Effective:  March 2017

Introduction

Itemize is committed to building excellent relationships with its user community.  Toward that end, Itemize maintains the confidentiality and security of the information about its users and their organizations that they provide to Itemize or that Itemize may learn as a result of their use of Itemize services.

This Privacy Policy describes the types of information Itemize may obtain when a user establishes or uses an Itemize account, whether by way of the Itemize website or through the Itemize mobile apps, and how Itemize may use this information.

When users establish an Itemize account, they provide certain personally identifiable information (“PII”) to Itemize.  When users access and use their account, Itemize automatically gathers and stores additional information about how and when Itemize services are being used.  This information is not tied to a user’s PII and cannot be accessed to retrieve personally identifiable information about any user.

All PII and other information Itemize obtains about a user is and remains the user’s property.  Itemize does not acquire any ownership interest in any of the information.

If any user has any question about this Privacy Policy or the manner in which Itemize administers it, or believes that Itemize has violated this Privacy Policy, please contact: support@itemizecorp.com.  Itemize will respond to such questions as promptly as reasonably practicable.

This Privacy Policy is incorporated into and is a part of the Itemize Terms of Service.  By establishing an account with Itemize through its website or mobile app, or by using Itemize services, users automatically agree to the provisions of the Terms of Service and this Privacy Policy, including the provisions that permit Itemize to process, use and disclose user information in accordance with this Privacy Policy and the provisions that limit Itemize’s liability under certain circumstances and for certain matters.

Information Provided by Subscribers

When users establish an Itemize account, and when they access the account, they will be requested to provide an e-mail address, and may be requested to provide certain additional information such as their name and the country where they reside or work.  In addition, when a user becomes a paid subscriber, it will be required to provide payment account information to Itemize’s third party payment processor.  Itemize does not have any access to and does not store the credit card or other payment account number a user provides to the payment processor.

Itemize may also receive a user’s PII from third persons with which Itemize has a joint marketing, co-branding or other partnership arrangement, from companies that offer their products and/or services through Itemize services and from companies that provide services in connection with Itemize services, such as expense management and payment processing services, accounting software providers, credit card processing companies and commercial banking and other financial institutions. These third persons are referred to as “Partner Companies.”

At the request of Itemize, a user may provide non-personally identifiable personal information, such as demographic information, including postal code, gender and education, and information about preferences, attitudes and behavior. Itemize does not request any information from its users unless it is relevant to the services provided by Itemize.

Itemize will not sell, rent or license a user’s PII.  Itemize will not use a user’s name or company’s name in its marketing materials without the user’s prior consent.

By establishing an Itemize account, users authorize Itemize to gather and retain information relating to the users’ online and offline purchases, and to organize, arrange, sort and parse this information. This information should not include a user’s payment account details, such as the user’s uniquely identifying credit or debit card number, PIN or access code.  Applicable law in the United States and elsewhere prohibits the display of such data in a receipt.  If a merchant issues a receipt or other purchase document that contains this information, or if a user scans or otherwise uploads to its account an image of a credit card, check, bank or credit card account statement or other document that displays such information, Itemize will attempt to delete the information when it processes the purchase document, but Itemize cannot assure users that any such attempt will be successful.

Users may elect to connect their e-mail or other accounts with Itemize.  By establishing this connection, users automatically authorize Itemize to act on their behalf to search their e-mail or other accounts to extract and store documents that the Itemize system recognizes as purchase documents, such as receipts, bills, invoices, purchase orders, shipping notices and reservations, and to extract transaction data and other information contained in these documents.  Some of the documents extracted may in fact not be purchase documents.  Itemize will attempt to delete and not store any document that is not a purchase document, but Itemize cannot assure users that any such attempt will be successful.

By subscribing to certain Itemize services, users authorize Itemize to transfer information it obtains from a user to Partner Companies with which the user also maintains an account.  For example, a user may elect to connect its Itemize account to its account with a provider of accounting software services.  A user thereby authorizes Itemize to transfer to its accounting records data contained in payment documents that the user uploads to its Itemize account and to extract data from the user’s accounting records.

A user may also elect to connect its Itemize account to its credit card and bank account for the purpose of matching purchase transactions evidenced by payment documents that the user uploads to its Itemize account to transactions indicated on the user’s credit card or bank statement. As a result, Itemize will have access to data included in the user’s credit card or bank statement.  Itemize only has access to such data through third parties on an anonymized basis and should not be able to connect the data to any identifiable user.  This data should not include the user’s credit card or bank account number or other PII.

Any PII that a user provides to Itemize or that Itemize obtains about a user from Partner Companies will be stored and managed with appropriate care.  Itemize has entered into a contract with a nationally recognized third party provider of cloud-based storage services and forwards the information that a user uploads to his or her account for storage under this contract.  Itemize subcontracts with other service providers to assist Itemize in providing its services.  Itemize may furnish PII of users to these service providers to enable them to provide their services to Itemize.  The arrangements with these service providers include appropriate confidentiality provisions with respect to users’ PII.

Itemize may have liability pursuant to the EU-US Privacy Shield with respect to the onward transfer to third parties of data it receives from users in the European Union. Itemize will provide European Union users an opt-out or opt-in choice before sharing their data with third parties, other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.

The Itemize website may from time to time offer publicly accessible blogs or community forums.  Users may comment on our blogs and submit information to these forums, including, if they choose, PII and other sensitive information.  In addition, the Itemize website may display reviews of its services and products that users have posted on third party sites.  Users should be aware that this information, including the reviews of Itemize services and products, can be read, collected and used by other users of Itemize services.  Itemize is not responsible for the information users choose to include in any comment on our blogs or our community forums or in a review that a user posts on a third party site, and this Privacy Policy does not apply to any such information.

Information Automatically Collected and Stored by Itemize

Itemize automatically collects and stores certain information about users’ visits to their Itemize accounts. This information includes, among other matters, the visitor’s web request, Internet Protocol address, browser type, referring/exiting pages and navigational data like Uniform Resource Locators (URLs), geographic location, domain names, pages viewed and the date, time and duration of the visit.

Itemize collects this information through cookies, which are small text files placed in the computer of a user, and electronic images, known as web beacons or single-pixel gifs.  Cookies and beacons do not collect PII.  Information from cookies and beacons is not combined with a user’s PII to identify an individual user’s browsing frequency, purchasing activity or other behavior.  Cookies and beacons are never shared with third persons.

Users may disable Itemize cookies by following Internet browser help file instructions on their computer.  However, Itemize recommends that users not do this.  Disabling cookies may diminish the utility of the Itemize services in significant ways.

Use of Information Provided by Users

Itemize will use the information it obtains from a user to render reports requested by the user and to provide other services requested by the user, such as transferring payment document data to accounting records or matching payment transactions between payment documents and credit card or bank statements.

Itemize will also use the information it obtains about users to monitor and analyze their request and usage patterns in order to allow Itemize to customize and improve the content, features and functionality of its system and Itemize services, to help users better manage their Itemize accounts and to enhance the benefit they derive from Itemize services.  Itemize will also use the information to ensure that users are complying with the Itemize Terms of Service and, if necessary, to correct a problem with Itemize’s system.  In addition, Itemize will use the information to take appropriate action with respect to suspected fraud or illegal activities or if disclosure is required by applicable law, including in response to a subpoena or other court process.  Lastly, Itemize may be required to disclose information obtained from a user, including personal information, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Certain services provided by Itemize involve the transfer of users’ information to other accounts of the user.   Itemize may also use the information to market to its users Itemize services and products or services offered by third persons.  The information may also be anonymized and/or aggregated with like information of other users to compile statistical and other information, including information about the preference of users of Itemize services.  This anonymized or aggregated statistical and other information may be provided to Partner Companies and other third persons which may be interested in evaluating market trends or in marketing their own products or services.

Itemize does not disclose personally identifiable or sensitive information about a user to any third person without the user’s prior consent, except for the purposes described in the last two sentences of the second paragraph of this section.   Itemize may also share some or all of a user’s PII with subsidiaries and other affiliates of Itemize. Any information that is provided to a subsidiary or other affiliate will be subject to this Privacy Policy.

With respect to users in Australia, Itemize is unlikely to disclose personal or sensitive information to a recipient outside of Australia.  However, Itemize is likely to process information uploaded to users’ accounts in the United States and may provide anonymized and aggregated data that includes information with respect to Australian users to its Partner Companies and other third persons, which are likely to be in the United States, Canada, the United Kingdom and countries that are members of the European Union.  Any information Itemize provides to a third person will be provided under appropriate confidentiality and security arrangements.

Links to other Sites and Accounts

The Itemize website may provide links to other websites as a convenience to Itemize users.  Itemize may, as requested and authorized by the user, transfer information in the user’s Itemize account to other accounts of the user, such as an account with a provider of accounting software services and credit card and bank accounts.  Itemize does not review and has no control over these linked sites or accounts.  This Privacy Policy does not apply to information Itemize users furnish after they enter a linked site or to information after Itemize transfers it to a linked account.  Itemize is not responsible for the privacy or use of any information users furnish to the linked site or that is stored in the linked account after it is transferred by Itemize.  Before users access any link provided by Itemize or request Itemize to transfer information to another account of the user, users should read carefully the privacy and other policies posted on the linked website or applicable to the linked account.  Itemize does not provide a warning to its users about any of the foregoing matters before they enter a linked site or information is transferred to a linked account.

Each user that subscribes to Itemize transaction matching services expressly authorizes and grants Plaid Technology, Inc. (“Plaid”) the right, power and authority, acting on behalf of such user, to access and transmit the user’s bank account data to Itemize in accordance with Plaid’s privacy policy, which is available at [               ].   By subscribing to or using Itemize transaction matching services, the user agrees to Plaid’s privacy policy.

Change, Suppression or Deletion of Information

Itemize acknowledges that users have the right to access the personal information that Itemize maintains about them.  A user who seeks access, or who seeks to correct or amend inaccurate PII or other data or information, should log on to its account and follow the appropriate prompts provided.

If a user determines that a purchase document that has been uploaded contains full credit or debit card or bank statement information, or other sensitive information that the user does not want Itemize to have access to or to store, the user may suppress the display of the information by logging on to its Itemize account and following the appropriate prompts provided.  The user may also request that the information be deleted  by contacting Itemize at support@itemizecorp.com.  Itemize will comply with any such request as soon as reasonably practicable.

If a user does not want to receive electronic or other mailings from Itemize with respect to marketing or other matters, the user should contact Itemize at support@itemizecorp.com and provide its exact name and postal or e-mail address.  Itemize will then remove the user’s name from its mailing list, except for communications regarding security breaches and other administrative matters.  However, even if a user has opted not to receive notices from Itemize, certain notices may affect or govern the use of Itemize services and the user will be bound by these notices in connection with its use of the affected Itemize services.

Upon termination of service, a user may request that any information, document or image stored in its Itemize account be deleted irretrievably by contacting Itemize at: support@itemizecorp.com.  Itemize will comply with any such request as soon as reasonably practicable.

With respect to users in Australia, if Itemize is satisfied, having regard for the purpose for which the information is held, that the information is inaccurate, out of date, incomplete or misleading, Itemize will take such steps, if any, that are reasonable in the circumstances to correct such information so that, having regard for the purposes for which the information is held, it is accurate, up-to-date, complete, relevant and not misleading.  If Itemize corrects personal information about an individual that previously has been disclosed to another entity, Itemize will take such steps, if any, that are reasonable in the circumstances to notify the other entity of such correction.

Security

The personal and sensitive information that users upload to, and that is stored in, their account is protected by the users’ unique e-mail address and password login.  Itemize takes reasonable steps that are appropriate to secure the information stored in users’ accounts. Only Itemize employees who need access to users’ PII will have access to this information.  These employees are made aware of and periodically reminded about this Privacy Policy and Itemize’s security practices.

Itemize follows generally accepted industry practices and standards to protect PII and other information submitted to Itemize by users.   These practices include the encryption of the transmission of information using secure socket layer (“SSL”) technology.  Nevertheless, no method of transmission over the Internet or method of electronic storage of information is completely secure, and Itemize cannot guarantee the security of the information users provide to Itemize.

In addition, there are many events and circumstances beyond Itemize’s control that could interfere with access to or the use of Itemize services. Among others, these events and circumstances could include electrical and other interruptions, human error, loss or corruption of data, a breach of security or other unauthorized intrusion.  Itemize is not responsible for any of these events or circumstances.

If Itemize becomes aware of a material security breach or other unauthorized intrusion affecting its system, Itemize will use reasonable commercial efforts to notify users electronically, either by email or by posting an appropriate notice on its website.  In addition, Itemize will provide users with any notice required by applicable law in the form and manner required by law in the event of any security breach.   Users consent to any such notice, as well as to communications to them regarding privacy and administrative issues.

Certain Information Concerning Government Regulation

Itemize is hosted primarily in the United States.  Information hosted in the United States is subject to the laws, rules and regulations as to privacy, data protection and other matters of the United States and its various states.  Itemize is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.  Users who are resident in California may request and obtain once a year, free of charge, certain information about any PII Itemize disclosed to its Partner Companies or other third persons in the prior calendar year.  Any user resident in California who wants such information should send such request to Itemize at support@itemizecorp.com.

The U.S. Health Insurance Portability and Accountability Act (“HIPAA”) prohibits the disclosure by certain “covered entities” and their business associates of an individual’s protected health information without a valid authorization of the individual.  If and to the extent that Itemize is a covered entity (or a business associate of a covered entity) under HIPAA, by using Itemize services, a user automatically authorizes Itemize to use and disclose any protected health information uploaded by the user to its Itemize account in the same manner and for the same purposes that Itemize may use non-personally identifiable information about the individual as described in this Privacy Policy.

The Itemize Terms of Service contains certain additional information about certain laws and regulations applicable to Itemize services.

Certain Provisions Applicable to Users in the European Union

Itemize complies with the EU-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from countries that are members of the European Union.   Itemize has certified that it adheres to the EU-US Privacy Shield Principles of notice; choice; accountability for onward transfer of data to third persons; security; data integrity and purpose limitation; access; and recourse, enforcement and liability.  If there is any conflict between the provisions of this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  For more information about the EU-US Privacy Shield Program, and to view our certification page, please visit https://www.privacyshield.gov/

If Itemize utilizes data processors to perform tasks on behalf of or under the instruction of Itemize, Itemize will require these data processors to enter into a written agreement that requires them to provide an appropriate level of protection for the personal and sensitive information that Itemize itself provides.

If a user is located in the European Union, Australia or another country, the laws in those jurisdictions governing data collection and use may differ from the laws of the United States.  In order to comply with laws of the European Union or its member states, or the laws of other jurisdictions, Itemize may transfer a user’s information to a hosting location operated or maintained by Itemize or one of its affiliates, or by a third person on its behalf, in a location that complies with the laws of such jurisdiction. By using Itemize services, a user consents to any of these transfers.

Limitation of Liability

Itemize’s Terms of Service contains exclusions and limitations on its responsibility and liability with respect to a number of matters, including the loss, unauthorized use, corruption or lack of accuracy, completeness or correctness of any information in a user’s Itemize account or of any information that is provided to a user by Itemize based on information in the user’s account or that is transferred to Itemize from, or by Itemize to, another account of the user.

Resolution of Disputes

The Itemize Terms of Service require that any dispute in the United States relating to the Terms of Service, including a dispute relating to this Privacy Policy, be resolved in a court located in the City, County and State of New York. The resolution of disputes brought by EU individuals under the EU-US Privacy Shield is described in the next two paragraphs.

In compliance with the EU-US Privacy Shield Principles, Itemize commits to resolve complaints from European Union citizens about their privacy and Itemize’s collection and use of their personal information.  European Union citizens with inquiries or complaints regarding this Privacy Policy should first contact Itemize’s general counsel at legal@itemizecorp.com.

Itemize has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If a user does not receive timely acknowledgment of its complaint, or if the complaint is not satisfactorily addressed, the user may visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. If a user’s complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Merger or Sale of Itemize

In the event of a merger, consolidation, business combination or other sale of Itemize or a sale or other transfer of its business and assets, the information Itemize has collected from users, including PII, will be transferred to the person or entity to which Itemize is sold or the business and assets are transferred.  After the transfer, such information will be subject to the applicability of this Privacy Policy or the privacy policy of the entity that acquires Itemize or its business and assets.

Amendments to this Privacy Policy; Copies

Itemize reserves the right to change this Privacy Policy in whole or in part at any time and from time to time.  Changes will be posted on the Itemize website and will be effective upon posting. If Itemize makes any material change to this Privacy Policy, it will make a reasonable commercial effort to notify users a reasonable time prior to the effectiveness of the change either by email or by posting the notification on its website.  Use of Itemize services following any such change constitutes a user’s acceptance of the change.

A user in Australia may request a copy of this Privacy Policy in a particular form by contacting Itemize at support@itemizecorp.com.   Itemize will take reasonable steps to provide the user with a copy in the form requested.