Privacy Policy

Last updated: Oct 2, 2025

This Privacy Policy explains how GeriPay, Inc. (“GeriPay,” “we,” “us,” “our”) collects, uses, discloses, and protects personal data when you use our websites and services (collectively, the “Service”). We are committed to handling personal data in accordance with applicable data protection laws, including the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA), where applicable.

1. Scope and Roles

GeriPay primarily provides a multi-tenant platform for organizations to track receipts and export PDFs. Depending on the context:

  • For account-level data (Admin contact info, authentication, billing), GeriPay acts as a controller.
  • For Customer Data uploaded to the organization workspace (receipt images, metadata), GeriPay acts as a processor (or service provider) on behalf of the Customer (the controller).

2. Personal Data We Collect

  • Account Data: name, email, password hash, organization affiliation, role (admin/member), optional phone.
  • Customer Data (workspace): receipt images and metadata (dates, descriptions, amounts), status toggles, and PDF export selections.
  • Usage & Device Data: log data, IP address, browser type, device identifiers, pages viewed, and interactions with features.
  • Support & Communications: messages, tickets, feedback, and related metadata.
  • Cookies & Similar Technologies: session cookies, authentication tokens, and analytics identifiers (see Section 8).

3. Sources of Personal Data

  • Directly from you (e.g., account registration, support requests).
  • From your organization’s Admins (e.g., invitations, role assignments).
  • Automatically via the Service (e.g., logs, device and usage data).
  • Service providers and partners (e.g., payment processors, email delivery services).

4. How We Use Personal Data

  • To provide and secure the Service, including authentication, access control, and fraud prevention.
  • To operate organization workspaces as processor, processing Customer Data solely in accordance with Customer’s instructions.
  • To communicate with you, such as sending transactional emails (invitations, security notices) and responding to inquiries.
  • To improve the Service, including troubleshooting, usage analytics, testing, and developing new features.
  • To comply with law and enforce our Terms, including protecting rights, property, and safety.

5. Legal Bases (EU/UK)

  • Contract necessity (Art. 6(1)(b)) for providing the Service to your organization.
  • Legitimate interests (Art. 6(1)(f)) for security, improvement, and analytics proportionate to your privacy interests.
  • Legal obligations (Art. 6(1)(c)) for compliance with applicable laws and regulations.
  • Consent (Art. 6(1)(a)) where we expressly request it for specific optional features; you may withdraw consent at any time.

6. Sharing and Disclosures

  • Service Providers/Sub-Processors: hosting, storage, email delivery, analytics, and support tooling under appropriate contracts and data protection terms.
  • Legal Compliance: when required by law, subpoena, or valid governmental request.
  • Business Transfers: in connection with mergers, acquisitions, or asset sales, subject to this Policy’s protections.
  • With Your Organization: Admins may access Member activity and Customer Data within the organization workspace.

7. International Transfers

We may transfer personal data to countries outside your country of residence. Where required, we use appropriate safeguards, such as Standard Contractual Clauses (SCCs) and the UK Addendum, to ensure an adequate level of protection.

8. Cookies and Similar Technologies

We use strictly necessary cookies (e.g., security, authentication) and, where applicable, analytics cookies to understand feature usage and improve the Service. You can manage cookie preferences through your browser settings. Disabling certain cookies may impair core functionality (e.g., staying signed in).

9. Data Retention

We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Customer Data is retained according to Customer’s instructions and lifecycle events (e.g., account closure). We may retain aggregated or de-identified data for analytics and improvement.

10. Security

We implement reasonable technical and organizational measures designed to protect personal data, including encryption in transit and at rest where appropriate, access controls, and monitoring. No method of transmission or storage is 100% secure; please safeguard your credentials and notify us of suspected compromise.

11. Your Rights

EEA/UK Individuals

Subject to conditions and exceptions under GDPR, you may have the right to access, rectify, erase, restrict, or object to processing, and the right to data portability. Where we process based on consent, you may withdraw consent at any time.

California Residents (CCPA/CPRA)

You may have the right to know, access, correct, and delete your personal information, and to opt out of “sharing” for cross-context behavioral advertising. We do not “sell” personal information as defined by the CCPA/CPRA. You will not be discriminated against for exercising your rights.

Exercising Your Rights

To exercise rights, contact us at privacy@geripay.com. We may need to verify your identity and, where applicable, coordinate with your organization (as controller) to fulfill the request. Authorized agents may submit requests per applicable law.

12. Children’s Privacy

The Service is not directed to children under 16 (or the age defined by local law). We do not knowingly collect personal data from children without appropriate consent. If you believe a child has provided us personal data, contact us to request removal.

13. Do Not Track; Global Privacy Control

The Service may not respond to browser “Do Not Track” signals. Where applicable, we will honor Global Privacy Control (GPC) signals for opt-out of sharing/targeted advertising as required by law.

14. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date reflects the latest revision. Material changes will be communicated through the Service or by email where appropriate.

15. Contact Us

Questions or requests regarding this Policy may be sent to privacy@geripay.com. If you are in the EEA/UK, you may also have the right to lodge a complaint with your local supervisory authority.

This Privacy Policy is a comprehensive template and does not constitute legal advice. Please consult your counsel to tailor it to your specific data flows, jurisdictions, and organizational practices.