Privacy Policy

How Spifex processes personal data and your privacy rights.

Revised January 12, 2026

Overview

This Privacy Policy explains how Spifex (“Spifex”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you:

  • visit our websites and marketing pages (the “Website”),
  • create or administer a Spifex account,
  • use our platform and products (collectively, the “Services”), including modules such as Cashflow, Banking & Payments, Spend & Settlements, Ledger, Projects, Departments, CRM, and Inventory,
  • communicate with us (sales, support, partnerships), or
  • participate in events, webinars, or marketing campaigns.

Spifex is designed primarily for business customers. Personal data may be processed about administrators, employees, contractors, vendors, customers, prospects, and other individuals whose data is entered into the Services by our business customers.

This Policy is written to align with European data protection principles, including the General Data Protection Regulation (GDPR) and, where applicable, rules on cookies and similar technologies under the ePrivacy framework.

If you do not agree with this Policy, please do not use the Services.

Key roles under EU data protection law

Depending on how the Services are used, Spifex may act as:

  • Controller (we decide “why” and “how” personal data is processed), for example for:

    • website visitors,
    • sales and marketing leads,
    • account creation and administrative user profiles,
    • billing and contract administration,
    • security and fraud prevention for our platform.
  • Processor (we process personal data on behalf of a business customer), for example for:

    • data uploaded or generated in the Services by our business customers, such as cashflow entries, vendor records, contact records, approvals, attachments, reconciliations, ledger classifications, and related audit trails (“Customer Data”).

Where Spifex acts as a processor, the business customer is typically the controller and is responsible for determining the lawful basis for processing Customer Data and for providing appropriate notices to individuals.

What personal data we collect

The personal data we collect depends on your interaction with us and the features you use.

1) Data you provide to us

Account and profile data

  • Name, work email, role/title, company name, department/team, authentication credentials (hashed passwords or authentication tokens), and user preferences.

Billing and commercial data

  • Billing contact details, invoicing address, tax identifiers (where applicable), subscription plan, and payment confirmation details (we typically rely on payment processors for payment card handling).

Communications

  • Messages and metadata when you contact sales/support, submit forms, request demos, report issues, or provide feedback.

Marketing data

  • Newsletter opt-ins, event registrations, webinar participation, content downloads, and campaign interactions.

2) Data processed within the Services (Customer Data)

Depending on the modules enabled by your organization, Customer Data may include:

Financial operations and cashflow

  • planned and executed movements, settlements, transfers, reconciliations, references, categories, projects/departments, and audit trails.

Banking & payments

  • bank account identifiers (as provided or connected), beneficiary/vendor payment details, payment instructions, remittance references, transaction identifiers, and status events (e.g., approved, scheduled, executed, failed).

Spend & settlements

  • requests, approvals, policies, receipts/invoices uploaded as files, spend allocations, and settlement events.

Ledger

  • chart of accounts, classifications, mapping rules, accounting metadata, and audit-ready structure and change history.

Projects and departments

  • allocations, budgets, ownership structures, approval routing, and KPI metadata linked to initiatives and teams.

CRM

  • contacts, pipeline signals, deal stages, communications notes entered by users, and linkage of pipeline signals to planning/forecasting.

Inventory

  • items/SKUs, operational inputs, movement/consumption records, costing references, and linkage to financial outcomes.

Customer Data may include personal data about individuals (e.g., vendor contacts, employees, approvers). Spifex does not require “special category data” (GDPR Art. 9) and we ask customers not to upload it unless strictly necessary and lawfully permitted.

3) Data we collect automatically

When you access the Website or Services, we may collect:

  • Device and log data: IP address, device type, browser type, OS, time zone, language, access timestamps, pages/screens viewed, error logs, and diagnostic data.
  • Usage data: feature interactions, clickstream, session metadata, and performance metrics.
  • Approximate location: inferred from IP address at a city/region level.

4) Data from third parties

We may receive data from:

  • Business customers (e.g., when you are invited as an authorized user).
  • Integrations you enable (e.g., accounting tools, banking connections, data import tools).
  • Service providers supporting analytics, hosting, identity/security, customer support, and payments.
  • Public or professional sources for B2B contact enrichment where permitted by law.

Why we process personal data and lawful bases (GDPR)

We process personal data for the purposes below. Under GDPR, we must have a lawful basis for each purpose.

Purpose | Examples | Lawful basis (typical)
Provide and operate the Services | account creation, authentication, feature delivery, customer support | Contract (Art. 6(1)(b))
Platform security and abuse prevention | access control, audit logs, monitoring suspicious activity | Legitimate interests (Art. 6(1)(f)); Legal obligation where required
Product improvement and performance | usage analytics, reliability, debugging, feature testing | Legitimate interests (Art. 6(1)(f))
Sales and customer relationship management | demo requests, communications, account management | Legitimate interests (Art. 6(1)(f)) and/or Contract
Marketing (where allowed) | newsletters, campaigns, events | Consent (Art. 6(1)(a)) and/or Legitimate interests (B2B contexts may vary by jurisdiction)
Compliance and legal obligations | tax, accounting records, responding to lawful requests | Legal obligation (Art. 6(1)(c))
Payments and billing | invoicing, subscription administration | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we consider and balance our interests against your rights and freedoms. You may object to processing based on legitimate interests in certain circumstances (see “Your rights”).

How we use personal data in the system context

Spifex is built to connect planning, execution, and reconciliation with governance and auditability. In practice, personal data may be used to:

  • identify and authenticate users,
  • configure organization settings, roles, permissions, and entitlements,
  • route approvals and enforce policies (e.g., spend limits, approval chains),
  • record operational events (e.g., approval timestamps, settlement status),
  • generate audit trails (who did what, when, and why),
  • connect modules (e.g., allocating spend to projects/departments, classifying entries to the chart of accounts),
  • produce reporting and KPIs (generally at an organizational level, not to profile individuals for consumer advertising),
  • support incident response, security monitoring, and anti-fraud controls.

Cookies and similar technologies

We use cookies and similar technologies to:

  • keep you signed in and secure sessions,
  • remember language and preferences,
  • measure performance and usage of the Website and Services,
  • support marketing attribution (where enabled and permitted).

Where required by EU law, we request consent for non-essential cookies. You can manage cookies through your browser settings and any cookie preference tools we provide. If you disable certain cookies, some features may not function properly.

How we share personal data

We share personal data only as necessary for the purposes described above, including with:

1) Service providers (subprocessors)

Vendors that help us operate the Services (e.g., cloud hosting, analytics, monitoring, customer support tools, email delivery, payment processors). They are contractually required to protect data and use it only to provide services to us.

2) Integrations and third-party services (at your direction)

If you enable integrations (e.g., accounting systems, banking connections, automation tools), data may be shared with the provider of that integration as instructed by you or your organization.

3) Within your organization

Authorized users with appropriate permissions may access Customer Data. Your organization controls roles, visibility, and governance.

4) Legal and safety

We may disclose information to comply with applicable law, lawful requests, or to protect the rights, safety, and security of Spifex, our customers, users, and the public.

5) Business transfers

If Spifex is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate safeguards and notices where required.

We do not sell personal data in the sense of transferring it for third-party commercial use unrelated to providing the Services.

International data transfers

Spifex may process data in countries other than where you live (for example, where our hosting or service providers operate). When transferring personal data from the EEA/UK/Switzerland to countries that do not provide an adequate level of protection, we implement appropriate safeguards, such as:

  • the European Commission Standard Contractual Clauses (SCCs) (and UK addendum where applicable), and
  • additional technical and organizational measures where appropriate.

You may request information about relevant transfer safeguards by contacting us (see “Contact us”).

Data retention

We retain personal data only as long as necessary for the purposes described in this Policy, including to:

  • provide the Services,
  • maintain security and prevent abuse,
  • comply with legal and contractual obligations,
  • resolve disputes, and
  • enforce our agreements.

Retention periods vary depending on the type of data, configuration by the customer, and applicable legal requirements. Where Spifex acts as a processor, we retain Customer Data according to the customer’s instructions and contractual terms.

Security

We implement technical and organizational measures designed to protect personal data, including (as appropriate):

  • encryption in transit and at rest,
  • access controls and least-privilege permissions,
  • logging and monitoring,
  • backups and disaster recovery practices,
  • vulnerability management and security testing.

No system is perfectly secure. You are responsible for maintaining the confidentiality of your credentials and using secure devices and networks.

Your rights (EEA/UK and similar regions)

If GDPR applies to you, you may have the right to:

  • Access your personal data,
  • Rectify inaccurate or incomplete data,
  • Erase data (in certain circumstances),
  • Restrict processing (in certain circumstances),
  • Request data portability (where applicable),
  • Object to processing based on legitimate interests,
  • Withdraw consent at any time where processing is based on consent (withdrawal does not affect prior processing).

If we process your personal data as a processor on behalf of your organization, your requests may need to be directed to the organization (the controller). We will support our customers in responding to requests as required by law and contract.

Complaints

You also have the right to lodge a complaint with a data protection authority, particularly in the EU member state where you reside, work, or where an alleged infringement occurred.

Automated decision-making

Spifex may use automated signals to detect suspicious activity and protect the Services (e.g., unusual login patterns). We do not use automated decision-making that produces legal or similarly significant effects on individuals without appropriate safeguards. Where required, you may request human review.

Children’s data

The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children.

Changes to this Privacy Policy

We may update this Policy from time to time. If changes are material, we will provide notice through the Website, the Services, or other appropriate channels. The “Revised” date above indicates when this Policy was last revised.

Contact us

For questions, requests, or concerns about this Privacy Policy or our data practices, contact us at:

  • Privacy contact: privacy@spifex.com
  • Company: Spifex

If you are an authorized user of a business customer, you may also contact your organization’s administrator regarding Customer Data processed within your organization’s Spifex workspace.