Privacy Policy
Effective date: 19 February 2026 · Last updated: 19 February 2026
1. Data Controller
SpendApproval ("we", "us", "our") operates the media spend approval platform at spendapproval.com.
- Registered address: [TO BE CONFIRMED]
- Company registration number: [TO BE CONFIRMED]
- Data Protection Officer: [TO BE CONFIRMED]
- Privacy contact: [email protected]
2. Data We Collect
We collect personal data only as necessary to provide the SpendApproval service. The categories of data we process are set out below in accordance with Article 30 GDPR.
2.1 User Account Data
Name, email address, phone number, role within organisation, authentication credentials (hashed), and session data.
2.2 Approval Request Data
Approval request details including spend amounts, campaign identifiers, media platform references, client names, approver assignments, approval decisions, timestamps, and cryptographic receipt hashes.
2.3 Contact Data
Names, email addresses, and phone numbers of approvers and other contacts added to the platform by the data controller (the agency).
2.4 Communication Logs
Records of email, SMS, and Slack notifications sent through the approval escalation workflow, including delivery status and timestamps.
2.5 Call Session Data
Records of automated phone calls made for approval escalation, including call duration, DTMF input (approval/rejection keypress), and timestamps. Call audio is not recorded.
2.6 Lead Data
Contact information voluntarily provided through marketing forms, including name, email, company name, and role.
3. Legal Basis for Processing (Article 6 GDPR)
| Data Category | Legal Basis | Justification |
|---|---|---|
| User account data | Contract performance (Art. 6(1)(b)) | Necessary to provide the SpendApproval service under the user's agreement |
| Approval request data | Legitimate interest (Art. 6(1)(f)) | Financial record-keeping and audit trail obligations for media spend |
| Contact data | Contract performance (Art. 6(1)(b)) | Necessary to deliver approval notifications to designated approvers |
| Communication logs | Legitimate interest (Art. 6(1)(f)) | Audit trail for delivery verification and escalation compliance |
| Call session data | Legitimate interest (Art. 6(1)(f)) | Audit trail for phone-based approval decisions |
| Lead data | Consent (Art. 6(1)(a)) | Provided voluntarily through marketing forms with explicit consent |
4. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Approval request data (including receipts) | 7 years from creation | Financial record-keeping obligations |
| Communication logs | 3 years from creation | Audit trail and dispute resolution |
| Call session data | 2 years from creation | Audit trail for phone-based approvals |
| User PII (account data) | Until account deletion + 30 days | Grace period for account recovery; then permanently deleted |
| Lead data | 2 years from collection | Marketing follow-up; deleted automatically after expiry |
5. Data Recipients and Processors
We share personal data only with the sub-processors necessary to operate the service. A current list of sub-processors is maintained at spendapproval.com/legal/subprocessors.html.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
6. International Data Transfers
Data may be processed in the United States, Canada, and the European Union depending on the sub-processor. Where data is transferred outside the EEA, we rely on:
- EU Standard Contractual Clauses (SCCs) with each sub-processor
- Adequacy decisions where applicable
Details of transfer mechanisms per sub-processor are available in our Data Processing Agreement.
7. Security Measures
- Encryption at rest using AES-256-GCM for sensitive fields
- Encryption in transit using TLS 1.3
- Cloudflare WAF and DDoS protection on all endpoints
- API authentication and authorization at the edge
- Cryptographically signed approval links with rotating keys
- Secrets managed via Infisical (self-hosted, not shared with third parties)
8. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — Request deletion of your personal data, subject to legal retention obligations.
- Right to data portability (Art. 20) — Request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests.
- Right to restrict processing (Art. 18) — Request restriction of processing in certain circumstances.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
9. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been infringed.
Lead supervisory authority: [TO BE CONFIRMED]
10. Cookies
The SpendApproval application uses strictly necessary session cookies for authentication. These cookies are:
- Secure, HttpOnly, SameSite=Lax
- Scoped to .spendapproval.com
- No third-party tracking cookies are used in the application
The marketing site at spendapproval.com uses PostHog for anonymous usage analytics. PostHog is configured to respect Do Not Track headers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email address associated with your account. The "Last updated" date at the top of this page reflects when the policy was most recently revised.
12. Contact
For any questions regarding this Privacy Policy or our data practices, contact:
- Email: [email protected]
- Address: [TO BE CONFIRMED]