Privacy Policy
Company Information
Rally Europe B.V. (“Rally”, “we”, “us”) is a Netherlands-based startup offering expensing, spend management, and card services. Rally Europe B.V. acts as the data controller for the personal data processed in connection with our services. We are committed to protecting your privacy and handling your personal data in compliance with the European Union’s General Data Protection Regulation (GDPR) and other applicable data protection laws. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your data.
Data We Collect
We collect and process various types of information to provide our services. This may include:
- Business Information: Details about the company or business you represent, such as company name, business address, contact details, and tax or registration numbers.
- Employee Information: Personal data of employees or users who are enrolled in our platform, such as name, work email, contact details, position or role, and identification information (if needed for verification).
- Financial Data: Information related to expenses and transactions, including purchase amounts, dates, expense categories, receipts or invoices uploaded, and account balances or spending limits.
- Payment Details: Payment and card information necessary for our card and spend management services. For example, this can include credit or debit card numbers, bank account details for settlements, and transaction history on those cards.
- Usage and Technical Data: When using our website or app, we may collect technical information such as IP address, browser type, device identifiers, and usage logs (e.g. login times and activity on the platform), which help us secure the service and improve user experience.
We collect personal data either directly from you (for instance, when you fill out forms or submit expense reports) or from your employer or organization if they set up an account on your behalf. In all cases, we only collect data that is necessary for the purposes described in this policy.
Purpose of Processing
Rally processes your personal data for clear and specific purposes. We will only use your data as needed to operate and improve our services, as outlined below:
- Providing Our Services: To provide and deliver our expensing, spend management, and card services to you. This includes processing expense reports, issuing and managing payment cards, handling transactions, and enabling you to manage your expenses in real time. We use your data to ensure that purchases and expense submissions are correctly attributed and processed.
- Account Management and Support: To manage your user account (e.g., setting up your profile, authenticating your access, and maintaining account preferences) and to provide customer support. For example, we may use your contact information to send service confirmations, respond to inquiries, or notify you about important changes or issues related to your account.
- Legal Compliance: To ensure compliance with applicable laws and regulations. As a financial services provider, we are required to process certain personal data to meet legal obligations – for example, verifying identities for Know-Your-Customer (KYC) and anti-money laundering regulations, keeping transaction records for financial reporting and audits, and complying with tax and employment laws. Your data is used to fulfill these obligations and to cooperate with regulators or law enforcement where legally required.
- Security and Fraud Prevention: To enhance security of our platform and prevent fraud or misuse. We monitor and analyze data (such as transaction patterns and login activity) to detect suspicious or unauthorized activities. This helps us protect your account and our services against fraud, theft, or other harmful actions. For instance, we may use automated systems to flag unusual spending activity on a company card to prevent fraud, or use authentication data to prevent unauthorized access.
- Improvement of Services and Legitimate Business Interests: To operate and improve our business and services under our legitimate interests. This includes analyzing usage trends to enhance user experience, developing new features or tools that make expense management easier, and performing internal processes like testing and quality assurance. We only use data for these purposes when it does not override your privacy rights. For example, we might review how users interact with certain features to inform product improvements, or use aggregated expense data to improve our budgeting tools – all in ways that respect your confidentiality.
We will not use your personal data for any purpose that is incompatible with the purposes outlined above. If we need to use your data for a new purpose, we will inform you and, if required, obtain your consent.
Legal Basis for Processing
Under the GDPR, we must have a valid legal basis to process your personal data. Rally relies on the following legal grounds for processing:
- Consent: We process certain data based on your consent. When you create an account with Rally or otherwise provide us with your personal information, you are typically asked to agree to this Privacy Policy and our Terms of Service. In these cases, your consent allows us to use your data for the specified purposes. For example, by signing up and inputting your information, you consent to our processing of that data to operate your account. Where we rely on consent, you have the right to withdraw it at any time (see Your Rights below), though note that withdrawing consent will not affect the lawfulness of any processing already performed. Some data uses (like certain optional marketing communications or cookies) will only be done with your explicit consent.
- Performance of a Contract: Many data processing activities are necessary to perform the contract between you (or your employer) and Rally. In other words, we need to process your data to provide the services you have requested. This legal basis applies whenever processing your information is required to fulfill our obligations to you under our user agreement. For instance, processing your expense submissions and payment transactions is necessary to carry out the services we’ve agreed to provide. Without this data, we wouldn’t be able to deliver the core functionality of our platform.
- Legal Obligation: We also process data when it is necessary for compliance with a legal obligation. This means if European Union or member state laws require us to collect or keep certain information, we must do so. For example, financial regulations may require us to retain transaction records for a minimum period, or anti-fraud/anti-terrorism laws may require us to collect and sometimes share information for identity verification. In such cases, the law is the basis for processing, and we will only process the minimum amount of data required to meet our legal duties.
- Legitimate Interests: In some situations, we process your data for legitimate interests pursued by Rally Europe B.V. or a third party, provided these interests are not overridden by your fundamental rights and freedoms. We believe that our legitimate interests in operating a safe, efficient, and innovative expense management service benefit both us and our users. Examples of processing under this basis include: improving and optimizing our platform’s functionality, conducting business analytics (in a privacy-conscious way) to make informed decisions, preventing fraud and securing our system, and communicating with our customers about product updates or industry-related insights. When relying on legitimate interests, we always consider and balance any potential impact on you and your rights. We will not use your data for activities where our interests are outweighed by the possible risk to your privacy. (For instance, if we ever wanted to use data in a way you wouldn’t reasonably expect, we would either seek your consent or ensure it’s covered by another legal basis.)
In summary, Rally will only process your personal data when we have a lawful basis to do so, such as your consent or our legitimate need to provide and improve our services in a manner that respects your privacy. If you have questions about the legal basis for any specific processing activity, feel free to contact us for more information.
Data Sharing with Third Parties
We treat your personal data with care and do not sell or rent your information to third parties for their own commercial purposes. However, to run our business and provide our services, we sometimes need to share data with trusted third parties. We only share the minimum necessary data and only for the purposes described in this policy. The types of third parties with whom we may share personal data are:
- Service Providers (Processors): These are third-party companies that perform services on our behalf, such as cloud hosting providers, data storage services, email and communication platforms, customer support tools, analytics services, and other IT support. We share data with these providers only to the extent needed for them to perform their tasks (for example, storing data on a secure cloud server, or sending an email notification). All our service providers are bound by data processing agreements that require them to handle personal data in compliance with GDPR and to use it solely for providing services to Rally. They are not permitted to use your data for their own purposes.
- Financial and Payment Partners: Since Rally offers card services and expense management, we may work with banking institutions, payment processors, card networks, or financial infrastructure partners. Your personal and financial data may be shared with such partners as necessary to process payments, execute transactions, or issue cards. For example, when you perform a card transaction, details of that transaction and your identity must be shared with the payment processor or bank that handles the payment. These partners are also subject to strict privacy and security obligations.
- Compliance and Regulatory: If required, we will share data with regulatory authorities, law enforcement agencies, or auditors. This sharing will only occur to the extent that we are legally obligated to do so – for instance, responding to a lawful request from law enforcement, or providing data to regulators like the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or financial oversight authorities. We may also disclose information to enforce our terms of service or to protect our rights (or the rights of our users or others) in cases of security incidents or violations – but only in accordance with applicable laws.
- Business Transfers: In the event that Rally Europe B.V. undergoes a business transaction such as a merger, acquisition, corporate reorganization, or sale of assets, your personal data might be part of the assets transferred or shared with involved parties (e.g., a due diligence review). If such a transfer occurs, we will ensure that the recipient of the data is bound by privacy obligations at least as strict as those in this policy, and we will inform you of any significant changes in ownership or data handling.
In all cases of third-party sharing, we strive to minimize the data shared and ensure that appropriate safeguards are in place. We require any third party receiving personal data to provide sufficient guarantees that your data will be kept secure and used only for the intended purpose. Rally never shares your personal data with third parties for their marketing purposes or any use not described in this Privacy Policy. If we ever need to share your data for any other reason, we will obtain your consent or inform you clearly of the reason and legal basis.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal and regulatory requirements. This means:
- Active Account: If you have an active account with Rally, we will retain your personal information for as long as your account is in use or as needed to provide you with our services. This allows us to provide the service continuously (e.g., to maintain your expense history and account settings).
- Closed Account or Inactivity: If you choose to close your account or if it becomes inactive, we will delete or anonymize your personal data after a reasonable period, unless we are required to keep it longer for legal reasons. Before deletion, we may retain your data for a short period in case you reactivate your account or in order to resolve any pending issues (such as an open support ticket or a pending transaction).
- Legal and Compliance Requirements: Certain information may be retained longer to meet legal obligations or legitimate business needs. For example, financial transaction records and associated personal data might be kept for a number of years as required by tax law, anti-money laundering regulations, or accounting rules. These laws often mandate retaining data for a fixed period (for instance, financial records might be kept for 7 years under some regulations). During this retention, your data will remain subject to strict access controls and will only be used for compliance or legitimate internal purposes.
- Disposal: When personal data is no longer needed for any permitted purpose, we will ensure it is securely deleted, destroyed, or anonymized (so that it can no longer be associated with you). We have procedures in place to periodically review the data we hold and erase or anonymize data that is no longer required.
In summary, Rally does not keep personal data indefinitely. We aim to store data for the shortest time necessary, taking into account our legal obligations and the needs of our services. If you have specific questions about our data retention periods for different types of data, you can contact us for more detailed information.
Security Measures
We take the security of your personal data very seriously. Rally implements strong security measures designed to protect your information from unauthorized access, disclosure, alteration, or destruction. In accordance with legal requirements, we apply appropriate technical and organizational safeguards to ensure a level of security appropriate to the risk. Our security measures include:
- Encryption: Sensitive data (such as payment details and passwords) is encrypted both in transit (using TLS/SSL encryption when data is sent between your device and our servers) and at rest (when stored in our databases) to prevent unauthorized reading of your data.
- Access Control: We restrict access to personal data to authorized personnel on a need-to-know basis. Our staff are trained on data protection principles and are bound by confidentiality obligations. We also implement role-based access controls within our systems, ensuring that each employee or service provider can only see the data necessary for their role.
- Security Testing and Updates: Our systems are regularly updated with security patches, and we perform periodic security assessments, vulnerability scans, and penetration testing to identify and fix potential weaknesses. We also monitor our systems for suspicious activity and have intrusion detection/prevention systems in place.
- Organizational Measures: Internally, we maintain policies and procedures to safeguard data (for example, policies on device security, incident response plans, and least-privilege data access). We ensure that any third-party contractors or service providers we use are also required to uphold robust security standards. Before engaging a new vendor, we assess their security practices and continue to monitor their compliance.
While we strive to protect all information, please be aware that no method of transmission over the internet or electronic storage is 100% secure. However, we continuously work to update and improve our security practices to meet or exceed industry standards and legal requirements. In the unlikely event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by GDPR. By using Rally’s services, you acknowledge that you understand these security measures and are aware of the inherent risks, but rest assured we do everything we reasonably can to safeguard your data.
Your Rights Under GDPR
As a user of Rally’s services and a data subject under the GDPR, you have a number of rights regarding your personal data. The GDPR grants individuals specific rights that give them control over how their data is used. You may exercise any of the following rights by contacting us (see the Contact Us section below). These rights include:
- Right to Be Informed: You have the right to be informed about the collection and use of your personal data. This Privacy Policy is part of our effort to keep you informed. We aim to be transparent about how we use your data and will notify you of significant changes in our data processing.
- Right of Access: You can request a copy of the personal data we hold about you. This enables you to understand what information we have and to verify that we are processing it lawfully. Upon request, we will provide you with a summary of your personal data that we process, typically within 30 days and free of charge (reasonable fees may apply for excessive or repetitive requests as permitted by law).
- Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your account information up-to-date, and you can usually make certain changes yourself via your account settings. For other changes, contact us and we will make the corrections promptly.
- Right to Erasure (Right to be Forgotten): You may ask us to delete your personal data in certain circumstances, for example if the data is no longer necessary for the purposes for which it was collected, or if you have withdrawn your consent and we have no other legal basis to continue processing. Upon a valid request, we will erase your data, provided there is no legal obligation or overriding legitimate interest that requires us to keep it. Please note that due to legal requirements (such as financial regulations) we might need to retain some information despite your request, but we will inform you if that is the case.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain conditions. This means we would store your data but pause any other processing activities. You might exercise this right if you contest the accuracy of your data (while we verify it), or if you object to processing based on our legitimate interests (while we consider your objection). When processing is restricted, we will inform you before lifting the restriction.
- Right to Data Portability: You have the right to obtain the personal data you provided to us in a structured, commonly used, machine-readable format and have it transmitted to another controller when feasible. In practice, this means that upon request, we can provide you with an electronic file of your basic account information and other data that you have given us, so that you can move it to a different service. This right applies when the processing is based on your consent or on a contract and is carried out by automated means.
- Right to Object: You have the right to object to certain types of processing of your personal data. In particular, you can object to processing that we conduct based on legitimate interests or for direct marketing purposes. Direct Marketing: Rally does not send promotional emails without your consent, but if we ever do, you can opt out at any time and we will honor your choice. Legitimate Interests: If you object to processing based on our legitimate interests (for example, if you did not want your usage data to be used for analytics), you can contact us with your objection. We will then reassess our processing in light of your situation, and unless we have a compelling legitimate ground to continue, we will stop the processing in question.
- Right not to be subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects or similarly significant effects for you. Rally’s services typically do not make any decisions about you without human involvement. We may use automated tools to flag transactions or expenses for review (for instance, detecting potential fraud or policy violations), but final decisions involve human assessment. If you believe you have been subject to an unfair automated decision, you can request human intervention and contest the decision.
- Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the legality of processing we conducted prior to your withdrawal. If you withdraw consent for a service or feature, we may not be able to continue providing that feature (for example, if you withdraw consent to use your phone’s camera for receipt capture, you won’t be able to upload receipts through the app, but you could still enter expenses manually). We will advise you if such circumstances arise.
- Right to Lodge a Complaint: If you have concerns about how we are handling your personal data, you have the right to file a complaint with a supervisory authority (a data protection regulator). Rally Europe B.V. is based in the Netherlands, so our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can contact them or your local EU data protection authority. Of course, we encourage you to contact us first at Rally with any complaints or issues – we will do our best to address them to your satisfaction.
We will not usually charge a fee for you to exercise these rights, and we aim to respond to requests within one month. If your requests are complex or numerous, we may need more time (up to an additional two months, per GDPR), but we will inform you of any extension. To protect your privacy, we may ask you to verify your identity before fulfilling certain requests (such as providing access to your data or deleting data) to ensure that we do not disclose information to an unauthorized person.
Cookies and Tracking Technologies
Our website and online services use cookies and similar tracking technologies to provide a smooth user experience and to help us understand how our services are used. A cookie is a small text file that is stored on your device (computer, smartphone, etc.) when you visit a website. We use cookies for a variety of purposes:
- Essential Cookies: These cookies are necessary for the website and app to function properly. They enable core features such as user authentication, session management, and user preferences (for example, keeping you logged in as you navigate through different pages, or remembering your language settings). Without these cookies, our services might not work correctly. Because they are essential, they are used without requiring consent – however, you can still block them via your browser settings if you choose (but note that some features may then not work).
- Analytics and Performance Cookies: We use these cookies to collect information about how users interact with our website and services. This helps us improve our platform and services. For instance, we may use Google Analytics or a similar tool to gather aggregated information on which pages are visited, how long users stay, and which features are used most. The data collected is typically anonymized or pseudonymized – we look at trends and statistics, not at individual behavior. These analytics cookies are not strictly necessary and where required by law we will ask for your consent before placing them. You have the option to decline analytics cookies via our cookie banner or settings, and our service will still function normally for you.
- Functionality Cookies: These cookies remember choices you make (such as filling out forms or setting preferences) to provide enhanced and personalized features. For example, if our web portal offers a “Remember Me” option at login or if it saves certain dashboard settings for your convenience, those might use functionality cookies.
- No Third-Party Advertising Cookies: Rally does not use third-party advertising cookies or track you for advertising purposes. We do not display third-party ads on our platform, so we are not profiling you for advertising. If this ever changes in the future, we will update our policy and obtain any necessary consents. Our goal is to use cookies only to support our service delivery and improvement, not for invasive tracking.
In addition to cookies, we may use related technologies such as web beacons (small graphic images in emails or on web pages) or SDKs in our mobile app. For example, if we send you a notification or an email, a web beacon might tell us if you opened it, which helps us gauge the effectiveness of our communications. We might also use device identifiers or similar technology in the mobile application for push notifications or to analyze app usage. These technologies are used in accordance with the same purposes as cookies (ensuring functionality and improving our service).
Your Choices: When you first visit our website, you will be presented with a cookie notice or banner, especially if non-essential cookies are in use. You can choose to accept or reject certain cookies. Even after accepting, you can always manage or delete cookies through your browser settings. Most web browsers allow you to refuse new cookies, delete existing cookies, or notify you when new cookies are set. You can typically find these options in the “privacy” or “security” settings of your browser. For our mobile app, your device’s operating system may let you opt out of certain tracking (for example, resetting your advertising ID or limiting ad tracking, though as noted we don’t serve ads). Keep in mind that disabling certain cookies (especially essential ones) may impact your ability to use the full functionality of our services.
We provide more details about our use of cookies (like a full list of the cookies and their purposes) in our Cookie Notice available on our website (if applicable). We abide by applicable laws regarding cookies and tracking, including the GDPR and the ePrivacy Directive, which means we seek consent for non-essential cookies and provide you with clear information about their use.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We are here to help and will respond as promptly as we can.
Contact Email: contact@getrally.com
You can reach out to us via this email for any inquiries about your privacy, to exercise your rights (as described in the Your Rights section), or to ask any question about how we handle personal data. We may ask you to verify your identity before executing certain requests to ensure your data security.
Additionally, if you prefer to contact us by mail or another method, please send your request to Rally Europe B.V.’s business address (you can find our registered address on our website or official documents) with attention to the Privacy Team. (For the purposes of this policy, email is usually the fastest way to reach us.)
Data Protection Officer (if applicable): If we have appointed a Data Protection Officer or specific privacy contact, you can also reach them through the above contact email. (At this time, our privacy team monitors the contact@getrally.com address.)
We value your privacy and will do our utmost to address any issues. If you contact us with a privacy-related request or question, we will respond within a reasonable timeframe (within 1 month for GDPR-related requests, unless the request is complex).
Thank you for trusting Rally with your business and personal data. We are dedicated to keeping that trust by maintaining the privacy and security of your information. If you have any feedback or suggestions regarding privacy or data protection, we also welcome you to share them with us at any time.