ExpenseCaptureAI

Data Processing Addendum

Article 28-style data processing terms for business customers whose personal data is processed through ExpenseCaptureAI.

Effective

2026-03-31

Last updated

2026-03-31

Version

1.0

Applies to

ExpenseCaptureAI business customers where Luminyst Estates, Lda processes Customer Personal Data on the customer's behalf

On this page 24 items

This Data Processing Addendum ("DPA") forms part of the agreement between Luminyst Estates, Lda ("Processor", "we", "us", or "our") and the applicable customer of ExpenseCaptureAI ("Customer" or "Controller") that uses the Service in a business or professional capacity.

This DPA applies where, and only to the extent that, we process Customer Personal Data on behalf of the Customer as a processor or service provider.

1. Definitions

In this DPA:

  • "Applicable Data Protection Law" means the GDPR, UK GDPR where applicable, and any other data-protection law applicable to the processing covered by this DPA.
  • "Customer Personal Data" means personal data contained in Customer Content that we process on behalf of the Customer through the Service.
  • "Service" means ExpenseCaptureAI and its related website, application, APIs, and features.
  • "Subprocessor" means a third party authorised under this DPA to process Customer Personal Data on our behalf.

Terms not defined here have the meaning given in the main customer agreement or, where required, in Applicable Data Protection Law.

2. Scope and Roles

2.1 The Customer acts as the controller or equivalent business user for Customer Personal Data.

2.2 We act as the processor or equivalent service provider for Customer Personal Data.

2.3 This DPA does not apply to personal data that we process as an independent controller, including:

  • account-administration data
  • billing and payment-administration data
  • security and fraud-monitoring data
  • support and contractual relationship data

Those controller activities are described in our Privacy Policy.

3. Subject Matter, Nature, and Purpose of the Processing

We process Customer Personal Data only as needed to provide the Service, including:

  • receiving uploaded or emailed business documents
  • storing and organising Customer Content
  • extracting structured information from Customer Content
  • supporting review, correction, export, and workflow features
  • troubleshooting, security, abuse prevention, and support

The duration, categories, and further details of the processing are described in Annex A.

4. Customer Instructions

4.1 We will process Customer Personal Data only:

  • on the Customer's documented instructions
  • as necessary to provide the Service
  • to comply with applicable law

4.2 The Customer instructs us to process Customer Personal Data:

  • to host, store, transmit, organise, transform, analyse, and return Customer Content and Output through the Service
  • to use Subprocessors in accordance with this DPA
  • to provide support, maintenance, security, abuse prevention, and incident response relating to the Service

4.3 If we believe an instruction violates Applicable Data Protection Law, we may suspend the relevant processing and notify the Customer where legally permitted.

5. Customer Responsibilities

The Customer is responsible for:

  • ensuring it has a lawful basis to collect and submit Customer Personal Data to the Service
  • providing any required notices to data subjects
  • ensuring its instructions are lawful
  • determining whether the Service is appropriate for the Customer's intended use
  • deciding what Customer Personal Data to upload, retain, export, or delete

Unless explicitly agreed by us in writing, the Customer must not use the Service for processing that requires special contractual, regulatory, or sector-specific commitments beyond those in this DPA.

6. Confidentiality

We will ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

7. Security Measures

7.1 We will implement and maintain reasonable technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

7.2 Our current baseline security measures are described in Annex C.

7.3 The Customer acknowledges that no system can be completely secure and that the Customer remains responsible for configuring the Service and its own workflows appropriately for the Customer's risk profile.

8. Subprocessors

8.1 The Customer authorises us to use the Subprocessors listed in Annex B.

8.2 We may appoint or replace Subprocessors from time to time, provided that we remain responsible for the Subprocessor's processing to the extent required by Applicable Data Protection Law.

8.3 Where required by law or contract, we will make updated Subprocessor information available through our legal documentation or by notice to the Customer.

9. Assistance

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to the Customer with:

  • data subject requests
  • security obligations
  • personal data breach obligations
  • data protection impact assessments and prior consultations, where applicable

Any assistance beyond the normal features of the Service may be subject to reasonable charges and resource availability.

10. Personal Data Breaches

If we become aware of a personal data breach affecting Customer Personal Data, we will notify the Customer without undue delay after confirmation, taking into account the information reasonably available to us and any restrictions imposed by law.

11. International Transfers

11.1 Some Service providers, especially AI providers and their upstream model providers, may process Customer Personal Data outside the EEA.

11.2 Where we transfer Customer Personal Data internationally, we will aim to rely on an appropriate lawful transfer mechanism, such as:

  • an adequacy decision
  • standard contractual clauses
  • or another mechanism recognised under Applicable Data Protection Law

11.3 The Customer acknowledges that the Service may involve OpenRouter and the underlying model providers selected through our configuration, which may process submitted content outside the EEA.

12. Deletion and Return

Upon termination of the relevant Service relationship, we will delete or return Customer Personal Data in accordance with:

  • the Service's standard deletion or export functionality
  • the Customer's lawful written instructions
  • our legal obligations
  • our ordinary backup retention and overwrite cycle

We may retain Customer Personal Data to the extent required by law or where necessary to establish, exercise, or defend legal claims, subject to appropriate safeguards.

13. Audits and Information

13.1 We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.

13.2 Any audit right will be exercised in a manner that:

  • is limited to once per 12-month period unless a verified security incident or legal requirement justifies more
  • begins with documentation review and remote information requests
  • avoids unreasonable disruption to our business and other customers
  • is subject to reasonable confidentiality protections

13.3 On-site audits, if ever required, must be agreed in advance, limited in scope, and carried out at the Customer's expense unless otherwise required by law.

14. Liability and Order of Precedence

14.1 Each party's liability under this DPA is subject to the liability allocation and limitations in the main customer agreement, except to the extent prohibited by Applicable Data Protection Law.

14.2 If there is a conflict between this DPA and the main customer agreement on data-protection matters, this DPA prevails to the extent of the conflict.

15. Contact

For privacy or DPA questions:

  • privacy@expensecaptureai.com
  • legal@expensecaptureai.com

Annex A — Details of Processing

A1. Subject Matter

Provision of the ExpenseCaptureAI Service for business receipt, invoice, and expense-document workflows.

A2. Duration

For the duration of the customer relationship and any additional period during which we retain Customer Personal Data in accordance with the customer agreement, lawful instructions, legal obligations, or ordinary backup retention.

A3. Nature and Purpose

Processing operations may include:

  • collection
  • receipt
  • storage
  • organisation
  • classification
  • analysis
  • extraction
  • transformation
  • retrieval
  • correction support
  • export
  • deletion
  • support and security processing

The purpose is to provide the Service and related support, security, and maintenance.

A4. Categories of Data Subjects

Depending on how the Customer uses the Service, data subjects may include:

  • the Customer's personnel, contractors, or authorised users
  • employees or workers whose expenses or reimbursements are processed
  • suppliers, merchants, service providers, or invoice counterparties
  • customers or counterparties whose details appear on submitted business documents
  • other individuals whose personal data appears in receipts, invoices, bills, or attachments submitted by the Customer

A5. Categories of Personal Data

Depending on use, Customer Personal Data may include:

  • names
  • email addresses
  • company or employer identifiers
  • business contact details
  • invoice and receipt details
  • financial and transaction details appearing in business documents
  • tax identifiers or VAT details appearing in business documents
  • travel, accommodation, meal, or reimbursement details appearing in business documents
  • document metadata
  • extracted structured expense data

A6. Special Categories / Sensitive Data

The Service is not intended for the routine processing of special-category personal data or criminal-offence data. If the Customer nonetheless includes such data in Customer Content, the Customer remains responsible for ensuring it has a lawful basis and an appropriate risk assessment for doing so.

Annex B — Current Subprocessors

Subprocessor Purpose Location / transfer notes
Amazon Web Services cloud infrastructure, object storage, email infrastructure, queues, and related support services EU infrastructure, including eu-north-1 for the current validated stack
OpenRouter, Inc. and the underlying model providers selected through our configuration AI inference and document-extraction request routing may involve processing outside the EEA depending on the configured model path
EEA-based VPS hosting provider engaged for the application runtime application hosting and related infrastructure support EEA; provider details may change from time to time and will be reflected in our then-current subprocessor information

Annex C — Security Measures

Our current baseline measures include:

  • account authentication controls
  • session cookies configured as first-party, httpOnly, and sameSite=lax
  • access controls limiting access to operational systems
  • logging and security monitoring for service operations
  • use of private object-storage configuration for customer documents
  • encryption in transit for external service communications
  • server-side storage protections and cloud-provider controls where configured on the live stack
  • backup and recovery procedures appropriate to the scale of the Service
  • reasonable vendor-management controls for third-party providers involved in the Service
  • incident-response handling for suspected security events

These measures may evolve over time so long as the overall level of security for the processing is not materially decreased.