← Back to home

Privacy Policy

Last updated: June 8, 2026

1. Introduction

ApprovalRail ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide, including:

  • Name and email address
  • Company or organization name
  • Profile information
  • Payment information (if applicable)

2.2 Usage Data

We automatically collect certain information about your use of our service:

  • IP address and browser type
  • Pages visited and features used
  • Time and date of visits
  • Device information

2.3 Cookies and Similar Technologies

We use cookies and similar tracking technologies to track activity on our service and hold certain information. See our Cookie Policy for more details.

3. How We Use Your Information

We use the information we collect to:

  • Provide and maintain our service
  • Process and manage approval workflows
  • Communicate with you about your account and our service
  • Improve and personalize user experience
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

Legal Basis for Processing: We process your personal data based on your consent (where applicable), contract performance (to provide the service), and legitimate interest (security, fraud prevention).

4. Google User Data

If you choose to connect your Google account or use Google services with ApprovalRail, we may access certain Google user data in accordance with your permissions. This may include:

  • Basic profile information (name, email)
  • Google Workspace data (if applicable and authorized)

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

We do not sell Google user data. We only use this data to provide and improve our services, and we do not transfer it to third parties except as necessary to provide our service or as required by law.

5. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third-party vendors who help us operate our service
  • Business Partners: With your consent, for integration purposes
  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes:

  • AES-256-GCM encryption for sensitive data
  • Secure authentication with session management
  • Role-based access controls
  • Regular security reviews and updates

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

7. Data Retention

We retain your personal information for the following periods:

  • User Account & Profile: Retained until you delete your account, plus a 30-day grace period during which deletion can be cancelled.
  • Approval Requests & Comments: Retained while your account is active. Upon account deletion, this data is permanently removed.
  • Audit Logs: Retained for 2 years after account deletion for security and compliance purposes.
  • Invoices & Billing Records: Retained for 10 years from the date of issuance to comply with tax and accounting legal requirements.

You may request deletion of your account and personal data at any time through your account settings or by contacting us.

8. Your Rights

Depending on your location, you may have the following rights:

  • Access: You can view your personal information through your account settings. For a complete copy of all data we hold about you, contact us at [email protected]. We will respond within 30 days.
  • Correct: You can update your profile information directly in your account settings.
  • Delete: You can delete your account through your account settings. This initiates a 30-day grace period before permanent deletion.
  • Data Portability: You may request a copy of your data in a structured, commonly used format by contacting us at [email protected].
  • Object or Restrict: Contact us if you wish to object to or restrict certain processing activities.
  • Withdraw Consent: Where we rely on your consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

9. Data Subject Requests

If you are located in the European Economic Area (EEA), Switzerland, or the UK, you have certain data protection rights. We are committed to facilitating these rights.

How to Make a Request

To submit a data subject request, please email us at [email protected] with the subject line "Privacy Request" and include:

  • Your name and email address associated with your account
  • The specific right you wish to exercise (access, deletion, portability, etc.)
  • Any additional details that help us process your request

Response Time

We will acknowledge your request within 5 business days and provide a substantive response within 30 days of receipt. If your request is complex or requires additional time, we will inform you of any extension.

Verification

To protect your privacy, we may request information to verify your identity before fulfilling your request. We will only use this information for verification purposes.

10. Children's Privacy

Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly.

11. International Data Transfers

We prioritize using service providers that store and process data within the European Union. However, some of our third-party services may process data in countries outside the EU/EEA, including the United States.

Our approach: We actively seek EU-based alternatives and migrate services when feasible. For services that operate outside the EU, we ensure appropriate safeguards are in place, including:

  • Data Processing Agreements (DPAs) with all our service providers
  • Standard Contractual Clauses (SCCs) where required
  • Services certified under the EU-US Data Privacy Framework (where applicable)

For questions about our data providers or where your data is stored, contact us at [email protected].

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at: [email protected]