Privacy Policy

Effective: April 21, 2021

This Privacy Policy describes the privacy practices of OpenEnvoy, Inc., its subsidiaries, and affiliates (collectively, “OpenEnvoy”, “we”, “us”, or “our”) with respect to personal information. This Privacy Policy describes the personal information that OpenEnvoy collects from or about users of our websites, our products and services, and sets out how we collect, use, disclose, and otherwise process the information, as well as the rights available to individuals with respect to their information.

OpenEnvoy is the data controller in relation to the personal information we process in connection with our websites (including job applications submitted through our websites) and is primarily responsible for how our website users’ personal information is processed. OpenEnvoy is the data processor in relation to the personal information we process in connection with our products and services and we process such information only on behalf of and upon the instruction of the relevant customer.

Personal information we collect

Whose information we collect

We may collect information about a variety of individuals who interact with OpenEnvoy, including visitors to our websites, our customers as well as their employees or contractors, and others.

How we collect the information

We may collect information about individuals:

  • Directly from individuals
  • Through our websites
  • From customers of our products and services
  • From third-party expense reporting tools, as authorized by our customers
  • From social media services that you connect with through our websites or when using our products or services
  • From third-party vendors or business partners

Types of information we collect

The types of information we collect include:

  • Contact information (such as name, employer name, and email address)
  • Employee identification number
  • Expense report details (such as merchant information)
  • Information individuals submit in connection with expense reports such as copies of receipts, names, and affiliations of attendees at activities incurring expenses, and explanations of business purposes/justifications
  • Username and password that an individual may select in connection with establishing an account for use of our products and services
  • Geolocation information from users of our websites
  • For job applicants, information of the type that would be included on a resume, such as work experience, education, and languages spoken

We, our service providers, and our business partners may also collect certain information about the use of our websites by automated means. Please see the “Cookies and other information collected by automated means” section of this Privacy Policy for more information.

How we use personal information

In this section, we set out the purposes for which we process personal information and identify the legal grounds on which we rely to process the information.

In some cases, OpenEnvoy has a legitimate interest to process the personal information that we collect, such as to support our recruitment activities, administer our products and services (including to support, communicate about, and analyze the use of our products and services), establish and maintain customer accounts, and operate, evaluate, and improve our business, our websites, and other products and services we offer (including research and development of new products and services), or facilitate a sale of assets or merger or acquisition.

In other cases, OpenEnvoy processes personal information to fulfill our contracts with our customers and provide the requested products and services.

OpenEnvoy may also process personal information with individuals’ consent, for which individuals will receive notice at the time of collection.

In limited situations, it may be necessary for OpenEnvoy to process personal information in order to comply with our legal obligations, such as to protect against, identify, investigate, and respond to fraud, illegal activity (such as incidents of hacking or misuse of our websites, products or services), claims and other liabilities, including by enforcing the terms and conditions that govern the services we provide.

We may also aggregate and/or de-identify any information that we collect, such that the information no longer identifies any specific individual. We may use, disclose, and otherwise process such information for our own legitimate business purposes – including historical and statistical analysis as well as business planning – without restriction.

How we share personal information

OpenEnvoy may share personal information as described in this Privacy Policy. In all cases, we take measures to share only the information that is needed to fulfill the purposes for which we share the information.

We may share personal information with:

  • OpenEnvoy affiliates and subsidiaries, for the purposes described in this Privacy Policy
  • Service providers that perform services on our behalf, or partners whom we may collaborate with, in each case for the purposes described in this Privacy Policy. The types of service providers and partners with whom we may share personal information may include:
      • Customer service and support providers
      • Technology providers (including technology support, central reservation system providers, keyless entry providers, email and web hosting providers, and email communications providers)
      • Advertising and marketing partners
      • Analytics organizations

Unless prohibited by applicable law, we reserve the right to transfer the information we maintain in the event we sell or transfer all or a portion of our business or assets (or during the negotiations of such sale or transfer). If we engage in such sale or transfer (or related negotiations), we will – where required by applicable law – make reasonable efforts to direct the recipient to use the personal information we provide in a manner that is consistent with this Privacy Policy. After such sale or transfer, individuals may contact the recipient with any inquiries concerning the processing of their personal information.

In addition, we may share personal information to comply with legal and regulatory requirements to protect against and prevent fraud or illegal activity (such as identifying and responding to incidents of hacking or misuse of our websites, products or services), claims, and other liabilities.

Cookies and other information collected by automated means

We, our service providers, and our business partners may collect certain information about the use of our website by automated means, such as cookies, web beacons, and other technologies. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected devices to uniquely identify the visitor’s browser or store information or settings in the browser. Please see our Cookies Policy for further information. A “web beacon,” also known as an Internet tag, pixel tag, or clear GIF, is used to transmit information back to a web server. We, and our service providers and business partners, may collect information about individuals’ online activities over time and across third-party websites when an individual uses our website.

The information that may be collected by automated means includes:

  • Details about the devices that are used to access our websites (such as IP address, operating system, and web browser)
  • Location information, for example, of a mobile device accessing our websites
  • Dates and times of visits to, and use of, our websites
  • Information about how our websites are used (such as the content that is viewed on our websites and how users navigate between our web pages)
  • URLs that refer visitors to our website
  • Search terms used to reach our websites

Web browsers may offer users of our websites the ability to disable certain types of cookies; however, if cookies are disabled, some features or functionality of our websites may not function correctly.

Some of the business partners that collect information about users’ activities on our websites may be members of organizations or programs that provide choices to individuals regarding the use of their browsing behavior for purposes of targeted advertising. For example, users may opt-out of receiving targeted advertising on websites through members of the Network Advertising Initiative or the Digital Advertising Alliance. European users may opt-out of receiving targeted advertising on websites through members of the European Interactive Digital Advertising Alliance, selecting the user’s country, and then clicking “Choices” (or similarly-titled link). Please note that we also may work with companies that offer their own opt-out mechanisms and may not participate in the opt-out mechanisms that we linked above.

Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (“DNT”) mechanisms, we do not respond to web browser-based DNT signals at this time.

Data retention

Our retention periods for personal information are based on business needs and legal requirements. We retain personal information for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible related purpose. When we no longer need the personal information we collect, we either irreversibly anonymize the information (in which case, we may further retain and use the anonymized information) or securely destroy the information.

Privacy preferences, rights, and choices

Individuals have certain rights and may make certain choices regarding OpenEnvoy’s processing of their personal information.

Please note that if the exercise of these rights limits our ability to process personal information, we may be precluded from providing our products or services to individuals who exercise these rights, or from otherwise engaging with such individuals going forward.

We reserve the right to verify the identity of the individual in connection with any requests regarding personal information to help ensure that we provide the information to individuals whom the information pertains to and allow only those individuals or their authorized representatives to exercise rights with respect to that information.

You can make choices about OpenEnvoy’s collection and use of your data. How you can access or control your personal data will depend on which Sites or Services you use.

Your communication preferences.

You can choose whether to receive promotional email, text messages, telephone calls and/or postal mail from OpenEnvoy. To manage your available communication preferences:

  • Visit our Subscription Center to opt-out of receiving email.
  • Follow the instructions included in a promotional email from us to unsubscribe.
  • Send us a message to the email or postal address, including your name, email address and specific, relevant information about the communications you no longer wish to receive.

For information about the rights and choices users have in respect to cookies, online advertising and tracking, please see the “Cookies and other information collected by automated means” section of this Privacy Policy.

General objections to the processing of personal information

To the extent provided by applicable law, individuals may withdraw any consent previously provided to us or object at any time on legitimate grounds, to the processing of their personal information. We will apply these preferences going forward. In some circumstances, withdrawing consent to OpenEnvoy’s use or disclosure of personal information may mean that OpenEnvoy will no longer be able to provide certain products or services to individuals who withdraw consent.

Access to personal information

Individuals may request access to the personal information OpenEnvoy maintains about them. If we grant this request, we will provide the individual with a copy of the personal information we maintain about them in the ordinary course of business, in a commonly used format. Individuals may request to correct any errors in their personal information. We may reject such requests to access or correct personal information, as permitted by applicable law. If we reject such requests, we will notify the requester of the reason(s) for the rejection.

Deletion of personal information

Individuals may request that we delete their personal information. We may reject such requests, as permitted by applicable law. If we reject such a request, we will notify the requester of the reason(s) for the rejection.

Marketing emails

Individuals may unsubscribe from receiving marketing or other commercial emails from OpenEnvoy by following the instructions included in the email or by contacting OpenEnvoy using the contact information below. However, even if an individual opts out of receiving such communications, we retain the right to send them non-marketing communications (such as changes in our website terms).

How we protect personal information

OpenEnvoy maintains reasonable administrative, technical, and physical safeguards designed to protect the personal information we maintain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure, or use. However, we cannot guarantee that the measures we maintain will ensure the security of personal information.

Links to websites and third-party content

We may provide links to websites and other third-party content that are not owned or operated by OpenEnvoy. The websites and third-party content to which we link may have separate privacy notices or policies. OpenEnvoy is not responsible for the privacy practices of any entity that it does not own or control.

Your California Privacy Rights

This section provides information regarding Californian residents’ rights under the California Consumer Privacy Act (CCPA). The CCPA provides rights to California consumers to be notified about the collection, use and sale of their personal information, their right to request access to their personal information, request to opt out of the sale of personal information, request for deletion of personal information and the right to non-discrimination for exercising these rights.

You have a right to know about personal information OpenEnvoy has collected, used, or disclosed about you in the last 12 months. We do not sell personal information. You may exercise your rights allowed to you under the CCPA by completing and submitting this form here or by emailing to We may ask you to verify your identity prior to us fulfilling your request.

OpenEnvoy will not discriminate against you for exercising your rights under CCPA. Specifically, we will not:

  • Deny access to our software or services;
  • Charge a different rate for the use of our software or services; or
  • Provide a different quality of product or service;

International data transfers

Privacy Shield for EEA and Swiss Individuals

OpenEnvoy complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. OpenEnvoy has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework, and to view our certification, please visit

The US Federal Trade Commission (FTC) has jurisdiction with enforcement authority over OpenEnvoy.

OpenEnvoy’s participation in the Privacy Shield applies to all personal data that is received from the European Union and Switzerland. OpenEnvoy will comply with the Privacy Shield Principles in respect to such personal data.

The types of personal data received by OpenEnvoy in the course of it providing its subscription service to a customer typically include names, addresses, email, network files (such as Expense Receipts, Microsoft Word, PowerPoint, Excel docs), HR Information, Supplier Address, Supplier Contact, Supplier Payment Information and image files. All data received by OpenEnvoy including personal data will be preserved in its original state throughout processing.

Pursuant to the Privacy Shield Frameworks, OpenEnvoy acknowledges the following:

EU & Swiss individuals whose data has been transferred into the United States have the right to access that data. If OpenEnvoy holds this data in its capacity as a data processor, any individual requests for access will be referred to our appropriate customer, who is the controller of that data. If you are an EU or Swiss individual who wishes to exercise this right and you either do not know who your controlling data entity is, or you are unable to reach them, please refer to the “How To Contact Us” section of this policy below and we will assist you in locating the correct party.

We may be required to disclose an individual’s personal data in response to lawful requests from public authorities including to meet national security and law enforcement requirements.

OpenEnvoy will only use the data it receives from a customer for the specific purposes outlined in our agreement with that customer.

No personal information will be disclosed to any non-agent third parties for purposes other than those for which the data was originally provided. If in the future, this practice changes, OpenEnvoy will update this Privacy Policy and provide individuals with a choice regarding the sharing of their personal data with such non-agent third parties.

OpenEnvoy may share data with agent third parties. For more information on this data sharing practice, please refer to the “How we share personal information” section above.

OpenEnvoy remains liable for the onward transfer of EEA and Swiss personal data in accordance with the Privacy Shield Principles, including the onward transfer liability provisions. Whenever we transfer your personal information out of the EEA to countries not deemed by the European Commission to provide an adequate level of personal information protection, or out of Switzerland, the transfer will be based on one of the following safeguards recognized by the European Commission as providing adequate protection for personal information, where required by EU data protection legislation:

  • Contracts approved by the European Commission which impose data protection obligations on the parties to the transfer. For further details, see EU Model Clauses for the transfer of personal information to third countries.
  • For transfers to third parties in the United States, ensuring they participate in the EU-U.S. Privacy Shield Framework or Swiss-US Privacy Shield Framework.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the EEA or Switzerland.

In compliance with the Privacy Shield Principles, OpenEnvoy commits to resolve complaints about our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding our data privacy practices should contact here.

OpenEnvoy has further committed to refer unresolved Privacy Shield complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU Privacy Shield. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit for more information and to file a complaint. The services of BBB EU Privacy Shield are provided at no cost to the individual.

As further explained in the Privacy Shield Principles, an individual has the option, under certain conditions, to invoke binding arbitration for complaints not resolved by any of the other Privacy Shield mechanisms noted above. Click here for more detailed information on binding arbitration provisions.

OpenEnvoy commits to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by the panel or Commissioner with regard to human resources data transferred from the EU or Switzerland in the context of the employment relationship.

Updates to our Privacy Policy

OpenEnvoy reserves the right to change this Privacy Policy at any time. When we make any updates to this Privacy Notice that are deemed material under applicable legal requirements, we will notify individuals of such changes by updating the date of this Privacy Policy and providing other notification as required by applicable law. We may also provide notification of such changes to the Privacy Policy in other ways, such as via email or using other contact information provided to us.

For all other changes, please review the Privacy Policy from time to time to stay informed of how we are processing personal information.

How to contact us

Individuals may contact us with questions, comments, or complaints about this Privacy Policy or our privacy practices, or to exercise any of the rights or choices they may have under applicable law. Our contact information is as follows:

Outside of the EEA & Swiss

Attn: Privacy
OpenEnvoy, Inc.
317 South 6th
Las Vegas, NV 89138

Via Email

OpenEnvoy Cookies Policy

Effective date: September 1, 2020.

Consent & Cookie Settings

Customize your cookie settings by going to the Cookie Preference Center

What are cookies?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating web domain on your subsequent visits to that domain. Most web pages contain elements from multiple web domains so when you visit the website, your browser may receive cookies from several sources.

Cookies are useful because they allow a website to recognize a user’s device. Cookies allow you to navigate between pages efficiently, remember preferences and generally improve the user experience. They can also be used to tailor advertising to your interests through tracking your browsing across websites.

Session cookies are deleted automatically when you close your browser and persistent cookies remain on your device after the browser is closed (for example to remember your user preferences when you return to the site).

What types of cookies does OpenEnvoy use?

We describe the categories of cookies OpenEnvoy and its service providers or business partners use at the Cookie Preference Center. You can customize your cookie settings there.

Furthermore, some parties that set cookies via our site may offer the ability to opt-out of cookies via the Network Advertising Initiative’s consumer opt-out tool, the European Interactive Digital Advertising Alliance’s consumer opt-out tool, or the Digital Advertising Alliance’s Consumer Choice Page.

Cookies Policy does not cover third-party websites

Please note that this Cookies Policy does not apply to, and we are not responsible for, the cookie practices of third party websites which may be linked to this Website.

Changes to the Cookies Policy

We may update this Cookies Policy and we encourage you to review the policy from time to time to stay informed of how we are using cookies.

This Data Processing Addendum (hereinafter “DPA”) is effective as of the “Effective Date” specified on the executed Order Form that incorporates this DPA by reference. This DPA is between the Customer (the “Controller”) and OpenEnvoy Inc (“OpenEnvoy”) having its offices at 317 South 6th, Las Vegas NV 89101. The Controller and OpenEnvoy are individually referred to as a “Party” and collectively as the “Parties”. This DPA supplements the OpenEnvoy Services Agreement between the Parties (“Agreement”) under which the Processor provides the Controller software and other services (the “Services”).

The Parties seek to implement this DPA in order to comply with the requirements of GDPR (defined hereunder) in relation to Processor’s Processing of Personal Data as part of its obligations under the Agreement. The terms “Process”, “Processing” and “Personal Data” used in this DPA shall have the same meaning as defined in the GDPR.

This DPA shall apply to OpenEnvoy’s processing of Personal Data, whether provided by the Controller or its data subject (the “Subject”) or/and its affiliates, its end users or otherwise, as part of OpenEnvoy’s obligations under the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

1.1. “Data Transfer” means (1) a transfer of the Personal Data from the Subject to Controller or to OpenEnvoy on behalf of the Controller; or (2) an onward transfer of the Personal Data from the Controller to OpenEnvoy, or between two establishments of OpenEnvoy, or with a Subprocessor by OpenEnvoy.

1.2. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.3. “Standard Contractual Clauses” means the contractual clauses attached hereto as Schedule 1 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection.

1.4. “Subprocessor” means a processor/ sub-contractor appointed by OpenEnvoy for the provision of all or parts of the Services and who Processes the Personal Data as provided by the Controller and/or OpenEnvoy.

2. Purpose of this Addendum

This DPA sets out various obligations of OpenEnvoy in relation to the Processing of Personal Data and shall be limited to OpenEnvoy’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

3. Categories of Personal Data and Data Subjects

The Controller authorizes OpenEnvoy to Process such Personal Data the extent of which is determined and controlled by the Controller. The current nature of the Personal Data is specified in Appendix 1 to Schedule 1 to this DPA.

4. Purpose of Processing

The objective of Processing of Personal Data by OpenEnvoy shall be limited to OpenEnvoy’s provision of the Services to the Controller/ its Subject, pursuant to the Agreement.

5. Controller’s Processing of Personal Data

The Controller warrants that it has the right and authority to request OpenEnvoy to Process the Personal Data and that its instructions for the Processing of Personal Data shall comply with applicable data protection laws and regulations. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which the Controller acquired Personal Data.

6. Duration of Processing

OpenEnvoy will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller.

7. OpenEnvoy’s obligations

a. OpenEnvoy will follow written and documented instructions received, including by email, from the Controller, its affiliate, agents or personnel, with respect to the Processing of Personal Data (each, an “Instruction”).

b. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.

c. At the Controller’s request, OpenEnvoy will provide reasonable assistance to the Controller in responding to/ complying with requests / directions by Data Subject in exercising their rights or of the applicable regulatory authorities regarding OpenEnvoy’s Processing of Personal Data.

8. Data Secrecy

To Process the Personal Data, OpenEnvoy will only use personnel who are (i) informed of the confidential nature of the Personal Data, (ii) actually performing the Services in accordance with the Agreement. Further, OpenEnvoy will maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of the Personal Data. For this clause, an email form of communication by the Parties in determining project specific security standards shall be accepted.

9. Audit Rights

a. Upon Controller’s reasonable request, OpenEnvoy will make available to the Controller, information as is reasonably necessary to demonstrate OpenEnvoy’s compliance with its obligations under the GDPR or other applicable laws in respect of its Processing of the Personal Data. When the Controller wishes to conduct the audit (by itself or through a representative) at OpenEnvoy’s site, it shall provide at least fifteen (15) days’ prior written notice to OpenEnvoy; OpenEnvoy will provide reasonable cooperation and assistance in relation to audits, including inspections, conducted by the Controller or its representative.

b. The Controller shall bear the expense of such an audit.

10. Mechanism of Data Transfers

If the Agreement requires Data Transfer for the purpose of Processing by OpenEnvoy from a country in the European Economic Area (the “EEA”) to a country outside the EEA the Parties agree to be bound by the Standard Contractual Clauses. Where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement and such model clauses have not been executed at the same time as the Agreement or this DPA are accepted, the Standard Contractual Clauses shall be deemed in effect for the purposes and duration of the Agreement upon acceptance of the Agreement or this DPA.

11. Subprocessors

a. The Controller acknowledges and agrees that OpenEnvoy may engage third-party Subprocessor(s) in connection with the performance of the Services, provided such Subprocessor(s) take technical and organizational measures to ensure confidentiality of Personal Data shared with them. If Subprocessor(s) do comply with the aforementioned requirement, it will be deemed that the Controller has approved appointment of such Subprocessor(s). In accordance with Article 28(4) of the GDPR, OpenEnvoy shall remain liable to Controller for any failure on behalf of a Subprocessor to fulfill its data protection obligations under the DPA in connection with the performance of the Services.

b. OpenEnvoy shall execute the appropriate written agreements with the Subprocessors in accordance with, and not less protective than, the provisions of this DPA.

c. If the Controller has a concern that the Subprocessor(s) Processing of Personal Data is reasonably likely to cause the Controller to breach its data protection obligations under the GDPR, the Controller may object to OpenEnvoy’s use of such Subprocessor and OpenEnvoy and Controller shall confer in good faith to address such concern.

12. Personal Data Breach Notification

a. OpenEnvoy shall maintain defined procedures in case of a Personal Data Breach (as defined under the GDPR) and shall without undue delay notify Controller if it becomes aware of any Personal Data Breach, unless such Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons.

b. OpenEnvoy shall provide the Controller with all reasonable assistance to comply with the notification of Personal Data Breach to Supervisory Authority and/or the Data Subject, to identify the cause of such Data Breach and take such commercially reasonable steps as reasonably required to mitigate and remedy such Data Breach.

c. Processor’s notification of or response to a Personal Data Breach under this DPA will not be construed as an acknowledgement by OpenEnvoy of any fault or liability with respect to the data incident.

13. Deletion of Personal Data

Within thirty (30) days of the expiration or termination of the Agreement, OpenEnvoy will delete or otherwise destroy all the Personal Data of Controller still in OpenEnvoy’s possession.

14. Technical and Organizational Measures

Having regard to the state of technological development and the cost of implementing any measure

15. Unlawful Processing of Personal Data

OpenEnvoy will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected.

