Privacy Policy

FlyExpense is committed to protecting your privacy and the privacy of your organization's data. This policy explains how we collect, use, store, and protect information when you use the FlyExpense platform.
Data we collect
FlyExpense collects only the data necessary to provide the platform and its services.
- Account information: name, email address, job title, and organization details
- Transaction data: expense amounts, vendors, categories, receipts, and approval history
- Card data: card usage, merchant details, and transaction metadata (card numbers are never stored in plaintext)
- Usage data: platform activity logs for security, audit, and product improvement
- Integration data: limited data from connected accounting, HR, and payment systems
How we use your data
We use your data solely to provide, improve, and secure the FlyExpense platform. We do not sell personal data to third parties.
- Processing and approving expenses, bills, and procurement requests
- Enforcing your organization's expense policies and controls
- Detecting duplicate transactions and potential fraud
- Generating financial reports and audit trails
- Providing customer support and platform notifications
- Improving platform features based on aggregated, anonymized usage patterns
Data security
FlyExpense applies bank-grade security controls to protect your data at rest and in transit.
- 256-bit AES encryption for all data at rest
- TLS 1.2+ encryption for all data in transit
- SOC 2 Type II certified security controls
- PCI-DSS compliant card data handling
- TOTP-based two-factor authentication and SSO support
- Strict multi-tenant isolation: no organization can access another's data
Your rights (GDPR, KVKK, CCPA)
Depending on your jurisdiction, you have the following rights regarding your personal data.
- Right to access: request a copy of your personal data
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure: request deletion of your personal data where legally permissible
- Right to portability: receive your data in a structured, machine-readable format
- Right to object: opt out of certain data processing activities
- To exercise any right, contact privacy@flyexpense.com
Data residency and international transfers
FlyExpense offers EU data residency options for organizations subject to GDPR. Data transfers outside the EEA rely on Standard Contractual Clauses (SCCs) as the legal mechanism.
- EU data residency available on Business and Enterprise plans
- GDPR-compliant data processing agreement (DPA) available on request
- KVKK-compliant processing for Turkish organizations
- Sub-processor list available to Enterprise plan customers
Frequently Asked Questions
Does FlyExpense sell my data?
No. FlyExpense does not sell personal data to any third party. Your data is used solely to provide the platform and its services.
Is FlyExpense GDPR compliant?
Yes. FlyExpense is GDPR compliant with EU data residency options, a signed DPA, ISO 27001 controls, and right-to-erase workflows.
How do I request deletion of my data?
Contact privacy@flyexpense.com with your data deletion request. We process deletion requests within 30 days in accordance with GDPR and KVKK requirements.