Legal
GDPR & India DPDP
We design for the stricter of GDPR and India's DPDP Act 2023.
Your rights
- Access — request a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to statutory financial-record retention.
- Portability — receive your data in a structured, machine-readable format.
- Restriction & objection — limit or object to certain processing.
- Withdraw consent — for any processing based on consent.
How to request
If you are a user of a customer organization, contact your Org Admin — they have self-serve tools to fulfill most requests. You can also email privacy@reimburseflow.com directly. We respond within 30 days.
Erasure vs. financial retention
Where deletion conflicts with statutory financial or audit retention, we anonymize affected records and document the legal basis for retaining them.
Breach notification
If a personal data breach affects you, we notify the relevant supervisory authority and affected controllers within 72 hours of becoming aware, as required by GDPR Article 33.
Supervisory authority
You have the right to lodge a complaint with your local supervisory authority (e.g. your EU member state DPA, or the Data Protection Board of India under DPDP).
Records of Processing Activities (RoPA)
We maintain a RoPA. Enterprise customers can request a summary under NDA.
Contact
Privacy contact: privacy@reimburseflow.com