GDPR Compliance

Last updated: March 3, 2026

1. GDPR Overview

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. MailExpense is fully compliant with GDPR requirements.

2. Lawful Basis for Processing

We process your personal data based on the following lawful bases under GDPR:

2.1 Consent (Article 6(1)(a))

You explicitly consent to our processing of your Gmail data for transaction extraction and categorization. Consent can be withdrawn at any time.

2.2 Legitimate Interest (Article 6(1)(f))

We process data for service improvement, security, and fraud prevention, which are legitimate interests that do not override your rights.

2.3 Contractual Necessity (Article 6(1)(b))

Processing is necessary to provide the expense tracking service you've requested.

3. Your GDPR Rights

3.1 Right to be Informed (Articles 13-14)

You have the right to be informed about the collection and use of your personal data. This privacy notice explains what we collect, why we collect it, and how we use it.

3.2 Right of Access (Article 15)

You can request access to all personal data we hold about you. We'll provide a complete copy within 30 days.

3.3 Right to Rectification (Article 16)

You can request correction of inaccurate personal data. We'll correct errors promptly.

3.4 Right to Erasure (Right to be Forgotten) (Article 17)

You can request deletion of your personal data when it's no longer necessary for the purpose it was collected.

3.5 Right to Restrict Processing (Article 18)

You can request restriction of processing your data in certain circumstances.

3.6 Right to Data Portability (Article 20)

You can request your data in a structured, machine-readable format and transfer it to another service.

3.7 Right to Object (Article 21)

You can object to processing of your personal data in certain circumstances.

3.8 Rights Related to Automated Decision Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing.

4. Data Protection Measures

4.1 Technical Measures

  • End-to-end encryption (TLS 1.3)
  • AES-256 encryption for data at rest
  • Regular security updates and patching
  • Intrusion detection and prevention systems
  • Secure authentication mechanisms

4.2 Organizational Measures

  • Regular staff training on data protection
  • Access controls based on need-to-know principle
  • Data protection impact assessments
  • Incident response procedures
  • Regular compliance audits

5. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify affected individuals within 72 hours of discovery
  • Provide details of the breach and its impact
  • Outline steps taken to mitigate the breach
  • Recommend measures to protect personal data

6. International Data Transfers

For EU users, we ensure:

  • Data processing within EU when possible
  • Adequacy decisions for non-EU transfers
  • Standard Contractual Clauses (SCCs) for transfers
  • Equivalent protection measures for international transfers

7. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance:

Email: dpo@mailexpense.com

Address: [Your Business Address]

Role: GDPR compliance oversight and user rights assistance

8. Exercising Your Rights

To exercise your GDPR rights:

Step 1: Self-Service Options

  • Download your data from the dashboard
  • Delete your account through settings
  • Manage Gmail integration preferences

Step 2: Data Export

Download all your personal data in a machine-readable format from the dashboard.

Step 3: Contact Us

Email: gdpr@mailexpense.com

Include: Your name, email address, and specific request

Response time: Within 30 days

⚠️ Account Deletion

To permanently delete your account and all associated data, use the account deletion option in your settings.

Step 4: Escalation

If unsatisfied with our response, you can:

  • Contact our Data Protection Officer
  • File a complaint with your local data protection authority
  • Seek judicial remedy

9. Special Categories of Data

We do not process special categories of personal data (health, religion, political opinions, etc.) unless necessary for financial transaction processing.

10. Records of Processing Activities

We maintain detailed records of all personal data processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Data retention periods
  • Security measures implemented
  • International transfer details

11. Contact Information

GDPR Inquiries: gdpr@mailexpense.com

Data Protection Officer: dpo@mailexpense.com

Legal Address: [Your Legal Business Address]

Registration: [Company Registration Number]