like an email unsubscribe link or your account privacy preferences. If you have consented to share your precise device location details but would no longer like to continue sharing that information with us, you can revoke your consent to the sharing of that information through the settings on your mobile device.
The CCPA provides California residents with the following additional rights:
- Right to Know. California residents may request disclosure of the specific pieces and/or categories of personal information that the business has collected about them, the categories of sources for that personal information, the business or commercial purposes for collecting the information, the categories of personal information that we have disclosed, and the categories of third parties with which the information was shared.
- Right to Opt-Out of the “Sale” of Personal Information. We do not “sell” personal information as that term is traditionally understood. We also do not knowingly “sell” the personal information of consumers under 16 years of age.
- The Right to Non-Discrimination. We will not refuse, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise any of your rights under the CCPA.
Limiting use of, or deleting, your personal information may impact features and functionalities that rely on that information. However, we will not discriminate against you for exercising any of your rights, including otherwise denying you use of the Services, providing you with a different level or quality of Services, or charging you a different price.
10.2 Privacy Rights for our Customer’s Customers. If you are one of our Customer’s customers and the personal information pertaining to you as an individual has been submitted to us by or on behalf of our Customer, and you wish to exercise any data protection rights you may have with respect of such data under applicable data privacy law – including, as applicable, the right to access, port, correct, amend or delete such data – please send your request directly to the Customer with whom you have a business relationship. We have limited ability to access and/or correct a Customer’s data or submitted consent. If you make your request directly to us, please provide the name of the Customer who submitted your personal information to our Services and we will refer your request to that Customer and/or support them as we are able in responding to the request in a reasonable timeframe.
10.3 Exercising Your Privacy Rights. If you would like to manage, change, limit or delete your personal information, you can do so via your account settings in the Services. Alternatively, you can exercise any of the rights above by contacting us by phone, mail or email at the contact information listed below in Section 14. Please direct your inquiry to the appropriate SpendHQ entity with whom you have a business relationship.
10.4 Verification Procedures. To help protect privacy and the security of your personal information, we may ask you to provide us with additional information to verify your identity and/or ownership rights before we fulfill your privacy rights request. If we cannot verify your identity or your ownership rights in the data, we may not be able to act on your request until proper documentation is provided.
10.5 How to Opt Out from Marketing Communications. You can opt out from receiving marketing communications from us by:
- Clicking on the unsubscribe link located at the bottom of each marketing-related email;
- Updating your communication preferences within the Services (in account settings menu); or
- By contacting us directly to have your contact information removed from our distribution list.
Please note that even after you opt out from receiving marketing messages from us, you will continue to receive generic (non-targeted) ads and transactional (non-promotional) messages from us regarding our business relationship with you.
11. HOW WE TRANSFER DATA INTERNATIONALLY
We reserve the right to store and process your personal information in the United States and in any other country where we, our Affiliated Group Companies, and our third-party service providers have operations in accordance with and as permitted by applicable data privacy laws. Some of these countries may have privacy laws that are different from the laws of your country (and, in some cases, may not be as protective). When we transfer, store or process personal data outside of your jurisdiction (including to or in the United States), we take appropriate safeguards to require that your personal information remains protected in accordance with this Privacy Statement and applicable data privacy laws.
Some of these recipients of your personal information are located in countries for which the European Commission and/or the United Kingdom Government (as and where applicable) have issued adequacy decisions, which means that these countries are recognized as providing an adequate level of data protection under applicable United Kingdom and/or European data protection laws and the transfer is therefore permitted under Article 45 of UK GDPR and EU GDPR.
Other recipients of your personal information are located in countries outside the EEA and/or United Kingdom that are not the subject of an adequacy decision (for example, the United States). In these cases, we may use the Standard Contractual Clauses approved by the European Commission or, as applicable, the International Data Transfer Agreement approved by the United Kingdom Government, to help ensure your personal data is protected.
Please contact us for additional information about the transfer safeguards we and our Affiliated Group Companies rely on.
12. ADDITIONAL DISCLOSURES FOR CALIFORNIA RESIDENTS
12.1 Shine the Light. California law entitles residents to ask for notice describing what categories of personal information we share with third parties for their own direct marketing purposes. We do not share any personal information with third parties for direct marketing purposes.
12.2 Notice of Collection. In addition to the rights and choices described above in Section 10, the CCPA requires disclosure of the categories of personal information collected over the past 12 months. While this information is provided in greater detail in Section 3 titled “Personal Information That We Collect,” the categories of personal information that we have collected – as described by the CCPA – are:
- Identifiers, including name, email address, location name, physical address.
- Other individual records such as phone number, billing address, or credit or debit card information. This category includes personal information protected under pre-existing California law (Cal. Civ. Code 1798.80(e)) and overlaps with other categories listed here.
- Demographics, such as your age or gender. This category includes data that may qualify as protected classifications under other California or federal laws.
- Commercial information, including purchases, transaction data, and engagement with the Services.
- Internet activity, including your interactions with our Services and what led you to our Services.
- Sensory visual data, such as pictures posted on our Service.
- Geolocation data provided through location enabled services such as WiFi and GPS.
- Inferences, including information about your interests, preferences and favorites.
12.3 The Sources and Purposes for our Collection. We collect these categories of personal information from the sources described above, and we use these categories of personal information for our business and commercial purposes as described in Section 4 titled “How We Use Personal Information,” including providing and improving the Services, maintaining the safety and security of the Services, processing payments and sales transactions, and for marketing purposes.
12.4 “Do Not Track” Signals. Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out from receiving marketing from us as described above.
12.5 Accessibility. If you have a disability and would like to access this policy in an alternative format, please contact us by phone, mail or email at the contact information listed below in Section 14. Please direct your inquiry to the appropriate SpendHQ with whom you have a business relationship.
13. CHANGES TO THIS PRIVACY STATEMENT
We may update this Privacy Statement from time to time, so you should check it periodically. If we make changes that are material, we will provide you with appropriate notice before such changes take effect.
14. HOW TO CONTACT US
If you have questions about this Privacy Statement or our privacy practices, please direct your inquiry to us at:
5555 Triangle Pkwy., Ste. 250
Atlanta, GA 30092
15. AFFILIATED GROUP COMPANIES
5555 Triangle Pkwy., Ste. 250
Atlanta, GA 30092 USA
Affiliated Group Companies:
Market / Territory
Insight Sourcing Group
5555 Triangle Pkwy., Ste. 300
Atlanta, GA 30092 USA
Per Angusta, LLC
5555 Triangle Pkwy., Ste. 250
Atlanta, GA 30092 USA
United Kingdom / Europe
Per Angusta SAS
19 Rue Louis Guérin
69100 Villeurbanne, France
+33 4 72 69 02 09