Privacy Policy

Revision date: | View archived versions

Procurify Technologies Inc. and its affiliates or subsidiaries (“we“, “us“, “our“, and similar expressions) value your privacy and we want you to understand how we collect, use, share, and protect your personal information when you visit www.procurify.com and any of its sub-domains (our “Website“), buy products through us, use our services, sign up for an account with us (an “Account“), use our software platform (the “Platform“) (the foregoing collectively, the “Services“), and otherwise interact with us. By using our Website or any of our Services, you are agreeing to the terms of this Privacy Policy.

1. What is personal information?

“Personal information” is generally any information about an identified or identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a natural person.

2. What personal information do we collect about you and how do we collect it?

When we act as a service provider to our business customers, we generally process personal information as a ‘processor’ or equivalent role under applicable data protection laws, in accordance with our customer contracts and the Data Processing Addendum. When we determine the purposes and means of processing—for example, when we collect information about visitors to our Website, manage our own marketing and sales activities, or operate our internal business systems—we generally act as a ‘controller’ or equivalent role.

  • Information you give to us.
    • Contact data and account profile data. We collect personal information you give us directly when you create an Account, activate a subscription or purchase of our Services, or upload data to the Platform. For example, when you create an Account or place an order for Services with us you will give us information like your email address, first and last name, payment information, and your username and password. You may also provide us with other optional information as part of your Account profile, such as avatars or profile images, other contact information, and links to social network profiles you have (including when used for authentication purposes).
    • Data in contracts and other legal agreements. We may also collect information directly from you for contractual or legal reasons. For example, we may ask you to select your jurisdiction when you sign up for Services.
    • Information to verify your identity. We collect information to verify your identity, which may include your name, date of birth, social security number, social insurance number, driver’s license number, passport number, government-issued identification details, and similar information to verify your identity.
    • Communications. We may collect personal information you include in your communications with us, such as information you include in SMS (text) messages, form submissions on the Website, communication means in the Services, and other electronic messages between you and us (collectively, “Electronic Messages”), or by phone or mail.
    • Marketing preferences, surveys, contests, or promotions. We collect information you include in your marketing preferences with us or that you provide as part of a survey, contest, or promotion that we run and in which you participate.
    • Social and community content. We receive content you post on our social media pages and the public areas of our Website (e.g., if you post a comment on an article we feature on the Website).
    • Business and financial information. We may receive information from you about your business, your finances, expenses, invoices, details of your financial transactions, payment details, tax details, details about your customers, vendors, or employees, or other business and financial information when you use our Services.
    • Device and contact data. If you grant permission in your device settings, certain features may have access to your device and contacts information.
    • Payment processing information. If you have made a purchase through us, or if you make a financial transaction using our Services, we or any third-party payment processors we use will collect information about the purchase or transaction. This includes billing details, credit card information, account, and authentication information.
    • Information you upload. We collect personal information about you when you upload it to the Platform or otherwise give it to us when we provide our Services to you. This includes information we collect when you complete a transaction with us.
  • Information about you that we get from other sources. We may receive personal information about you from other third parties where you have provided consent or where we are permitted by applicable law to receive the information. We protect and process the personal information we receive from third parties as described in this Privacy Policy, consistent with any additional restrictions imposed by the source of the information. Our third-party sources may vary over time and depend upon how you use the Services. For example, we receive information from:
    • Other customers and users of our Services. Our Services connect our customers with other people and businesses. This means others may input personal information about you to our Services. For example, another customer of our Services may share your contact details to the Platform when they acquire your products and services and track their spending with your business. Another example is when an Account administrator includes personal information about authorized users, such as names and email addresses, to allow those users to access and use the Services with that Account.
    • Service providers. We use a variety of third-party service providers to help us deliver our Services and these service providers may give us information about you. For example, we may get information from our marketing service providers to support our marketing initiatives, improve our Services, and better monitor, manage, and measure our ad campaigns, such as details about when our service provider shows you one of our ads on or via its advertising platform. We may hire research firms that help us understand our market and where allowed under applicable laws, these researchers may provide us with personal information. We may receive personal information about you or your interaction with the Services from certain third parties for troubleshooting purposes, for example when we obtain information about your interaction(s) with customer support and information about technical issues you have raised, including call center recordings, call monitoring records, voicemails, photographs, and chat records.
    • Business partners. We may also collect information about you from our business partners that assist us with providing our Services, developing our business, and understanding our market. For example, we facilitate you having certain financial products, such as our Bill Pay and Spending Card products, that are provided to you through collaborations we have with our business partners, such as Stripe. To deliver these products and services to you, we may be given information about you from the applicable business partner (e.g., Stripe). Our Financial Services Partners independently determine the purposes and means of processing personal information they collect when you use their services, and they act as separate controllers under applicable data protection laws. We encourage you to review their privacy policies for more information about their data practices.
    • Supplemental information and identity verification providers. We also collect personal information about you from third-party service providers that assist us with verifying your identity. For our Bill Pay and Spending Card products, this may include “know your client” information needed to comply with applicable laws and the requirements of our financial product business partners. Our Services may also use single sign-on integrations through other platforms and providers (e.g., signing in through a social media account), which includes information sharing between us and the single sign-on provider.
    • Linked third-party services. If you choose to integrate a third-party service with your Account, we may receive information from that third-party service according to your settings with that third-party.
    • Risk management, cybersecurity & anti-fraud providers. We may receive personal information from third parties that help us assess risks associated with our offerings, including to help combat fraud and illegal activity and to help protect your personal information.
    • Joint offering partners. We may offer co-branded services or experiences or engage in joint-marketing activities with others, including through our conferences or live events.
    • Government agencies. We receive information from government agencies, including from various tax agencies, to help verify your business information or to facilitate your use of our Services.
    • Public information. We collect individual and household demographic information and preference information from publicly available sources, such as open government databases, social media platforms, and others.
    • B2B identification and intent providers. We use third-party services that help us identify the businesses and professional contacts most likely to be interested in our Services. These providers may give us information about the company associated with a visitor to our Website, contact details for individuals at organizations that match our target customer profile, and signals indicating that an individual or organization is researching products or topics relevant to our Services.
  • Automatic data collection. We, our service providers, and our business partners may automatically collect personal information about you, such as:
    • Information from your use of the Website and Services. We collect personal information about you when you use our Website and Services. This includes information like your Internet protocol (IP) address, your geographic location (including city-level location and other non-precise location signals derived from your IP address or device), the website you visited before coming to our Website, your browser type and settings, log data, your device information (for example, if you’re using a tablet, mobile phone, or desktop computer and the operating system), the date and time when you visited the Website, information about your browser configuration and plug-ins, your language preferences, and other unique identifiers.
    • Usage information. We may collect information about your use of our Services, such as the pages you viewed, the services and features you used or interacted with, your browser type, and details about any links or communications with which you interacted. Our analytics tools may also record mouse movements, scrolling, clicks, and other interactions with our Website to help us understand how visitors use our Website and improve it. These session recording tools are subject to your cookie consent preferences and are configured to mask or exclude sensitive input fields.
    • Information stored locally. Some of our web-enabled desktop services and offerings synchronize with the information on your computer. In doing so, we may collect information such as device information, product usage, and error reports. We may also store personal information locally on your device.
    • Communication interaction data. We or our third-party service providers may collect information from email providers, communication providers, and social networks, such as your interactions with our email, text, or other communications (e.g., whether you open or forward emails). We may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.
    • Online behavioral data. We may automatically collect certain personal information about your use and interactions with our Website, customers’ websites or e-commerce stores, social media websites, and marketing campaigns that we or our customers organize, including device information (such as your IP address and unique device IDs), page view information and search results, links, and if you are a customer contact, whether or not a campaign presented or sent to you using our offerings has been viewed, delivered, opened, clicked on, whether it has bounced or was treated as spam.
    • Information from cookies and other tracking technologies. We collect information about you through cookies and similar tracking technologies to provide and support our Website and the Services. More information on our use of cookies is available in our Cookie Policy. We use the following categories of tracking technologies on our Website:
      • Analytics and product analytics, to understand how visitors find and use our Website, including aggregated, session-level, and page-level interaction data;
      • Digital advertising and conversion measurement, including pixels and tags operated by search, social, and display advertising platforms, which help us deliver and measure the effectiveness of our advertising;
      • B2B visitor identification and intent, which help us identify the businesses visiting our Website and signals that an organization may be researching our Services;
      • Marketing automation and customer relationship management, which help us send relevant communications, track website activity associated with our marketing programs, and route inquiries;
      • Interactive content and product tours, which help us host demos and interactive experiences on our Website;
      • Customer support and chat, where applicable; and
      • Consent management, which records and honors your cookie and tracking preferences.

      A current list of the specific providers we use in each of these categories, the cookies they set, and the choices available to you is available in our Cookie Policy.

    • Hashed identifiers shared with measurement and advertising partners. When you submit information through certain forms on our Website (for example, when you request a demo, contact us, download a resource, or sign up for marketing communications), we may transmit a hashed (one-way encrypted) version of personal information you provide — including your email address, phone number, and name — to our analytics and advertising partners. We do so only where you have consented to marketing communications or, for business contacts, where we have a legitimate interest in measuring and improving our marketing effectiveness. These hashed identifiers are used by those partners to:
      • more accurately measure conversions resulting from our advertising and marketing campaigns;
      • match website activity to known users and reduce reliance on third-party cookies; and
      • include you in, or exclude you from, audiences for our advertising on their platforms.

      We rely on the technical controls and contractual commitments of these partners to ensure that hashed identifiers are processed only for the purposes we have authorized. You can opt out of this processing as described in Section 6.

  • Sensitive personal information. Our Services may ask you to input sensitive personal information, for example when you request financial products we make available to you through collaborations with our business partners, such as our Bill Pay and Spending Card products offered through the services of Stripe. The sensitive personal information will be identified at the time we request it from you and may include financial information about you.

3. How and when do we use your information?

We use information that we collect about you or that you provide to us, including any personal information, for several purposes:

  • Consent. We use your personal information when you have consented to the use of it in a particular way. When you consent, you can change your mind at any time. We’ll normally let you know when information is required, and the consequences of failing to provide it or withdrawing your consent. If you do not provide personal information when requested, you may not be able to use our Services if that information is necessary to provide you with the Service or if we are legally required to collect it.
  • To make our Website and Services available to you. We use your personal information to provide your Account and our Website and Services to you and to respond to your requests.
  • To fulfill the purposes for which you provided the information to us. We use your personal information when you give it to us for a specific purpose or for reasons that were described when it was collected, such as providing Services to you, or any other purpose for which you provide it, including for any other reason described in this Privacy Policy.
  • To determine your eligibility. We may use your personal information to evaluate your eligibility for marketing offers, products, and services. Sometimes this may involve deciding whether you are approved for our Services or to offer you financing arrangements we make available to you through collaborations with our business partners, such as may be the case with our Spending Card and Bill Pay products.
  • To connect you with others. We may use your personal information in connection with our Services to connect you with other people and businesses in the way intended by our Platform. For example, we collaborate with certain marketplace providers through what is commonly referred to as a “punchout” integration; this allows our Platform to exchange information with third party platforms to enable you to purchase goods and services from the third-party platform provider or its marketplace participants.
  • To process payments. We use your personal information to process payments through our Website and Services.
  • To communicate with you and verify your identity. We use your personal information to communicate with you, including to send you Electronic Messages and other communications about the Services and your relationship with us. We also may use your personal information to verify your identity. If we are interacting with you in person, such as when you attend our offices, events, or the location of others that are providing a venue on our behalf, we may use your personal information for security purposes, such as creating a visitor or attendee log.
  • To market and promote our business to you. We use your personal information to market our Website, Services, and business to you, including through surveys and promotions. We may use your information to send you tailored marketing communications about products, services, offers, programs, and promotions of ours and those of our partners and measure the success of those campaigns. For example, we may send different marketing communications to you depending on what we think may interest you based on other information we hold about you. We use your personal information to analyze your interactions with our Website and Services and third parties’ services so we can tailor our advertising to what we think will interest you. This includes sharing hashed versions of personal information you submit through our Website with advertising and analytics partners so they can measure the effectiveness of our marketing and match website activity to known audiences, as described in Section 2. For example, we may decide not to advertise our Services to you on a social media site if you already signed up for an Account or follow us, and we may choose to serve you a particular advertisement based on your service choices with us.
  • To customize your experience. We use your personal information to provide you with customized services. For example, we use your location information to determine your language preferences or display accurate date and time information. We also use cookies and similar technologies for this purpose, such as remembering your preferences.
  • To create inferences and for profiling. We use personal information we collect from you and the other sources identified in our Privacy Policy to create a profile about you to reflect your preferences, characteristics, behavior, and other similar characteristics to better understand you and how our Website and Services may be relevant to you. Some jurisdictions give individuals a right to have profiling activities restricted. In certain jurisdictions, including Colorado, Connecticut, and Virginia, you may have the right to opt-out of certain profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. You can exercise such rights, where available, by contacting our Privacy Officer or through the settings available in your Account, as described in the jurisdiction-specific sections of this Privacy Policy. Please contact our Privacy Officer with any requests or information about our use of your personal information for profiling.
  • To improve our Website, Services, and customer experience, and for general research and development. We use your personal information to analyze and learn about how you access and use the Website and Services, to evaluate and improve our Website and Services (including by developing new products and services and managing our communications), and to monitor and measure the effectiveness of our advertising. We usually do this based on anonymous, pseudonymized, or aggregated information which does not focus on you individually. For example, if we learn that most people using our Services in a location or for a particular purpose tend to use a specific integration or feature, we might wish to expand on that integration or feature.
  • To de-identify or anonymize your personal information and to aggregate it with other data. We combine and anonymize information about your interactions with us to create de-identified personal information, anonymized data, and aggregated data for research and development, marketing, promoting, improving, and developing our Services. Personal information does not include information that has been anonymized in such a way that it can no longer be used to identify a specific natural person, whether on its own or in combination with other information. We may use your personal information to create this kind of anonymized or aggregated data. In creating De-Identified Data and AI Training Data, Procurify applies technical and organizational safeguards designed to ensure that the resulting data cannot reasonably be used, alone or in combination with other information available to Procurify, to identify a specific individual.
  • To make our Website and Services secure. We use your personal information to keep our Website and our Services secure, such as when we use your personal information to verify your identity and access credentials.
  • To manage our third-party relationships. We use your personal information to manage our vendor, service provider, and partner relationships.
  • To enforce our rights and to meet our obligations. We use your personal information to carry out our obligations and enforce our rights under contracts and our terms of service, for billing matters, or to comply with legal requirements. We may also use your personal information to protect our and others’ interests, rights, and property where we have a legitimate interest in doing so.
  • To comply with the law. We use your personal information to comply with applicable legal requirements, such as tax and other government regulations, contracts, and law enforcement requests.
  • Notices about our relationship with you. We will also use your personal information to give you notices about your relationship with us.
  • Whistleblower reporting. When you report any concern of non-compliance, unethical conduct, or other alleged violation of our policies or terms of service, personal information you provide will be processed as a part of the investigation of the allegations and retained in accordance with our internal policies until the investigation is complete. While we make every effort to maintain confidentiality, depending on the investigation, disclosing your identity to other individuals may be necessary.

4. Artificial Intelligence and Automated Decision-Making

Our Services use artificial intelligence (“AI”) technologies, including AI models and advanced AI features, to enhance our Platform. These features may: automatically extract and analyze data from invoices, purchase orders, receipts, and other documents; perform pattern recognition and anomaly detection across transaction data; provide AI-generated recommendations (for example, for approvals, general ledger coding, and procurement workflows); match and reconcile transactions; support fraud detection and suspicious payment flagging; perform agentic or autonomous processing based on parameters set by your organization; and enhance spend analysis, insights, and reporting.

AI-powered features may use your personal information, together with configuration settings defined by your organization, to generate outputs, recommendations, or actions (“AI Outputs”). AI Outputs are based on patterns in the data provided to us and in your organization’s configuration settings. AI Outputs may be inaccurate, incomplete, or unreliable and should not replace your own judgment. You and your organization are responsible for reviewing AI Outputs and for any decisions or actions taken based on them. We do not guarantee that AI features will (a) be accurate or error-free, (b) detect all fraudulent or unauthorized transactions, (c) comply with all laws in every jurisdiction, or (d) be suitable for your specific business needs. You should maintain appropriate human oversight and controls when using AI features.

Some AI processing activities may constitute “profiling” or automated decision-making under applicable privacy or data protection laws, including automated processing used to evaluate, analyze, or predict personal aspects such as an individual’s economic situation, reliability, behavior, preferences, or movements, and that may support decisions about eligibility for certain services or features we or our partners offer. In most cases, our AI features assist our customers’ authorized users, who retain decision-making authority and review AI Outputs before acting. We do not generally rely on solely automated decision-making, within the meaning of Article 22 GDPR / UK GDPR or comparable laws, to make decisions that produce legal or similarly significant effects concerning individuals in the context of our enterprise Services. If, in exceptional cases, we act as a controller and use solely automated decision-making that produces such effects, we will inform affected individuals and, where required, provide information about the logic involved, the significance and envisaged consequences of the processing, and the rights to obtain human intervention, express a point of view, and contest the decision.

Depending on your jurisdiction, you may have rights in relation to profiling and automated decision-making, which may include rights to request human intervention, express your point of view, contest automated decisions, or opt out of certain profiling or automated processing that produces legal or similarly significant effects. For example, residents of Colorado, Connecticut, and Virginia may have rights to opt out of certain profiling in furtherance of such decisions, as described in the jurisdiction-specific sections of this Privacy Policy. Residents of the UK, the EEA, and Brazil may have rights to request review of automated decisions or to object to certain processing, as described in the UK/EEA and Brazil sections of this Privacy Policy. To exercise these rights, where available, you may contact our Privacy Officer or use the tools and settings available in your Account. Where we act as a service provider or processor, we will coordinate with your organization to help respond to your request.

We work with third-party AI providers to deliver certain AI models and advanced AI features. When you use AI features, your personal information, as well as inputs you or your organization provide and AI Outputs generated by the Services, may be processed by these third-party providers under their terms and privacy policies. We require our third-party AI providers to maintain appropriate confidentiality and data protection obligations consistent with applicable law and our contractual commitments to our customers.

We may use de-identified and aggregated data derived from personal information, including Customer Data, inputs, and AI Outputs (“AI Training Data”), to develop, train, improve, and enhance our AI models and features. De-identified data has been processed so it can no longer be used to identify a specific individual, whether on its own or in combination with other information. We use commercially reasonable methods to help ensure that AI Training Data cannot be used to reconstruct or re-identify the underlying personal information. We do not use identifiable Customer Data to train our AI models without first applying appropriate de-identification processes. Our general data retention practices are described in the “How long do we keep your personal information?” section below. We may retain AI Training Data in de-identified form for as long as necessary for the purposes described in this section and in our agreements with our customers. In the context of our enterprise Services, Procurify does not generally act as controller to make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects concerning individuals. Where we exceptionally rely on such processing as controller, we will provide any notices required by Applicable Laws and will respect individuals’ rights to obtain human intervention, express their point of view, and contest the decision.

Our AI features may involve the transfer of personal information, inputs, AI Outputs, and AI Training Data to countries other than the one in which the information was originally collected, including to our third-party AI providers. These transfers are carried out in accordance with the “Where we may store and process your information” and “International data transfers” sections of this Privacy Policy and applicable data protection laws, including the use of appropriate safeguards where required. For more information about our international transfer mechanisms or AI-related processing, please contact our Privacy Officer using the details in the “How to contact us” section below.

For clarity, where we refer to anonymized, de-identified, or aggregated data in this Privacy Policy, such terms have the same or substantially similar meanings as ‘De-Identified Data’ and ‘AI Training Data’ in our Subscription Services Agreement and Data Processing Addendum, and we apply technical and organizational safeguards designed to prevent such data from being re-identified. Capitalized terms used in this Section 4, such as ‘AI Model’, ‘Advanced AI Features’, ‘Agentic AI’, ‘AI Outputs’, ‘AI Training Data’, ‘Autonomous Processing’, and ‘Configuration Parameters’, have the meanings given to them in our Subscription Services Agreement, unless otherwise specified in this Privacy Policy.

5. How do we share your personal information?

In addition to other scenarios we have discussed in this Privacy Policy, we may share your personal information in the following ways:

  • Information we collect and share with others for their own purposes. Our business includes collecting information and data about people and companies that use our Website and Services and sharing that information with other organizations so that they can use it for their own purposes. For example, when you request or order the products and services of third parties through our Services, we will share your request and the information within it, including personal information, to facilitate the transaction.
  • For certain product features. We may use third party integration services, often through an API, to enable you to use certain product features. If you choose to use those features, you acknowledge and agree that you are also bound by the third party’s privacy policy. You may manage your data by visiting the third party’s security settings page or by contacting the third party. When you use these third-party integrations, you consent to us sharing your personal information with the owner or operator of the third-party integration.
  • Affiliates and subsidiaries. We share personal information with our affiliates and subsidiaries when it is reasonably necessary or desirable, such as to help provide services to you or analyze and improve the services we or they provide, or for other purposes that we identify at the time we collect the personal information from you.
  • Business partners. We may share personal information with our business partners. For example, we may share your personal information when our Website, Services, or other assets are integrated with the services of other parties, but only when you have been informed or would otherwise expect such sharing. Some of our products, such as Bill Pay and Spending Card, are offered to you through collaborations with other companies. We also use “punchout” integrations with certain third-party market providers to allow you to purchase their or their customers’ products and services. We share your personal information to facilitate these transactions.
  • Service providers. We share personal information with our service providers that perform services on our behalf. For example, we may use third parties to help us provide customer support, manage our advertisements on other sites, send marketing and other communications on our behalf, to complete purchase and order requests, or to assist with data storage and processing. We use a variety of service providers in connection with the Website and Services. We only share your personal information when you have been informed or would otherwise expect such sharing, such as for verification of authenticity, to provide our Services to you, to follow up on your inquiries, or as disclosed at the time the information is collected.
  • Process payments. We transmit your personal information via an encrypted connection to our payment processor.
  • Following the law or protecting rights and interests. We disclose your personal information if we determine that such disclosure is reasonably necessary to comply with the law, protect our or others’ rights, property, or interests, or to prevent fraud or abuse. In particular, we may disclose your personal information in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements. The laws regarding how this personal information may be used will vary by jurisdiction.
  • Advertising, measurement, and audience matching. We share personal information with third parties so we can provide you with tailored advertising for our business and measure and monitor its effectiveness. This includes:
    • Tracking technologies on our Website. Advertising and analytics partners place cookies, pixels, tags, and similar technologies on our Website that may collect device identifiers, IP address, browsing activity on our Website, and other online identifiers, and may combine that information with information they collect from other sources.
    • Hashed identifiers from form submissions. As described in Section 2, when you submit information through forms on our Website, we may transmit a hashed (one-way encrypted) version of personal information you provide — including your email address, phone number, and name — to our analytics and advertising partners for conversion measurement and audience matching.
    • Pseudonymized or hashed contact data for audience suppression and targeting. For example, we may share a hashed version of your email address with an advertising platform to avoid serving ads to people who already use our Services, or to reach audiences similar to our existing customers.

    Some U.S. state privacy laws may classify some or all of this activity as a “sale” of personal information, “sharing” of personal information, or processing for “targeted advertising.” Please see Sections 6 through 12 for information about how to opt out.

  • Business transfers. If we’re involved in a reorganization, merger, acquisition, or sale of some or all of our assets, your personal information may be transferred as part of that deal or the negotiation of contemplated deals.
  • To provide insights, metrics, and benchmarking data. We share personal information to provide insights, metrics, and information that other organizations, people, and companies may find useful as follows: to help promote or sell its own products or services; to provide market insights and economic data; or for other purposes we disclose to you at the time we collect the information. We only provide anonymized or anonymous aggregate data for such purposes unless we have your permission in advance or as otherwise disclosed at the time the information is collected.
  • For legal reasons. We may share your personal information with third parties for legal reasons without your consent, and as permitted by law, including: when we reasonably believe disclosure is required in order to comply with a subpoena, court order, or other applicable law, regulation or legal process; to protect our, our customers’, and others’ rights, property, or safety; to enforce, remedy, or apply our terms of service or other agreements; to detect or prevent fraud, cybersecurity attacks, or illegal activity; for debt collection; and with regulatory agencies, including government tax agencies, as necessary to help detect and combat fraud, or protect our customers, users, or as required for risk control programs.

6. Your rights and choices

  • Rights to access, update, change, or delete personal information. Where applicable law requires (and subject to any relevant exceptions under law), you may have the right to access, update, change, or delete your personal information. You can access, update, delete, or change your personal information directly in your Account or by contacting us at [email protected] to request the required changes. You can exercise your other rights (including deleting your Account) by contacting us at the same email address. Please note that we may need to verify your identity in connection with your requests, and such verification process may require you to provide us with additional information (e.g., government identification). Even if you have access to your Account, we may request additional information if we believe it’s necessary to verify your identity. If we are unable to verify your identity or request, we may not, in accordance with applicable law, be able to fulfill your request. Please note that, for technical reasons, there is likely to be a delay in deleting your personal information from our systems when you ask us to delete it. When we delete your personal information, it will no longer be retrievable. Please ensure you have exported or otherwise saved your personal information before you ask us to delete it.
  • Withdrawal of consent. If we rely on consent for the collection, use, or disclosure of your personal information, you have the right to withdraw it at any time and free of charge. When you do so, this will not affect the lawfulness of the collection, use, or disclosure of your personal information before your withdrawal of consent. If you wish to withdraw consent, please contact our Privacy Officer, or follow the instructions on opting-out of collection and use of your personal information through your Account. Please note that if you withdraw consent, certain features of the Service or your Account may not have full functionality because certain features rely on your personal information to work as intended.
  • Cookie and tracking technology choices. You can manage your cookie and tracking technology preferences at any time using the “Manage Cookies” or “Privacy Settings” link in the footer of our Website. You may also be able to opt out of certain interest-based advertising by visiting Network Advertising Initiative, Digital Advertising Alliance, or Your Online Choices, or by adjusting the settings in your browser or device. If you do not want us to transmit hashed identifiers from forms you submit to our analytics and advertising partners, you may opt out by using the preference controls available in your Account settings, by declining marketing consent when submitting forms, or by contacting our Privacy Officer. Please note that opting out may affect our ability to measure the effectiveness of our marketing to you.
  • Data processing and portability. Some jurisdictions’ laws may give you the right to restrict or object to the processing of your personal information or to exercise a right to data portability. If such rights apply to you, you may exercise them by contacting our Privacy Officer or following the instructions in your Account.
  • Commercial electronic messages. Like many other companies, we may ask you to sign up to receive emails and other Electronic Messages from us. If you no longer wish to receive those messages, you can opt-out by following the unsubscribe link in the messages or by contacting us.
  • Complaints. You may have the right to lodge a complaint with a competent supervisory authority, subject to applicable law.

7. Québec privacy statements

  • Québec residents. This section applies only to Québec residents. It describes how we collect, use, and share personal information of Québec residents in our capacity as an “enterprise” under the Act respecting the protection of personal information in the private sector (“Private Sector Act”) and your rights with respect to that personal information. For purposes of this section, the term “personal information” has the meaning given in the Private Sector Act but does not include information exempted from the scope of the Private Sector Act. Please note that we may claim legal exemptions for certain types of personal information from all or certain parts of the Private Sector Act. In some cases, we may provide a different privacy notice to certain categories of Québec residents, such as employees and job applicants, in which case that notice will apply instead of this section.
  • Data residency. Personal information may be communicated outside of Québec. Unless exempted under the Private Sector Act, prior to communicating personal information outside of the province we take into account (1) the sensitivity of the information, (2) the purposes for which it is to be used, (3) the protection measures that would apply to it, and (4) the legal framework applicable in the jurisdiction in which the information would be communicated, including the legal framework’s degree of equivalency with the personal information protection principles applicable in Québec. The information may be communicated if the assessment establishes that it would receive protection equivalent to that afforded under the Private Sector Act. We also ensure that where required under the Private Sector Act, the communication of the information is subject to a written agreement that takes into account the results of our assessment and, if applicable, the terms agreed on to mitigate the risks identified in the assessment.
  • De-indexing. Under certain conditions, you may have the right to have the personal information we make available about you through hyperlinks de-indexed or re-indexed with correct information. To exercise this right, please contact our Privacy Officer.
  • Portability. You may request portability of your personal information in a readily usable format. To make such a request, contact our Privacy Officer or access the settings available in your Account.
  • Access. You may request a copy of the personal information by contacting our Privacy Officer or accessing the settings available in your Account.
  • Correction. You can edit and correct your personal information at any time by changing it directly in our products and services or by contacting our Privacy Officer or accessing the settings available in your Account.
  • Withdraw consent. If we communicate your personal information with your consent, you can withdraw your consent at any time.
  • Third persons to whom we communicate your personal information. If applicable, you have the right to be given the name of the third person for whom your personal information is being collected, and the names of the third persons or categories of third persons to whom it is necessary to communicate the personal information for the purposes for which it was collected.
  • Automated decision-making. Where we act as a service provider or processor for a business customer that is responsible for providing notices and responding to automated decision-making or profiling requests under the Act, we will provide reasonable assistance to that customer, in accordance with our Data Processing Addendum, to help them meet their obligations. Individuals may request information about automated decisions that affect them and may request review of such decisions by contacting our Privacy Officer or, where we act as a processor, through your organization.

8. California privacy statements

  • California residents. This section applies only to California residents. It describes how we collect, use, and share personal information of California residents in our capacity as a “business” under the California Consumer Privacy Act (“CCPA”) and your rights with respect to that personal information. For purposes of this section, the term “personal information” has the meaning given in the CCPA but does not include information exempted from the scope of the CCPA. Please note that we may claim legal exemptions for certain types of personal information from all or certain parts of the CCPA. In some cases, we may provide a different privacy notice to certain categories of California residents, such as employees and job applicants, in which case that notice will apply instead of this section.
  • Personal information that we collect, use, and disclose. We summarize here the personal information we collect by reference to the categories of personal information specified in the CCPA and describe our practices currently and during the 12 months preceding the effective date of this Privacy Policy. Information you voluntarily provide to us, such as in webforms, may contain other categories of personal information not described in this chart.
  • Your California privacy rights. As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
    • Access. You may request that we provide the following information about how we have collected and used your personal information during the past 12 months:
      • the categories of personal information we have collected about you,
      • the sources from which that information was collected,
      • the business or commercial purpose for collecting, selling, or sharing your personal information,
      • the categories of personal information we shared or sold about you,
      • the categories of third parties to whom we shared or sold personal information about you,
      • the categories of personal information we disclosed for a business purpose, and
      • the categories of third parties to whom we disclosed personal information about you for a business purpose.
    • Request a copy of your personal information. You may request a copy of your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Correction. You can edit and correct your personal information at any time by changing it directly in our products and services.
    • Deletion. You may have the right, under certain circumstances, to request that we delete the personal information you have provided to us. You may delete your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Opt-out of Sales or Sharing. Like many companies, we use services that help deliver interest-based ads to you as described above. The CCPA may classify our use of some of these services as “sharing” your personal information with the advertising partners that provide the services. You can opt-out of the “sharing” of your personal information by visiting the “Your California Privacy Rights” link in the footer of our website. We honor recognized browser-based or device-based opt-out preference signals. If you have enabled such a signal, you will automatically be opted out of “sales” and “sharing” of your personal information when you interact with our Services.
    • Limit processing of sensitive personal information. We only use sensitive personal information as necessary for our (1) Service delivery and operations, (2) compliance and protection, (3) research and development, or (4) Service improvement and analytics purposes in accordance with CCPA. If we use sensitive personal information outside the permitted purposes of CCPA, we will provide you with the right to limit processing of sensitive personal information.
    • Non-discrimination. You have the right to be free from discrimination or retaliation related to your exercise of any of your California privacy rights.
    • Verification. To protect your personal information from unauthorized access or deletion, we may require you to verify your credentials before you can submit a rights request. If you do not have an account with us, or if we suspect your account has been accessed without your authorization, we may ask you to provide additional personal information for verification.
    • Authorized agents. You may use an authorized agent to submit a rights request. If you do so, the authorized agent must present signed written authorization to act on your behalf, and you will also be required to independently verify your own identity directly with us and confirm with us that you provided the authorized agent permission to submit the rights request. This verification process is not necessary if your authorized agent provides documentation showing that the authorized agent has power of attorney to act on your behalf under Cal. Prob. Code §§ 4121 to 4130.
    • Appeal. If we decline your request, you may appeal our decision by contacting our Privacy Officer. We will respond to your appeal within the timeframes required by applicable law. If your appeal is denied, you may contact the California Attorney General to submit a complaint.
  • Controller vs. service provider. When we process personal information on behalf of our business customers in connection with the Platform, we generally act as a ‘service provider’ or ‘processor’ under applicable US state privacy laws and process that information only on their instructions, consistent with our Data Processing Addendum. When we collect and use personal information for our own purposes, such as our Website analytics, marketing, or account management, we generally act as a ‘business’ or ‘controller’.

9. Colorado privacy statements

  • Colorado residents. This section applies only to Colorado residents. It describes how we collect, use, and share Personal Data of Colorado residents in our capacity as a business under the Colorado Privacy Rights Act (“CPA”) and your rights with respect to that Personal Data. For purposes of this section, the term “Personal Data” has the meaning given in the CPA but does not include information exempted from the scope of the CPA. Please note that we may claim legal exemptions for certain types of personal information and certain companies in our group of companies from all or certain parts of the CPA.
  • Your Colorado privacy rights. As a Colorado resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
    • Access. You may request a copy of your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Correction. You can edit and correct your personal information at any time by changing it directly in our products and services.
    • Deletion. You may have the right, under certain circumstances, to request that we delete the personal information you have provided to us. You may delete your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Opt-out of tracking for targeted advertising purposes. You can submit requests to opt-out of tracking for targeted advertising purposes by visiting the “Manage Cookies” link in the footer of our website. We honor recognized opt-out mechanisms recognized under Colorado law. We do not otherwise “sell” your Personal Data to third parties for monetary consideration.
    • Opt-out of profiling. You can opt-out of the automated processing of your Personal Data to evaluate, analyze, or predict personal aspects related to your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, to the extent this results in decisions that produce legal or similarly significant effects, including profiling carried out by AI features described in Section 4 (Artificial Intelligence and Automated Decision-Making) of this Privacy Policy.
    • Sensitive Personal Data. We will not process your sensitive personal data without your consent.
    • Non-discrimination. You have the right to be free from discrimination related to your exercise of any of your Colorado privacy rights.
    • Authentication. To protect your Personal Data from unauthorized access or deletion, we may require you to verify your credentials before you can submit a rights request. If you do not have an account with us, or if we suspect that your account has been accessed without your authorization, we may ask you to provide additional personal information for verification.
    • Appeal. If we decline your request to exercise your rights under the CPA, you may appeal our decision by contacting our Privacy Officer within a reasonable period after receiving our response. We will inform you in writing of any action taken or not taken in response to your appeal, including a written explanation of the reasons for the decision, within the timeframes required by the CPA. If your appeal is denied, you may contact the Colorado Attorney General to submit a complaint.

10. Connecticut privacy statements

  • Connecticut residents. This section applies only to Connecticut residents. It describes how we collect, use, and share Personal Data of Connecticut residents in our capacity as a business under the Connecticut Data Privacy Act (“CDPA”) and your rights with respect to that Personal Data. For purposes of this section, the term “Personal Data” has the meaning given in the CDPA but does not include information exempted from the scope of the CDPA. Please note that we may claim legal exemptions for certain types of personal information and certain companies in our group of companies from all or certain parts of the CDPA.
  • Your Connecticut privacy rights. As a Connecticut resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
    • Access. You may request a copy of your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Correction. You can edit and correct your personal information at any time by changing it directly in our products and services.
    • Deletion. You may have the right, under certain circumstances, to request that we delete the personal information you have provided to us. You may delete your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Opt-out of tracking for targeted advertising purposes. You can submit requests to opt-out of tracking for targeted advertising purposes by visiting the “Manage Cookies” or “Privacy Settings” link in the footer of our website. We do not otherwise “sell” your Personal Data to third parties for monetary consideration.
    • Opt-out of profiling. You can opt-out of the automated processing of your Personal Data to evaluate, analyze, or predict personal aspects related to your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, to the extent this results in decisions that produce legal or similarly significant effects, including profiling carried out by AI features described in Section 4 (Artificial Intelligence and Automated Decision-Making) of this Privacy Policy.
    • Sensitive Personal Data. We will not process your sensitive personal data without your consent.
    • Non-discrimination. You have the right to be free from discrimination related to your exercise of any of your Connecticut privacy rights.
    • Authentication. To protect your Personal Data from unauthorized access or deletion, we may require you to verify your credentials before you can submit a rights request. If you do not have an account with us, or if we suspect that your account has been accessed without your authorization, we may ask you to provide additional personal information for verification. If we are subsequently unable to confirm your identity, we may refuse your rights request.
    • Appeal. If we decline your request to exercise your rights under the CTDPA, you may appeal our decision by contacting our Privacy Officer within a reasonable period after receiving our response. We will inform you in writing of any action taken or not taken in response to your appeal, including a written explanation of the reasons for the decision, within sixty (60) days of receipt of your appeal. If your appeal is denied, you may contact the Connecticut Attorney General to submit a complaint.

11. Utah privacy statements

  • Utah residents. This section applies only to Utah residents. It describes how we collect, use, and share Personal Data of Utah residents in our capacity as a business under the Utah Consumer Privacy Act (“UCPA”) and your rights with respect to that Personal Data. For purposes of this section, the term “Personal Data” has the meaning given in the UCPA but does not include information exempted from the scope of the UCPA. Please note that we may claim legal exemptions for certain types of personal information and certain companies in our group of companies from all or certain parts of the UCPA.
  • Your Utah privacy rights. As a Utah resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
    • Confirmation of Processing. You have the right to know what Personal Data about you we collect, how we use the Personal Data, and whether we sell your Personal Data.
    • Access. You may request a copy of your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Portability. You may request portability of your personal information in a readily usable format. To make such a request, contact our Privacy Officer or access the settings available in your Account.
    • Deletion. You may have the right, under certain circumstances, to request that we delete the personal information you have provided to us. You may delete your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Opt-out of tracking for targeted advertising purposes and sales of Personal Data. You can submit requests to opt-out of tracking for targeted advertising purposes by visiting the “Manage Cookies” or “Privacy Settings” link in the footer of our website.
    • Opt-out of Sales or Sharing. Like many companies, we use services that help deliver interest-based ads to you as described above. The UCPA may classify our use of some of these services as “sharing” your personal information with the advertising partners that provide the services. You can opt-out of the “sharing” of your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Non-discrimination. You have the right to be free from discrimination related to your exercise of any of your Utah privacy rights.
  • Other U.S. State Privacy Laws. If you reside in a U.S. state with applicable consumer privacy legislation not specifically addressed above (such as Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, or Tennessee), you may exercise the rights available to you under such laws by contacting our Privacy Officer using the details in the “How to contact us” section below. We will respond to your request in accordance with the requirements of the applicable state law. Where such laws require an appeal process, you may appeal a denied request by contacting our Privacy Officer, and we will respond within the timeframes required by applicable law.

12. Virginia privacy statements

  • Virginia residents. This section applies only to Virginia residents. It describes how we collect, use, and share Personal Data of Virginia residents in our capacity as a business under the Virginia Consumer Data Protection Act (“VCDPA”) and your rights with respect to that Personal Data. For purposes of this section, the term “Personal Data” has the meaning given in the VCDPA but does not include information exempted from the scope of the VCDPA. Please note that we may claim legal exemptions for certain types of personal information and certain companies in our group of companies from all or certain parts of the VCDPA.
  • Your Virginia privacy rights. As a Virginia resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
    • Access. You may request a copy of your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Correction. You can edit and correct your personal information at any time by changing it directly in our products and services.
    • Deletion. You may have the right, under certain circumstances, to request that we delete the personal information you have provided to us. You may delete your personal information by contacting our Privacy Officer or accessing the settings available in your Account.
    • Opt-out of tracking for targeted advertising purposes. You can submit requests to opt-out of tracking for targeted advertising purposes by visiting the “Manage Cookies” or “Privacy Settings” link in the footer of our website.
    • Opt-out of profiling. You can opt-out of the automated processing of your Personal Data to evaluate, analyze, or predict personal aspects related to your economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, to the extent this results in decisions that produce legal or similarly significant effects, including profiling carried out by AI features described in Section 4 (Artificial Intelligence and Automated Decision-Making) of this Privacy Policy.
    • Sensitive Personal Data. We will not process your sensitive personal data without your consent.
    • Non-discrimination. You have the right to be free from discrimination related to your exercise of any of your Virginia privacy rights.
    • Authentication. To protect your Personal Data from unauthorized access or deletion, we may require you to verify your credentials before you can submit a rights request. If you do not have an account with us, or if we suspect that your account has been accessed without your authorization, we may ask you to provide additional personal information for verification.

13. United Kingdom (UK) and European Economic Area (EEA) privacy statements

  • Personal information. References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European Union and UK data protection laws. Essentially, “personal data” is information about an individual, where that individual is either directly identified or can be identified. It does not include ‘anonymous data’ (i.e., information where the identity of an individual has been permanently removed).
  • Legal basis of processing. We use your personal information only as permitted by law. Applicable EEA and UK data protection law requires us to have a “legal basis” for each purpose for which we collect your personal information. Below we describe the legal bases we rely on for each category of processing activity.
    Processing Purpose Legal Basis
    Account creation and management: To create, manage, and authenticate your Account and provide you with access to our Services. Performance of a contract: This processing is necessary to perform our contract with you to provide the Services you have requested.
    Service delivery and operations: To provide, maintain, and operate our Website and Services, including processing transactions, providing customer support, and delivering product features. Performance of a contract: This processing is necessary to perform our contract with you to provide the Services.
    Communication about the Services: To send you service-related communications, such as confirmations, invoices, technical notices, updates, security alerts, and administrative messages. Performance of a contract: This processing is necessary to perform our contract with you. Legitimate interests: We have a legitimate interest in communicating with you about the Services you use.
    AI-powered features and automated processing: To provide AI-powered features within our Services, including automated data extraction, pattern recognition, fraud detection, and AI-generated recommendations. Performance of a contract: This processing is necessary to provide the AI-powered features included in the Services. Legitimate interests: We have a legitimate interest in developing and improving our AI capabilities to enhance our Services.
    Improvement and development: To analyze usage, evaluate, and improve our Website and Services, develop new products and features, and conduct research and analytics. Legitimate interests: We have a legitimate interest in understanding how our Services are used and in improving and developing our products and services.
    Personalization: To personalize your experience with our Services and to provide content and features tailored to your interests and preferences. Legitimate interests: We have a legitimate interest in providing a personalized experience to enhance our Services. Consent: Where required by law, we obtain your consent for certain personalization activities.
    Marketing and advertising: To send you marketing communications about our products, services, offers, and events, and to deliver interest-based advertising. Consent: We rely on your consent to send you marketing communications and to use your personal information for targeted advertising, where required by law. Legitimate interests: Where permitted by law, we rely on our legitimate interest in promoting our products and services.
    Security and fraud prevention: To protect the security of our Website and Services, detect and prevent fraud, unauthorized access, and other malicious activity. Legitimate interests: We have a legitimate interest in ensuring the security and integrity of our Services and in preventing fraud.
    Compliance and legal obligations: To comply with applicable laws, regulations, legal processes, and government requests, and to establish, exercise, or defend legal claims. Legal obligation: This processing is necessary to comply with our legal obligations. Legitimate interests: We have a legitimate interest in establishing, exercising, or defending legal claims.
    De-identification and aggregation: To de-identify, anonymize, or aggregate your personal information for research, analytics, benchmarking, and AI model training purposes. Legitimate interests: We have a legitimate interest in creating de-identified and aggregated data for research, analytics, and product improvement, including AI training, in ways that do not identify you.

    Where we rely on legitimate interests as the legal basis for processing, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests, as described below. Where we rely on our legitimate interests, these may include improving and securing our Services, developing and training our AI models and Advanced AI Features using de-identified data, and preventing fraud and abuse, in each case subject to safeguards designed to protect your rights and freedoms.

    Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

  • Credit, spending, or debit cards. For residents in the UK searching for a credit card, spending card, or a loan or credit product through our Services, we may share your personal information, including your contact details, date of birth, as well as the information you give us about your employment, income, and housing and employment expenses with third parties to determine your eligibility.
  • Your privacy rights. If you are a resident of the UK or EEA, you may have the following rights and choices:
    • Update your privacy settings. You may update your privacy settings by visiting your account settings.
    • Access, correction, or deletion. You may request to access, to correct, or to delete your personal information by contacting our Privacy Officer or accessing the settings available in your Account. You can edit and correct your personal information at any time by changing it directly in our products and services. Please note that even if you request for your personal information to be deleted, certain aspects may be retained for us to: meet our legal or regulatory compliance (e.g. maintaining records of transactions you have made with us); exercise, establish or defend legal claims; and to protect against fraudulent or abusive activity on our Service. Data retained for these purposes will be handled as described in our Privacy Policy sections on data retention.
    • Objection and restriction. You may object to our processing of your personal information or ask us to restrict processing of your personal information.
    • Portability. You may request portability of your personal information.
    • Withdraw consent. If we process your personal information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
    • File a complaint. You have the right to file a complaint with a supervisory authority about our collection and processing of your personal information. For UK residents, you may contact the Information Commissioner’s Office (ICO). For EEA residents, you can find your data protection regulator at the European Data Protection Board website.
    • Manage marketing communications from us. To update your marketing communication preferences, you can go to the marketing preference tools in your account settings or contact our Privacy Officer.
    • Cookies and other tracking technologies. You may be able to opt-out of interest-based advertising by visiting Network Advertising Initiative or Your Online Choices or by contacting our Privacy Officer or accessing the settings available in your Account.
  • International data transfers. We reserve the right to store and process your personal information in the United States and in any other country where we or our affiliates, subsidiaries, or service providers operate facilities in accordance with and as permitted by applicable laws and regulations. Some of these countries may have data protection laws that are different from the laws of your country (and, in some cases, may not be as protective). When we transfer, store, or process personal information outside of your jurisdiction (including to or in the United States, as described above), we take appropriate safeguards to require that your personal information remain protected in accordance with this Privacy Policy and applicable law. If you are a resident of the UK or the EEA, please note that we maintain servers in the United States and your personal information may be stored there and could, in extraordinary circumstances, become subject to orders for disclosure under United States national security and intelligence laws. While it is our practice, if we receive a request for disclosure of personal information by any law enforcement agency, to ask for the judicial order regarding the request and to limit the disclosure to the minimal amount needed to comply, we cannot guarantee how law enforcement agencies will use the personal information we are compelled to share. Some of these recipients of your personal information are located in countries for which the European Commission or UK Government (as and where applicable) have issued adequacy decisions, which means that these countries are recognized as providing an adequate level of data protection under applicable UK or European data protection laws and the transfer is therefore permitted under Article 45 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”). Other recipients of your personal information are located in countries outside the EEA or the UK that are not the subject of an adequacy decision (for example, the United States). In these cases, we may use the Standard Contractual Clauses approved by the European Commission or, as may be applicable, the International Data Transfer Agreement approved by the UK Government, to help ensure your personal information is protected. For more information on the transfer safeguards we rely on, please contact us by using the details in the “How to contact us” section below.
  • UK and EEA legal representative. If you have questions or concerns that have not been addressed by this Privacy Policy, you can contact our Data Protection Officer by writing to [email protected].

14. Brazil privacy statements

  • Legal Basis of Processing. We use your personal information only as permitted by applicable Brazilian data protection law, including the Lei Geral de Proteção de Dados Pessoais (LGPD). The LGPD requires us to have a “legal basis” for each purpose for which we process your personal information. Below we describe the legal bases we rely on for each category of processing activity.
    Processing Purpose Legal Basis (LGPD Article 7)
    Account creation and management: To create, manage, and authenticate your Account and provide you with access to our Services. Execution of a contract or preliminary procedures (Article 7, V): This processing is necessary to perform our contract with you or to take steps at your request prior to entering into a contract.
    Service delivery and operations: To provide, maintain, and operate our Website and Services, including processing transactions, providing customer support, and delivering product features. Execution of a contract (Article 7, V): This processing is necessary to perform our contract with you to provide the Services.
    Communication about the Services: To send you service-related communications, such as confirmations, invoices, technical notices, updates, security alerts, and administrative messages. Execution of a contract (Article 7, V): This processing is necessary to perform our contract with you. Legitimate interests (Article 7, IX): We have a legitimate interest in communicating with you about the Services you use.
    AI-powered features and automated processing: To provide AI-powered features within our Services, including automated data extraction, pattern recognition, fraud detection, and AI-generated recommendations. Execution of a contract (Article 7, V): This processing is necessary to provide the AI-powered features included in the Services. Legitimate interests (Article 7, IX): We have a legitimate interest in developing and improving our AI capabilities.
    Improvement and development: To analyze usage, evaluate, and improve our Website and Services, develop new products and features, and conduct research and analytics. Legitimate interests (Article 7, IX): We have a legitimate interest in understanding how our Services are used and in improving our products and services.
    Marketing and advertising: To send you marketing communications about our products, services, offers, and events, and to deliver interest-based advertising. Consent (Article 7, I): We rely on your consent to send you marketing communications and to use your personal information for targeted advertising.
    Security and fraud prevention: To protect the security of our Website and Services, detect and prevent fraud, unauthorized access, and other malicious activity. Legitimate interests (Article 7, IX): We have a legitimate interest in ensuring the security of our Services and preventing fraud. Fraud prevention (Article 7, VI): This processing is necessary for the regular exercise of rights in judicial, administrative, or arbitration procedures, including fraud prevention.
    Credit protection: To protect credit, including in connection with credit analysis and risk assessments related to our Services. Credit protection (Article 7, X): This processing is necessary for credit protection, in accordance with applicable law.
    Compliance and legal obligations: To comply with applicable laws, regulations, legal processes, and government requests, and to establish, exercise, or defend legal claims. Legal or regulatory obligation (Article 7, II): This processing is necessary to comply with our legal or regulatory obligations. Regular exercise of rights (Article 7, VI): This processing is necessary for the regular exercise of rights in judicial, administrative, or arbitration procedures.
    De-identification and aggregation: To de-identify, anonymize, or aggregate your personal information for research, analytics, benchmarking, and AI model training purposes. Legitimate interests (Article 7, IX): We have a legitimate interest in creating de-identified and aggregated data for research, analytics, and product improvement, including AI training, in ways that do not identify you. Note: Anonymized data is not considered personal data under the LGPD (Article 12).

    Where we rely on legitimate interests as the legal basis for processing, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms, taking into account your reasonable expectations based on your relationship with us.

    Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

  • Sharing with Credit Bureaus. If you are located in Brazil and have requested the canceling of your registration on each of our partners as allowed by Brazilian Federal Law No. 12,414/2011, we will not be able to provide you any more personalized recommendations based on your credit profile.
  • De-identified and anonymized data. Where we create de-identified or anonymized AI Training Data from personal data in accordance with the LGPD, such anonymized data is no longer considered personal data under the LGPD and may be used for research, analytics, and AI model development, provided we maintain safeguards designed to prevent re-identification.
  • Rights and Choices. If you are a resident of Brazil, you may have the following rights and choices:
    • Update your privacy settings. You may update your privacy settings by visiting your account settings or contacting us.
    • Manage marketing communications from us. To update your marketing communication preferences, you can go to the marketing preference tools in your account settings or contact us.
    • Access, Correction, Anonymization or Deletion. You may request to access, to correct, to anonymize or to delete your personal information. You may request a copy of your personal information in your account or by contacting us. You can edit and correct your personal information at any time by changing it directly in our products and services. You may request that we delete or anonymize your personal information in your account or by contacting us. Where we make decisions solely on the basis of automated processing that affect your interests, you may request a review of such decisions in accordance with applicable Brazilian data protection law. You may exercise this right by contacting us as described in the “How to contact us about privacy questions” section and, where we act as a processor on behalf of your organization, we will cooperate with that organization in handling your request.
    • Objection and Restriction. You may object to our processing of your personal information or ask us to restrict processing of your personal information. You may request objection, restriction, and portability rights by contacting us.
    • Portability. You may request portability of your personal information. Personal information of individuals in Brazil may be transferred to and processed in other countries, including Canada and the United States, as described in the “Where we may store and process your information” and “International data transfers” sections of this Privacy Policy, and such transfers are carried out in accordance with applicable LGPD requirements.
    • Withdraw Consent. If we have collected and processed your personal information with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
    • File a complaint. You have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD), Brazil’s national data protection authority, about our collection and processing of your personal information. You can contact the ANPD at www.gov.br/anpd.

15. Mexico privacy statements

  • ARCO Rights. If you are a resident of Mexico, you may have the choices and rights we go over in this section, known as “ARCO rights”. Please note that we are required to verify your request prior to exercising your rights. After we have received a request, our response will indicate whether the request for access, rectification, cancellation, or opposition is appropriate and, if so, the determination will be made within 15 business days from such date. The deadlines may be extended under the terms set out in the applicable laws.
    • Access. You have the right to know what personal data we have about you, what we use it for and the conditions of use we give to it. Electronic copies of your personal data will be provided if you exercise your right of access. You may request a copy of your personal information in your account or by contacting us. When making a request, please provide a clear and precise description of the personal data you wish to access any other element that facilitates the location of your data.
    • Rectification. You have the right to request the correction of your personal data if it is outdated, inaccurate, or incomplete. You can edit and correct your personal information at any time by changing it directly in our products and services.
    • Deletion/Cancellation. You have the right to request that we remove your personal information from our records or databases when you consider that it is not being used in accordance with the principles, duties, and obligations provided for in the applicable laws. You may request for us to delete your personal information in your account or by contacting us. When making a request, please provide a clear and precise description of the personal data you wish to delete/cancel or any other element that facilitates the location of your data.
    • Opposition/Rejection. You have the right to oppose the use of your personal data for specific purposes. You may request objection, restriction, and portability rights by contacting us. When making a request, please provide a clear and precise description of the personal data you wish to oppose, or any other element that facilitates the location of your data.
    • Update your privacy settings. You may update your privacy settings by visiting your account settings or contacting us.
    • Manage marketing communications from us. To update your marketing communication preferences, you can go to the marketing preference tools in your account settings or contact us.
  • How to limit the use and disclosure of your personal information. If you are a resident of Mexico, you also have the right to limit the use or disclosure of your personal information or may withdraw your consent for our processing of your personal information by contacting us.
  • International transfers and security incidents. Personal information we collect in Mexico may be transferred to and processed in other countries, including Canada and the United States, as described in the “Where we may store and process your information” and “International data transfers” sections of this Privacy Policy. Such transfers are carried out in accordance with applicable Mexican data protection law. Where required by applicable Mexican data protection law, if we become aware of a security breach that significantly affects your pecuniary or moral rights, we will notify you so that you may take appropriate measures.
  • Automated processing. If we use automated processing, including AI-powered features, that significantly affects you in the context of our Services, we will provide information about such processing in accordance with applicable Mexican data protection law, and you may exercise your ARCO rights as described in this section.
  • Complaints. If you are a resident of Mexico and believe your data protection rights have been violated, you have the right to file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) at www.inai.org.mx.

16. Australia privacy statements

  • Australian residents. This section applies only to Australian residents. It describes how we collect, use, and share personal information of Australian residents in our capacity as an “APP entity” under the Privacy Act 1988 (Cth) (“Australian Privacy Act”) and your rights with respect to that personal information. For purposes of this section, the term “personal information” has the meaning given in the Australian Privacy Act but does not include information exempted from the scope of the Australian Privacy Act. Please note that we may rely on exemptions available under the Australian Privacy Act for certain types of personal information or in certain circumstances.
  • Collection and notification. We collect personal information only by lawful and fair means and, where it is reasonable and practicable to do so, directly from you. Where we collect personal information about you from third parties, we take reasonable steps to ensure you are made aware of the matters set out in this Privacy Policy, unless you have already been informed or the collection is required or authorized by law. We collect personal information that is reasonably necessary for one or more of our functions or activities as described in the “How do we use your personal information?” section of this Privacy Policy.
  • Use and disclosure. In general, we use personal information of Australian residents for the primary purpose of providing and operating our Services, and for related secondary purposes that would be reasonably expected in the context of our relationship with you, including to improve, secure, and enhance our AI-powered features, fraud detection capabilities, and analytics, in accordance with the Australian Privacy Principles. We only use or disclose your personal information for the primary purpose for which it was collected, for a secondary purpose that is related to the primary purpose (or, in the case of sensitive information, directly related to the primary purpose) and within your reasonable expectations, where you have consented to the use or disclosure, or as otherwise permitted or required by law.
  • Cross-border disclosure. We may disclose your personal information to recipients located outside Australia, including in Canada, the United States, and other countries where we, our affiliates, or our service providers maintain operations, as described in the “Where we may store and process your information” section of this Privacy Policy. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information, unless an exception under the Australian Privacy Act applies (for example, where you have consented to the disclosure after being expressly informed that the overseas recipient may not be required to comply with the Australian Privacy Principles, or where the recipient is subject to a law, binding scheme, or contract that has the effect of protecting the information in a way that, overall, is at least substantially similar to the Australian Privacy Principles).
  • Data quality. We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant, having regard to the purpose of the use or disclosure. You can help us maintain accurate and up-to-date records by notifying us of any changes to your personal information.
  • Data security. We take reasonable steps to protect your personal information from misuse, interference, and loss, and from unauthorized access, modification, or disclosure. We also take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed for any purpose for which it may be used or disclosed under the Australian Privacy Act.
  • Your Australian privacy rights. If you are an Australian resident, you may have the following rights:
    • Access. You have the right to request access to the personal information we hold about you. To request access, please contact our Privacy Officer. We will respond to your request within a reasonable period after the request is made. We may charge a reasonable fee for providing access to reflect the costs of locating, retrieving, and supplying the information, but we will not charge for making the request. In some circumstances, we may refuse to provide access, such as where giving access would have an unreasonable impact on the privacy of others, where the request is frivolous or vexatious, where legal proceedings are ongoing, or where providing access would be unlawful.
    • Correction. You have the right to request the correction of your personal information if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading. To request correction, please contact our Privacy Officer or update your information directly through your Account. If we refuse to correct your personal information, we will give you written reasons for our refusal and information about how you may complain about the refusal. If we refuse to correct your personal information as requested, you may request that we associate a statement with the information that you believe it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
    • Complaints. If you believe that we have breached the Australian Privacy Principles or have a complaint about our handling of your personal information, please contact our Privacy Officer in the first instance. We will acknowledge your complaint in writing and investigate the matter within a reasonable period. If you are not satisfied with our response to your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
    • Anonymity and pseudonymity. Where it is lawful and practicable, you have the option of not identifying yourself or of using a pseudonym when dealing with us. However, if you do not provide us with certain personal information, we may not be able to provide you with our Services or respond to your requests.
  • Eligible data breach notification. Where we are aware of an eligible data breach (within the meaning of the Australian Privacy Act) involving your personal information that is likely to result in serious harm to you, we will notify you and the OAIC as soon as practicable, in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Australian Privacy Act. Our notification will include a description of the data breach, the kinds of information involved, and recommendations about the steps you should take in response to the breach. We also cooperate with our business customers to enable them to meet their breach notification obligations under the Australian Privacy Act.
  • Contact. If you have any questions about this Privacy Policy or wish to make a privacy-related request or complaint, please contact [email protected].

17. Please use caution when posting on the public areas or features of our Website and Services

You may be able to post or make public communications on certain areas of our Website or Services, such as comments and questions fields, discussion forums, in-Platform communication functions, and other public discussion mechanisms. These kinds of communications are made at your own risk. Although we may monitor or even control these types of public posts, we are under no obligation to do so. We also cannot control the actions of other users of the Website or Services, including how they will use your public posts and any personal information you include in them. We cannot and do not guarantee that unauthorized persons will not view your public posts or respect your privacy.

18. Where we may store and process your information

We are based out of Canada, but we may process, store, and transfer personal information in Canada or elsewhere. For example, we could use third-party service providers, such as managed hosting providers, credit card processors, customer relationship management (CRM) systems, and technology partners to provide the necessary software, networking, infrastructure, and other services that we use to operate the Website and Services. These third-party providers may process or store personal information on servers outside of Canada.

Locations other than Canada may have different privacy laws, which may be more or less protective. If we move personal information to a location other than Canada, the governments, courts, law enforcement, or regulatory agencies of that country may have access to your personal information through their laws. In addition to Canada, your personal information may be collected, used, disclosed, or stored for any purpose stated in this Privacy Policy in the United States.

19. How do we keep your personal information secure?

We follow industry standards on information security management to safeguard sensitive information, such as financial information, intellectual property, and any other personal information entrusted to us. Our information security systems apply to people, processes, and information technology systems on a risk management basis. No method of transmission over the Internet, or method of electronic storage, is completely secure. Therefore, we cannot guarantee the absolute security of your personal information. You can find out more about how we protect your personal information at www.procurify.com/security-overview. Where required by applicable law (including PIPEDA and the Québec Act respecting the protection of personal information in the private sector), if we determine that a breach of security safeguards involving your personal information presents a real risk of significant harm (or a risk of serious injury), we will notify you and any applicable privacy regulator as soon as feasible, and we will cooperate with our business customers to enable them to meet their breach notification obligations.

20. How long do we keep your personal information?

In general, we keep your personal information throughout your relationship with us. Once you terminate your relationship with us, we will continue to store archived copies of your personal information for legitimate business purposes in accordance with applicable laws, like defending or enforcing a contractual claim, for audit purposes, to resolve disputes, and to comply with the law. We will continue to store anonymous or anonymized information, such as website visits, without identifiers, to improve our Website and Services. There may be occasions where we are unable to fully delete, anonymize, or de-identify your personal information due to technical, legal, regulatory compliance, or other operational reasons. Where this is the case, we will take reasonable measures to securely isolate your personal information from any further processing until such time as we are able to delete, anonymize, or de-identify it.

21. Children and privacy

Our Website and its features and the Services are not meant for children under 13 years of age. If you are under 13 years old, please do not give us your personal information. If you are the parent or guardian of someone under 13 years of age, please do not give us personal information of that person.

22. How to contact us about privacy questions

If you have a question or a concern about our Privacy Policy or your personal information, please get in touch with us. For GDPR purposes, our data protection officer is Amy Wang and may be contacted at [email protected].

23. Changes to our Privacy Policy

We may update this Privacy Policy from time to time to reflect, for example, changes to our privacy practices or for other operational, legal, or regulatory reasons. If we make material changes to this Privacy Policy, we will give you notice of such changes by posting the revised policy on our Website, and where appropriate, by other means. By continuing to use the Website or the Services after these changes are posted, you agree to the revised policy.

Procurement benchmark report preview showing PunchOut catalog adoption rate by industry

$30B+ in real spend data you won’t get anywhere else

Find out what it takes to move from reactive to AI-driven operations.

Download the report