PRIVACY POLICY
Version 2.0 — June 2025
Preamble
This privacy policy (the "Policy") describes how ONAPPLI SAS, a simplified joint stock company with a share capital of €32,000, registered with the Toulouse Trade and Companies Register under number 793 220 914, with its registered office located at 52 chemin des Vivans, 31600 Muret, France ("ONappli", "we", "our", "the Service Provider"), collects, processes, and protects your personal data when you use the ONexpense application (the "Application") and the associated website (the "Site").
ONappli undertakes to comply with the applicable regulations regarding the protection of personal data, particularly Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation – "GDPR") and Law No. 78-17 of January 6, 1978 as amended relating to data processing, files, and freedoms.
Article 1 – Data Controller and DPO
1.1 Data Controller
For data relating to the commercial relationship and management of Customer accounts:
- Data Controller: ONAPPLI SAS
- Representative: Mr. Frédéric SOUHCKOFF, President
- Address: 52 chemin des Vivans, 31600 Muret, France
- Email: support@onexpense.com
For data processed via the ONexpense application on behalf of Clients (particularly data relating to users and expense reports):
The Client is the data controller. ONappli acts as a processor within the meaning of GDPR. The rights and obligations of the Parties in this regard are specified in Article 10 of this Policy.
1.2 Data Protection Officer
A Data Protection Officer (DPO) has been designated within ONappli.
- Email: dpo@onexpense.com
- Postal Address: DPO – ONAPPLI SAS, 52 chemin des Vivans, 31600 Muret, France
Article 2 – Categories of Data Collected
Depending on the use of the Application and the Site, we may collect the following categories of personal data:
2.1 Identification Data
- Last name, first name
- Professional email address
- Phone number (optional)
- Password (stored in hashed form)
- Company name, SIRET number, VAT number (for customer companies)
2.2 Data Related to Expense Management
- Images or PDF files of receipts uploaded by users
- Information extracted from receipts: vendor, date, amount, VAT, payment method, location
- Metadata associated with expense reports: creation date, status, validation
- Accounting classifications and analytical allocations
2.3 Technical and Navigation Data
- IP address
- Browser type and version
- Operating system
- Consultation date and time
- Pages viewed and interactions with the Application
- Unique device identifier (for mobile application)
2.4 Billing Data
- Billing address
- Payment information (bank card details are not stored by ONappli but transmitted directly to Stripe)
- Invoicing history
Article 3 – Purposes and Legal Bases of Processing
| Purpose | Legal Basis (GDPR) |
|---|---|
| Management of user accounts and authentication | Contract performance (Art. 6.1.b) |
| Expense report management (capture, analysis, validation) | Contract performance (Art. 6.1.b) |
| Legally binding archiving of receipts | Legal obligation (Art. 6.1.c) – French Tax Procedures Book |
| Customer relationship management and technical support | Contract performance (Art. 6.1.b) |
| Billing and payment management | Contract performance (Art. 6.1.b) |
| Security of the Application and fraud prevention | Legitimate interest (Art. 6.1.f) |
| Statistical analysis and service improvement | Legitimate interest (Art. 6.1.f) – Anonymous or pseudonymous data |
| Sending commercial communications (newsletter, offers) | Consent (Art. 6.1.a) |
| Audience measurement (cookies) | Consent (Art. 6.1.a) – Via cookie banner |
Article 4 – Data Recipients
Personal data may be communicated to the following categories of recipients:
4.1 Internal Recipients
- Authorized ONappli personnel (technical team, customer support, management)
- Access is limited to persons whose function requires access to the data
4.2 External Recipients (Subprocessors)
ONappli uses the following subprocessors for the performance of its services:
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Microsoft Azure | Data and application hosting, backups | Northern Europe / Western Europe (EU) |
| Azure OpenAI | Optical character recognition (OCR) for data extraction | France (EU) – Transient processing only |
| Stripe | Payment processing | European Union / United States (SCCs) |
| PostHog | Product analytics (anonymous) | European Union (Ireland) |
| Universign | Electronic signature and certified timestamping | France (EU) |
| Novarchive | Legally binding long-term archiving | France (EU) |
| Cloudflare | Website hosting (CDN and security) | European Union |
| Google | Ancillary services (Crashlytics, Firebase Analytics for mobile application) | United States (SCCs) |
All subprocessors are bound by contractual clauses imposing confidentiality and security obligations compliant with GDPR.
4.3 Legal Authorities
Data may be communicated to competent authorities (tax administration, judicial authorities) in case of legal obligation or judicial requisition.
Article 5 – International Data Transfers
General principle: All personal data is stored in the European Union.
Exceptions: Certain subprocessors (Stripe, Google) are established in the United States. Data transfers to these subprocessors are governed by:
- The European Commission's Standard Contractual Clauses (SCCs)
- Any other appropriate mechanism recognized by GDPR (adequacy decisions, binding corporate rules)
OCR Processing: In the context of optical character recognition processing (Azure OpenAI), technical data (receipt images) may be transmitted for processing without permanent storage outside the EU.
Article 6 – Data Retention Period
| Data Category | Retention Period |
|---|---|
| User account data | Duration of the subscription + 3 years (statute of limitations) |
| Expense report data and supporting documents | 10 years (legal obligation – French Tax Procedures Book) |
| Archived data with legal value | 10 years from archiving date |
| Billing data | 10 years (accounting obligation) |
| Technical logs (security) | 6 months |
| Cookies | Maximum 13 months from deposit |
| Backups (encrypted Azure) | 1 rolling year |
At the end of the retention period, data is securely deleted or anonymized.
Article 7 – Data Security
ONappli implements appropriate technical and organizational measures to ensure data security:
7.1 Technical Measures
- Encryption in transit: TLS 1.2+ for all communications
- Encryption at rest: AES-256 for stored data (Azure Storage Encryption)
- Secure hosting: Microsoft Azure data centers certified ISO 27001, SOC 2, GDPR compliant
- Regular backups with restoration procedure
- Continuous security monitoring and intrusion detection
7.2 Organizational Measures
- Least privilege principle: Access restricted to authorized personnel
- Multi-factor authentication (MFA) mandatory for ONappli employees
- Staff awareness and training on data protection
- Data breach notification procedure: CNIL and Clients are informed within 72 hours of detection
Article 8 – Cookies and Trackers
8.1 Types of Cookies Used
| Category | Purpose | Consent |
|---|---|---|
| Strictly necessary cookies | Authentication, security, storing consent choice | Not required |
| Functional cookies | Language preferences, user settings | Not required |
| Analytics cookies (PostHog) | Audience measurement, Application improvement | Required (via banner) |
Note: No advertising or targeting cookies are used on the Site or in the Application.
8.2 Consent Management
A CNIL-compliant cookie consent banner is displayed on the first visit to the Site. You can at any time:
- Accept all cookies
- Refuse non-essential cookies
- Configure your choices precisely
- Modify your preferences via your browser settings
8.3 Cookie Duration
Cookies are kept for a maximum of 13 months from their deposit, in accordance with CNIL recommendations.
Article 9 – Rights of Data Subjects
In accordance with GDPR (Articles 15 to 22), you have the following rights over your personal data:
| Right | Description |
|---|---|
| Right of access | Obtain confirmation of processing and a copy of your data |
| Right of rectification | Request correction of inaccurate or incomplete data |
| Right to erasure ("right to be forgotten") | Request deletion of your data (subject to legal obligations) |
| Right to restriction of processing | Request limitation of data processing |
| Right to data portability | Receive your data in a structured, commonly used format |
| Right to object | Object to processing based on legitimate interest |
| Right to withdraw consent | Withdraw your consent at any time (for consent-based processing) |
| Right to lodge a complaint | Lodge a complaint with CNIL (www.cnil.fr) |
How to Exercise Your Rights
Send your request by email to: dpo@onexpense.com, accompanied by proof of identity.
A response will be provided within 30 days of receipt of the request (extendable by 2 months for complex requests).
For complete data deletion requests, processing is carried out within a maximum of 15 business days.
Article 10 – Subprocessor Relationship (Data Processing Agreement)
When ONappli acts as a processor on behalf of Clients (for data relating to users and expense reports), the following obligations apply:
10.1 ONappli Obligations
- Process data only on documented instructions from the Client
- Ensure that authorized persons are committed to confidentiality
- Implement appropriate security measures
- Not engage another subprocessor without prior written authorization from the Client
- Assist the Client in responding to data subject requests
- Delete or return data at the end of the service, according to the Client's choice
- Make available all information necessary to demonstrate compliance
10.2 Client Obligations
- Ensure the legality of data processing carried out via the Application
- Inform users of data processing
- Obtain necessary consents where applicable
- Comply with data subject rights requests
Article 11 – Modifications to the Policy
This Policy may be updated at any time to reflect legal, technical, or organizational developments.
In case of substantial modification, Clients will be informed by email at least 15 days before the new version comes into effect.
Continued use of the service after notification constitutes acceptance of the new Policy.
Article 12 – Contact
For any questions regarding this Policy or the processing of your personal data:
- DPO: dpo@onexpense.com
- General Support: support@onexpense.com
- Postal Address: ONAPPLI SAS, 52 chemin des Vivans, 31600 Muret, France
Competent Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL) – www.cnil.fr