Privacy Policy
Last updated: May 17, 2026
ApproveExpense ("we", "us", "our") provides expense submission, approval, and reimbursement-export software to businesses ("Customers") and their personnel ("Users"). This Privacy Policy explains exactly what information we collect, where it is stored, how long we keep it, and the choices Users have. It is written to match how the service actually works.
1. Information we collect
- Account data — name, work email, password hash (managed by our authentication provider), avatar (optional), company affiliation, and one or more roles per company (employee, approver, accountant, admin). A small number of accounts may additionally hold a superadmin role used only to operate the service.
- Company data — company name, public handle, logo, plan tier and cadence, Stripe customer and subscription identifiers, AI add-on quota and usage counters, trial expiration.
- Expense data — amounts, currencies, dates, merchants, categories, descriptions, approval decisions, rejection notes, per-item approval timestamps, and the user IDs of submitter and approver.
- Receipt files — images and PDFs you upload as proof of expense. Stored in a private object storage bucket; access is granted only through short-lived signed URLs (5-minute expiry) generated for authenticated members of the same company.
- Email logs — for each transactional or authentication email we send, we record the recipient address, template name, send status, and any error returned by the email provider. We do not store the rendered email body.
- Payment data — handled entirely by Stripe. We store only the Stripe customer ID, subscription ID, price ID, status, and current period boundaries. We never see or store full card numbers.
- Usage and security data — server logs (request paths, status codes, timing), authentication events, IP address at sign-in, and basic device/browser metadata.
2. How we use information
- Operate the service: authentication, expense submission, approval routing, reporting, and CSV/PDF export.
- Bill Customers and meter the optional AI receipt scanning add-on.
- Send transactional notifications (email verification, password reset, invites, report decisions).
- Protect the service against fraud, abuse, and unauthorized access.
- Comply with legal obligations and enforce our Terms of Use.
We do not sell personal information. We do not use Customer Data to train general-purpose machine-learning models or for advertising.
3. AI receipt scanning
If a Customer enables the optional AI receipt scanning add-on, receipt images are sent to our AI gateway, which routes the request to a third-party model provider for the sole purpose of extracting structured fields (merchant, date, amount, currency). The extracted fields are returned to the User for review before being saved. Extracted values are treated as Customer Data under this Policy. The User must verify the extracted values before submission; the service is not liable for unreviewed AI output.
4. Sub-processors
We rely on a small set of vetted vendors to operate the service. Each processes Customer Data only on our instructions.
- Cloud database, authentication, and object storage — Supabase (PostgreSQL, Auth, Storage).
- Hosting and edge delivery — Cloudflare.
- Payments — Stripe.
- Email delivery — our managed email infrastructure operated by Lovable, which delivers via an upstream email provider on our behalf.
- AI receipt extraction — Lovable AI Gateway, which proxies to third-party model providers (e.g., Google, OpenAI) for the AI add-on only.
- Bot protection — Cloudflare Turnstile, used on public forms.
5. Sharing within a Customer's account
Within a Customer's tenant, data is shared strictly according to role. Row-level security in our database enforces that:
- Employees see only their own expenses and reports.
- Approvers and accountants see expenses and reports for the company they belong to, scoped to their assigned duties.
- Admins see and manage all company data, members, billing, and branding.
- Users from one Customer cannot see data belonging to another Customer.
6. Legal disclosure
We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of ApproveExpense, our Customers, or the public.
7. Data retention
The following schedule applies by default:
- Expense records, reports, and approval decisions — retained for 7 years after creation, to support Customer tax-record obligations. Customers may request earlier deletion of items not yet final.
- Receipt files — retained alongside the expense they back, for the same 7-year period. Orphaned uploads (no expense saved) are removed within 30 days.
- Email send logs — retained for 180 days, then purged. Suppression records (bounces, complaints, unsubscribes) are retained while the address remains suppressed.
- Authentication and server access logs — retained for up to 90 days.
- Operational incident logs (webhook failures, queue dead-letters) — retained for 90 days.
- Account and company records after termination — billing-related records (Stripe customer, invoices) retained for 7 years for tax/accounting compliance. Other Customer Data is deleted within 30 days of termination, unless the Customer requests an export window or a longer retention.
- Backups — encrypted point-in-time backups may retain copies of deleted data for up to 30 days before they cycle out.
Customers may request earlier deletion at any time, subject to legal, regulatory, or tax retention obligations that override deletion requests.
8. Security
- All traffic is encrypted in transit with TLS.
- Passwords are stored only as salted hashes by our authentication provider; we check submitted passwords against the HaveIBeenPwned breach corpus and reject known-leaked passwords.
- Database access is gated by row-level security policies enforcing per-company isolation.
- Receipt files are private and accessed only via short-lived signed URLs.
- Service-role credentials are never shipped to the browser; they run only in server functions.
- Public forms are protected by Cloudflare Turnstile to deter automated abuse.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. Your rights and choices
Depending on where you live, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. Users can update their profile and avatar directly in the product, and can unsubscribe from non-essential email via the link in any such message. Transactional emails (security, billing, approval) cannot be unsubscribed because they are required to operate the service. To exercise a right that the product UI does not expose, contact us at the address below; we will respond within 30 days.
10. International transfers
Our infrastructure and sub-processors may process data in the United States and other countries. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.
11. Children
The service is intended for business use and is not directed to individuals under 16. We do not knowingly collect personal information from children.
12. Changes
We may update this Policy from time to time. Material changes will be communicated via the product or by email to the Customer admin. The "Last updated" date at the top reflects the latest revision.
13. Contact
Questions about this Policy, sub-processors, or to exercise a data right, email privacy@approveexpense.com.
