ONexpense Privacy Policy
Version 2.0 — June 2025
This privacy policy (the "Policy") describes how ONappli SAS, a company registered with the Toulouse RCS under number 793 220 914, with capital of €32,000, whose registered office is located at Chemin des Vivans, 31600 Muret, France ("ONappli", "we", "our"), acts as a data processor within the meaning of Regulation (EU) 2016/679 ("GDPR") on behalf of its professional clients when they use the ONexpense platform (the "Platform").
Any questions may be addressed to: support@onexpense.com.
1. Definitions
| Term | Meaning |
|---|---|
| Client | Company or independent worker who has subscribed to the ONexpense Terms and Conditions and creates User accounts. |
| User | Natural person (employee, administrator or freelancer) using the Platform. |
| Business Data | Expense receipts (image/PDF) and extracted metadata: issuer, amount, VAT, date, location, payment method, etc. |
| Account Data | Identifiers (professional email, hashed password), role, custom attributes, organization ID. |
| Technical Data | IP address, browser agent, server logs, anonymized analytics events. |
| Sub-processor | Third-party provider processing data on behalf of ONappli. |
2. Categories of data processed
- Business Data (included in receipts). If a receipt exceptionally contains sensitive data (e.g. health information written on an invoice), this data is stored but not exploited; the Client remains responsible for its legality.
- Account Data.
- Technical Data.
No deliberate extraction or use of sensitive data within the meaning of Art. 9 GDPR is carried out.
3. Purposes and legal bases
| Purpose | Legal basis (art. 6 GDPR) | Details |
|---|---|---|
| Platform operation (expense report management, probative archiving NF Z42-013) | Contract performance (art. 6 §1 b) | Main functionality identified in the Terms and Conditions. |
| Legal archiving 10 years ("Archive Plus" option) | Legal obligation (art. 6 §1 c) | French tax compliance. |
| Logs, security, product improvement (anonymous PostHog analytics) | Legitimate interest (art. 6 §1 f) | Secure, maintain and develop the Platform. Minimal impact on privacy. |
| Automatic recognition (OCR) via Azure OpenAI | Contract performance | Transient processing to extract amount/VAT. |
| Analytics cookies (marketing site) | Explicit consent | Activated only after acceptance via CNIL-compliant banner. |
No direct marketing prospecting activity (newsletter, upsell) is carried out without prior consent.
4. Retention periods
| Category | Duration | Justification |
|---|---|---|
| Receipts & accounting data | 10 years minimum or duration set by the Client, then secure deletion | Tax & contractual requirements. |
| Logs & Technical Data | 6 months | Debugging and security audits. |
| Encrypted Azure backups | 1 rolling year | Business continuity. |
The Client may request early deletion of their data; we execute this within 15 business days (cf. § 10).
5. Recipients and sub-processors
| Provider | Purpose | Location | Transfer outside EU | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | SaaS hosting, backups | EU (France/Europe) | No | ISO 27001 compliant data centers. |
| PostHog Cloud EU | Anonymous analytics (product usage) | EU (Ireland) | No | No nominative personal data collected. |
| Azure OpenAI | OCR & VAT extraction | EU (France) | Transient processing; storage in EU | Standard Contractual Clauses being signed; no persistence outside EU. |
ONappli maintains an internal register of sub-processors; any substantial modification will be notified to Clients.
6. International transfers
Data remains physically stored in the European Union. API calls to Azure OpenAI may involve transient processing outside the EU; no persistence takes place. Standard Contractual Clauses ("SCCs") are being finalized to cover this flow.
7. Data security
- TLS 1.2+ encryption in transit; AES-256 at rest (Azure Storage Encryption).
- Multi-factor authentication (MFA) mandatory for ONappli staff.
- Access controls based on the principle of least privilege; centralized logging.
- Formal data breach notification procedure: CNIL and Client information ≤ 72h after detection.
8. Cookies and trackers
The public site onexpense.com uses PostHog (EU mode, anonymized IP). No marketing or targeting cookies are deployed. The consent banner, compliant with CNIL guidelines, allows to:
- Accept all cookies;
- Refuse;
- Configure finely.
The Platform (app.onexpense.com) also uses PostHog under the same conditions to understand product usage and improve its use.
9. Data subject rights
In accordance with articles 15 to 22 GDPR, each User has the rights: access, rectification, erasure, restriction, objection, portability.
Exercise of rights: send an email to support@onexpense.com with proof of identity. Response within 30 days (extendable by 2 months in case of complex request).
Complete data deletion: performed within a maximum of 15 business days, except legal obligation to the contrary.
12. Policy updates
This Policy may be updated at any time to reflect legal, technical or business developments. Clients will be informed by email at least 15 days before the new version comes into effect.
13. Contact
Privacy officer: support@onexpense.com
Competent supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL) – www.cnil.fr
Last update: June 30, 2025