Privacy Policy

1.1 The Customer is the controller and Recavo is the processor of Customer Personal Data processed to provide the Service. Recavo processes Customer Personal Data only on the Customer's documented instructions unless required by law.

2.1 Recavo processes Customer Personal Data for the duration of the agreement for the purpose of hosting, securing and otherwise processing Customer Personal Data to provide spend-management, receipt-capture, expense-policy, approval-routing and reporting functionality, including via the AI features described in our Terms of Service.

3.1 Identification and contact data, role and department data, expense and transaction metadata, receipt content (which may include names and other details), and any other personal data the Customer chooses to submit. Data subjects include the Customer's owners, administrators, employees, contractors and other personnel, and individuals named on receipts or in expense records.

4.1 Recavo ensures personnel authorised to process Customer Personal Data are bound by confidentiality obligations.

4.2 Recavo implements appropriate technical and organisational measures taking into account the state of the art and the risks of processing.

5.1 The Customer authorises Recavo to engage sub-processors and others added from time to time. Recavo will give notice of intended changes and impose data-protection obligations on each sub-processor substantially equivalent to these terms. The Customer may object to a new sub-processor on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service.

6.1 Taking into account the nature of processing, Recavo will assist the Customer (by appropriate measures and so far as possible) with: responding to data-subject rights requests; security of processing; personal data breach notification; data protection impact assessments; and prior consultation with the ICO.

6.2 Recavo will promptly forward to the Customer any request it receives directly from a data subject relating to Customer Personal Data, and will not respond except on the Customer's instruction or as required by law.

7.1 Recavo will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information reasonably available to assist the Customer's own obligations.

7.2 Where Recavo transfers Customer Personal Data outside the UK, it will ensure an appropriate transfer mechanism is in place.

8.1 On termination or on the Customer's request, Recavo will (at the Customer's choice) return or delete Customer Personal Data, except to the extent retention is required by law, within a reasonable period.

8.2 Recavo will make available information reasonably necessary to demonstrate compliance with these terms and allow for audits, subject to reasonable confidentiality, frequency, security and cost conditions.

9.1 In the event of conflict between this Data Processing Addendum and the rest of the Terms of Service in respect of the processing of Customer Personal Data, this Data Processing Addendum prevails.