OptX Masraf — Privacy Policy
Last updated: August 25, 2025
Owner / Publisher: BIGA YAZILIM TEKNOLOJI DANISMANLIK ITHALAT VE IHRACAT ANONIM SIRKETI (“Biga”, “Biga Technology”, “we”, “us”, or “our”)
Application: OptX Masraf (iOS and Android expense management app integrated with an ERP system)
Plain‑English summary
OptX Masraf helps employees capture receipts, fill expense details, and submit them to their Organization’s ERP. We collect only what’s needed to run the app, we don’t sell your data, and we don’t show advertising. Your Organization typically controls (is the controller of) the expense data; Biga operates the service as a processor on their instructions. You can exercise your rights via your Organization or by contacting us.
1) Scope & Roles
This policy describes how Biga Technology processes personal data in the OptX Masraf mobile application and related services.
- Controller vs. Processor. For Expense Data submitted through the app, your Organization is usually the controller and Biga is the processor. For certain items (e.g., account administration, security logs, diagnostics), Biga may act as a controller.
- Definitions. “User” means an employee/contractor authorized by an Organization to use the app. “Expense Data” means expense details and associated content (amounts, currencies, categories, cost centers, dates, merchants, taxes, notes, attachments, receipt images, OCR text, and related metadata).
2) Data We Collect
Data categories vary by Organization settings and your choices:
A. Account & Profile
Name, work email, employee/HR ID, role/department, Organization identifier; authentication data (hashed identifiers, access tokens); optional SSO identifiers (e.g., from Azure AD/Google/Okta) if your Organization enables SSO. We do not collect your SSO password.
B. Expense Data (User Content)
Amounts, currencies, categories, cost centers/project codes, tax/VAT details, merchant, purchase date/time; receipt photos and other attachments (e.g., PDFs); OCR text extracted from receipts (OCR can run on‑device or server‑side depending on Organization configuration); optional notes you add.
C. Device & Technical
Device model, OS and app version, language, time zone, IP address at sync, crash logs, performance metrics, and basic in‑app events (e.g., screen opens/feature usage) for reliability and support. No cross‑app behavioral profiling.
D. Permissions/Optional Data
– Camera (capture receipts)
– Photos/Media/Files (attach images/PDFs)
– Notifications (submission status, approvals, reminders)
– Location (optional; Organization‑controlled, off by default) to attach place of purchase
– Biometric unlock (optional) for local device access only; raw biometric data never leaves your device
E. Support Communications
Messages, screenshots, logs, or files you send to support; diagnostics generated during troubleshooting.
Special categories / sensitive data: We do not intentionally collect special‑category data. Receipts can incidentally contain such data; please avoid attaching sensitive information unless your Organization policy requires and law permits it.
3) Purposes & Legal Bases
Service delivery & account administration — operate the app, authenticate users, sync with ERP, maintain user accounts.
Legal bases: Contract (to provide the service), Legitimate interests.
Expense capture & processing — capture photos, run OCR, validate, classify, submit Expense Data to ERP, prevent duplicate claims.
Legal bases: Contract, Legitimate interests; Consent for optional features (e.g., location).
Security & fraud prevention — detect misuse, enforce policies, protect users and systems.
Legal bases: Legitimate interests; Legal obligation.
Support & product improvement — respond to tickets, fix bugs, improve reliability using aggregated or de‑identified analytics.
Legal bases: Legitimate interests.
Compliance — meet tax, accounting, audit, and regulatory requirements; respond to lawful requests.
Legal bases: Legal obligation.
4) Sharing & Disclosures
We share data only as necessary:
– Your Organization & ERP. Expense Data and relevant identifiers flow to your Organization’s ERP and connected systems.
– Service providers (processors). Hosting, storage, OCR, analytics, crash reporting, support tools — bound by DPAs, confidentiality, and our instructions.
– Affiliates. Within Biga corporate group for operations (if applicable).
– Legal & safety. If required by law or to protect rights, safety, and system integrity.
We do not sell personal data and do not share it for cross‑context behavioral advertising.
5) International Transfers
Data may be processed and stored outside your country. Where required (e.g., EEA/UK/Switzerland), we use Standard Contractual Clauses (SCCs) or other lawful mechanisms. For Türkiye (KVKK), transfers follow applicable provisions and, where necessary, explicit consent or other approved mechanisms.
6) Data Retention
We keep data only as long as needed for the purposes above or as required by law.
| Data category | Typical retention |
| Expense Data in ERP | Per Organization policy and applicable tax/accounting laws (often several years) |
| App account/profile | While the account is active and 12 months after deactivation for audit/security |
| Diagnostics & crash logs | 3–18 months depending on tooling |
| Support tickets | For the life of the ticket plus 24 months |
When retention ends, we delete or de‑identify data. If you leave your Organization, consult them regarding ERP data retention.
7) Security
We use administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls, least‑privilege, monitoring, and secure development practices. No method is perfectly secure, but we continually improve our controls. Security contact: developer@bigatechnology.com
8) Your Rights & Choices
Your rights depend on your location:
– Access, correction, deletion, portability, restriction/objection — available under many laws.
– Withdraw consent — for optional features you previously enabled (e.g., location).
How to exercise
– Organization‑controlled Expense Data: Contact your Organization (controller). We assist them as processor.
– Biga‑controlled data (account/diagnostics): Contact us (see Section 15).
– We target response within 30 days (or the statutory period). If we decline, you may appeal by emailing privacy@bigatechnology.com with subject line: “Privacy Request Appeal”.
Regional notices
– EEA/UK/Switzerland: You can contact your supervisory authority. Where Biga is controller, we rely on Contract/Legitimate interests and consent for optional features; transfers use SCCs or equivalent.
– Türkiye (KVKK): Exercise Article 11 rights with your controller (your Organization) and, where applicable, with Biga. If Biga is a relevant controller, use the contact details in Section 15. Include your employee ID and Organization name.
– California (CCPA/CPRA): We do not sell/share personal information. You may know, delete, correct, and limit use of sensitive information. We will not discriminate for exercising rights.
9) Children’s Privacy
OptX Masraf is for business use and not directed to children. We do not knowingly collect data from children under the age required by local law.
10) Cookies & Web Portal
The native mobile apps do not use cookies. If you access a web portal or help site, cookies may be used; see the Website Cookie Policy URL for details.
11) Automated Decision‑Making
The app does not use automated decision‑making that produces legal or similarly significant effects about you. Automated classification (e.g., category suggestions) assists data entry but does not make binding decisions.
12) Do Not Track
We do not respond to browser “Do Not Track” signals. Our mobile apps do not track users across third‑party apps or websites for advertising.
13) Changes to This Policy
We may update this policy to reflect changes in technology, law, or our services. We will post updates in‑app and revise the “Last updated” date. For material changes, we may provide additional notice.
14) Contact Information
Biga Technology (service provider)
Legal entity name: BIGA YAZILIM TEKNOLOJI DANISMANLIK ITHALAT VE IHRACAT ANONIM SIRKETI
Registered address: BILISIM VADISI T.G.B.1.ETAP, NO: 143-8 MUALLIMKOY MAHALLESI DENIZ CADDESI, GEBZE Kocaeli 41400
Email: privacy@bigatechnology.com
Phone: +90 542 765 92 99
EU/UK Representative (if applicable): N/A
Data Protection Officer (if applicable): N/A
Türkiye VERBİS registration (if applicable): N/A
For Expense Data held by your Organization, contact your HR/Finance/IT administrator.
15) Platform Disclosures (Apple & Google)
Apple App Store — App Privacy (summary)
- Data Linked to You (no third‑party ads): Contact info (name, email), Identifiers (employee/user ID), User Content (receipt images, notes), Financial info (expense amounts, taxes), Diagnostics (crash, performance).
- Tracking: We do not track users across apps/sites for advertising.
Google Play — Data Safety (summary)
- Data collected: Personal info (name, email, employee ID), Financial info (expense amounts), Photos/Media/Files (receipt images/PDFs), App activity (feature usage), Device or other IDs (for security/diagnostics), Diagnostics.
- Data sharing: With your Organization’s ERP and our processors only; not sold.
- Security: Data encrypted in transit and at rest.
- Deletion: Users can request deletion via their Organization or Biga; admin tools/support available.
- Purpose: Core app functionality, account management, security, analytics/diagnostics.
Your Organization’s configuration may change which data elements are collected or required. Admins can disable optional features like location.
16) SSO & Payment Card Data
If your Organization enables SSO, we process identity tokens and basic profile attributes provided by your Identity Provider. We do not receive your SSO password.
We do not intentionally process full payment card numbers; if a receipt image contains card data, we store it as part of the image/OCR text for recordkeeping. Your Organization should ensure policies comply with applicable standards.
17) Publisher Checklist (fill before publishing)
Replace bracketed items throughout this policy:
1. Biga legal entity name and registered address (Section 14).
2. Privacy contact email and phone (Section 14).
3. EU/UK representative and DPO details, if required (Section 14).
4. VERBİS registration number, if applicable in Türkiye (Section 14).
5. Security contact (Section 7).
6. Retention periods for account data, diagnostics, and support (Section 6 table).
7. Website Cookie Policy URL (Section 10).
8. Clarify OCR mode (on‑device/server/both) (Section 2B).
9. Confirm whether Location is enabled or remove references (Sections 2D & 3).
10. Add or link a Sub‑processor list (optional but recommended).
18) Version History
- v1.0 — August 25, 2025: Initial public release of OptX Masraf Privacy Policy.





