Last Updated: September 27, 2018
- We collect offline;
- Collected on any third party apps, services or websites, including websites you may access through the Services; or
- You provide to, or that is collected by, any third party data controller.
Those third parties may have their own privacy policies, which we encourage you to read before providing information to or through them. We do not accept any responsibility or liability for their privacy policies or any information you provide to or through them.
Please note that if you choose not to provide us with your information, we may not be able to provide some or all of the Services or respond to your other requests.
2. DATA CONTROLLER
A “data controller” is a person or organization who alone (or jointly) determines the purposes for which, and the way that, any personal information is, or is likely to be, processed. Your Company is the data controller of your personal information that we process through the Platform at your Company’s direction. Gorilla Expense is the data controller of your personal information collected through or otherwise provided to the Sites.
3. Information We Collect and How We Collect It
3.1. Categories of Information
When you use the Services, the categories of personal information about you that we collect may include:
- your contact information (such as your name, work email address and telephone number)
- your business information (such as the name, size and location of your Company)
- your employment information (such as your employee identification number and cost center)
- other personal profile information (such as your travel preferences)
- travel and expense-related information (such as copies of receipts and itineraries)
- your corporate card information
- your mobile device and (when enabled) your location information
- other information provided by third parties (including travel management companies and your Company)
- any information you may choose to provide when you engage the chat feature available through the Services or fill out a “free text” box on forms available through the Services (for example, your comments and opinions that you express when you comment on a blog post or other content posted through the Services, or when you contact us by email, mail or phone).
We may collect your personal information when you provide it to us directly or when your Company provides it to us on your behalf.
The table in Attachment 1 further sets forth the categories of information we collect about you when you use the Services and how (for which purpose) we use that information. The table also lists the legal basis which we rely on to process the information.
3.2. Information You Provide to Us
When you download, register with, access or use the Services, or when you otherwise contact us, we may ask you to provide, or you may voluntarily provide, information, including personal information, to provide you with Services or the support you request.
- Account information: A Gorilla Expense account is required for certain features of the Services. If you register for a Gorilla Expense account, we may require certain information, such as your first and last name, email address, and password.
- Payment information: When you use our Services to make, accept, request, or record payments, we may require you to provide certain billing details, contact information (e.g., your name, business name, address, email address, and phone number), financial information corresponding to the selected Services (e.g., a credit card number and expiration date or a bank account number), and in some instances identification information (e.g., date of birth, social security number, or tax identification number).
- Additional Profile Information: You may choose to provide us certain additional information as part of your Gorilla Expense account profile.
- Other Information You Provide: You may choose to voluntarily provide additional information to us (for example, by filling out and submitting online and other forms for events, webinars, or whitepapers; responding to surveys; participating in contests, promotions or other marketing activities; providing suggestions or improvements; posting content via our sites or applications; or which you otherwise choose to submit through the Services).
3.3. Information Automatically Collected and Tracked
When you download, access, or use the Services, they may use technology to automatically collect information, including personal information, about the Services and how you use them.
- Usage Details. When you access and use the Services, we may automatically collect certain details of your access to and use of the Services, including traffic data, location data, logs, and other communication data and the resources that you access and use on or through the Services.
- Device Information. We may collect information about your device (mobile, computer or otherwise) and internet connection, including the device’s unique device identifier, IP address, operating system, browser type, mobile network information, and the device’s telephone number.
- Stored Information and Files. The Services also may access metadata and other information associated with other files stored on your device.
- Location Information. The Services may collect information about the location of your device.
- Behavioral Information. We also may use technologies to collect information about your activities over time and across third-party websites, apps, or other online services (i.e., behavioral or interest-based tracking).
- Transaction Information. When you use our Services to make, accept, request, or record payments, we collect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment or transfer amounts, billing and shipping information, the devices and payment methods used to complete the transactions, and other related transaction details.
The technologies we use for automatic information collection may include:
- Web Beacons. Certain pages or sites in the Services and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related app statistics (for example, recording the popularity of certain app content and verifying system and server integrity).
- Flash Local Shared Objects (LSOs). When we post videos or other media on the Services, third parties may use local shared objections (LSOs), also known as Flash cookies, to store your choices for things like volume control or to further personalize certain features. Cookie management tools provided by your browser will not delete Flash cookies. To learn how to manage privacy and storage setting for Flash cookies, visit macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117118.
We use the information collected automatically to present the Services to you on your device; to determine news, alerts and other products and services that may be of interest to you for marketing purposes; to monitor, support and improve the Services and our business; and to help us develop new products and services. The table in Attachment 2 further sets forth the categories of information we collect about you automatically when you use the Services and how (for which purpose) we use that information. The table also lists the legal basis which we rely on to process the information.
3.4. Information We Collect from Third Parties
We may collect information, including personal information, that others provide about you when they use the Services, or obtain information from other sources (including social media networks) and combine that with information we collect through the Services. Any information request regarding the disclosure of your personal information to us should be directed to such third parties.
- Third Party Services. When you use the Services or any content made available through the Services, certain third parties may use automatic information collection and tracking technologies to collect information about you or your device. These third parties may include advertisers, ad networks, and ad servers; analytics companies; your mobile device manufacturer; your mobile service provider; and other third parties. We do not control third parties’ collection or use of your information to serve interest-based advertising. This information varies and is controlled by those third party services or as authorized by you via your privacy settings with those services.
- Marketing Service Providers/Business Partners. We may also receive information collected by our marketing service providers on our behalf, including marketing lead generation service providers, marketing opt-in lists or other data aggregators, as well as information shared with us through referrals by our business partners, such as travel management companies.
- Other Sources. To the extent permitted by applicable law, we may receive additional information about you, such as demographic data, identity or account verification information, or fraud detection information, from third party service providers and/or partners, and combine it with information we have about you.
4. How We Use Your Information
We generally rely on the following three main bases to process your personal information:
- for our legitimate interests or those of a third party, where your rights and interests do not override those interests; or
- to comply with a legal or regulatory obligation.
Sometimes, we may rely on other legal bases to process your information, such as where you have given us consent to use your personal information in certain ways or to protect a user’s vital interest. We also may process your personal information relying on more than one legal basis, depending on the specific purpose for which we are using your personal information.
As noted above, the table in Attachment 1 provides further details on the categories of information we collect about you when you use the Services, how (for which purpose) we use that information, and the legal basis we rely on to process that information. You can also contact us at email@example.com if you need details about the specific legal ground we are relying on to process your personal information where more than one ground has been set forth below.
4.2. Provide Our Services
We use your personal information to provide or facilitate:
- Access to, and use and support of, the Services
- Payment processing and account management
- Order fulfillment
- Customer service and support
- Updates, security alerts, and account notifications
- Other services requested by you as described when we collect the information.
We process your personal information where it is necessary for the adequate performance of the contract with you. We also process this information given our legitimate interest in providing the Services in an effective manner.
4.3. Understand and Improve Our Services
We use your personal information to analyze, operate, protect, improve, and customize the Services and user experience, such as by performing data analytics and studying how the Services are used. We process this information given our legitimate interest in improving the Services, understanding how our Services are being used, and developing and growing our business.
4.4. Administer and Protect the Services
We use your personal information to:
- Prevent, detect, investigate, and mitigate fraud, security incidents, abuse, or other potentially harmful or illegal activities.
- Maintain the network and information security to protect information against loss, damage, theft or unauthorized access.
- Perform troubleshooting, testing, and system maintenance.
- Conduct security investigations and risk assessments.
- Verify your identity.
- Conduct checks against databases and other information sources, to the extent permitted by applicable laws and with your consent where required.
We process your personal information where it is necessary to comply with applicable laws and regulations. We also process this information given our legitimate interest in the providing administration and information technology services, ensuring network and information security, and complying with applicable laws and regulations.
4.5. Legal and Safety
We use your personal information to:
- Prevent, detect, investigate, and mitigate fraud, security incidents, abuse, or other potentially harmful or illegal activities.
- Comply with our legal obligations, including managing legal and regulatory requests and requirements.
- Resolve any disputes with any of our users and enforce our agreements with third parties.
We process your personal information where it is necessary to comply with applicable laws and regulations or to ensure adequate performance of the contract with you. We also process this information given our legitimate interest in protecting our Services, preventing harm or illegal activities, enforcing or defending our legal rights, and complying with applicable laws and regulations.
4.6. Provide and Improve Our Marketing
We use your personal information to:
- Send you promotional messages, marketing, advertising, and other information that we think may be of interest to you.
- Personalize, measure, and improve our marketing and advertising.
- Administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by Gorilla Expense or its third-party partners.
- Analyze, operate, protect, improve, and customize the Services and user experience, such as by performing data analytics and studying how the Services are used.
We will process your personal information given our legitimate interest in undertaking marketing activities to offer you products or services that may be of your interest, informing our marketing strategies, and developing and growing our business. Generally, and unless you are a resident of the European Economic Area (EEA), we do not rely on your consent as a basis for processing your personal information other than in relation to sending third-party direct marketing communications to you via email or text message. Where we collect your personal information with consent, you may withdraw your consent for us to use your information at any time by unsubscribing, managing your preferences through your account, or contacting us (See “Your Choices About our Marketing Activities” below).
5. Disclosure of Your Personal Information
We will only share personal information collected through the Services as follows:
- With your consent.
- To your Company and to those other persons or entities to which your Company has elected to disclose your personal information.
- To contractors, service providers, and other third parties we use to support our Services, and only for the purposes for which we disclose it to them.
- To our corporate family of companies that are related by common ownership or control, to enable or support us in providing the Services.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Gorilla Expense’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Gorilla Expense about the Services and users are among the assets transferred.
- To third parties to market their products or services to you if you have consented to/not opted out of these disclosures.
- For any other purpose disclosed by us when you provide the information.
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To enforce our rights arising from any contracts entered into between you and us, including the Terms and Conditions, and for billing and collection.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of, our customers or others.
- We may also share aggregated information (information about our users that we combine so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling, marketing and advertising, and other business purposes.
6. Your Choices About Our Marketing Activities
6.1. Marketing Communications for Non-EEA Residents
From time to time, you may receive marketing communications from us if you have requested information from us or purchased services from us and, in each case (unless you are a resident of the European Economic Area (EEA)), you have not opted out of receiving such communications. If you are a resident of the EEA, you will not receive such communications from us unless you have specifically opted in to receive them, as described further in Section 5.4 (EEA Residents) below. In any case, most such communications we send will be by email. For some communications, we may use personal information we collect about you to help us determine the most relevant marketing information to share with you.
You can ask us to stop sending you marketing messages at any time by contacting us at firstname.lastname@example.org or by using the contact information set forth below.
6.3. Third Party Marketing
We will get your express opt-in consent before we share your personal information with any company outside Gorilla Expense for marketing purposes.
6.4. EEA Residents
If you are resident in the EEA, we will only send you marketing messages if you have given us your consent to do so. If you do not want to receive messages from us, you will be able to tell us by selecting certain boxes on forms we use when we first collect your contact details or by refusing or withdrawing your consent. You can also change your preferences later by clicking on the unsubscribe link at the bottom of our messages or by emailing us at email@example.com.
6.5. Non-Marketing Messages
Please note that if you do opt out of or do not grant consent to receiving marketing related messages from us, we may still send you non-marketing messages.
6.6. Affiliate Usage
7. Interest-Based Advertising
7.1. Interest-Based Advertising
We may participate in interest-based advertising and use third party advertising companies to serve you targeted advertisements based on your browsing history. If so, we may permit third party online advertising networks, social media companies and other third party services to collect information about your use of the Services over time so that they may play or display ads on the Services, on other websites, apps or services you may use, and on other devices you may use. Typically, though not always, the information used for interest-based advertising is collected through cookies or similar tracking technologies. We and our third party partners use this information to make the advertisements you see online more relevant to your interests, as well as to provide advertising-related services such as reporting, attribution, analytics and market research.
7.2. Online Resources
To learn about interest-based advertising and how you may be able to opt-out of some of this advertising, you may wish to visit the Network Advertising Initiative’s online resources, at http://www.networkadvertising.org/choices, the DAA’s resources at www.aboutads.info/choices and/or Your Online Choices at www.youronlinechoices.com/uk. Please note that opting-out of receiving interest-based advertising through the NAI’s and DAA’s or Your Online Choices online resources will only opt-out a user from receiving interest-based ads on that specific browser or device, but the user may still receive interest-based ads on his or her other devices. You must perform the opt-out on each browser or device you use. In addition, some of these opt-outs may not be effective unless your browser is set to accept cookies. If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you will need to opt-out again.
8. USER CONTENT
9. Your Rights OVER YOUR PERSONAL INFORMATION
If you are resident in the European Economic Area (EEA), under the General Data Protection Regulation (GDPR) you have the following rights in respect of your personal information that we hold:
- Right of access. You have the right to obtain:
- confirmation of whether, and where, we are processing your personal information;
- information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods;
- information about the categories of recipients with whom we may share your personal information; and
- a copy of the personal information we hold about you.
- Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal information to another person.
- Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you without undue delay.
- Right to erasure. You have the right, in some circumstances, to require us to erase your personal information without undue delay if the continued processing of that personal information is not justified.
- Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.
- Right to object. You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.
If you are resident in France, you also have the right to set guidelines for the retention and communication of your personal information after your death.
10. DATA RETENTION
We will only retain your personal information for no longer than necessary for the purposes for which it was collected (as described in further detail in Attachments 1 and 2), and if necessary to comply with our legal obligations and legitimate business interests. If you no longer want us to use your personal information to provide the Services to you, you can request that we erase your personal information and close your account. Please be aware that because we maintain the Services to protect from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time.
11. Data Security
We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure, and currently self-attest as a Payment Card Industry (PCI) compliant service provider. Unfortunately, no method of transmission over the internet or method of electronic storage is 100% secure. Therefore, while we strive to protect your personal information, we cannot guarantee its absolute security. If you have any questions about the security of our Services, please contact us at firstname.lastname@example.org.
12. Children Under the Age of 16
The Services are not intended for children under 16 years of age, and we do not knowingly collect personal information from children under 16. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at email@example.com or by using the contact information set forth below.
13. Your California Privacy Rights
California Civil Code Section 1798.83 permits users of our Services that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact us at firstname.lastname@example.org.
14. INTERNATIONAL DATA TRANSFER
Your personal information may be transferred to, stored, and processed in the United States or a country that is not regarded as providing the same level of protection for personal information as the laws of your home country. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to provide adequate protections for your personal information.
Whenever we transfer the personal information of individuals resident in the European Economic Area (EEA) to countries out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission.
- Where we use certain service providers, we may use specific contractual provisions approved by the European Commission which give personal information the same protection it has in the EEA.
16. Lodging Complaints
You have the right to lodge complaints about the data processing activities carried out by Gorilla Expense before your local data protection authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. In addition, residents in other jurisdictions may also have similar rights to the above. Please contact us at email@example.com if you would like to exercise one of these rights, and we will comply with any request to the extent required under applicable law.
17. Contact Information