Privacy Policy
Updated December, 2025
Introduction
This Privacy Policy describes how Poppy Technologies, Inc. (“Poppy,” “we,” “our,” or “us”) collects, uses, and shares personal information when you visit our website at www.poppylegal.com (the “Site”) and when you use our legal spend management software application and related services (the “Services”).
This Privacy Policy also describes your choices and rights regarding your personal information.
Important Information About Our Roles
Our role depends on the context in which personal information is processed:
Customer Data in the Services: When our business customers (each a “Customer”) use the Services to submit or manage information, we process that information on the Customer’s behalf. In that context, the Customer is generally the data controller, and Poppy is generally a data processor/service provider. If you are an end user or other individual whose data is included in a Customer’s use of the Services, please direct privacy requests to the relevant Customer. We will assist our Customers in responding to requests as required by our agreements and applicable law.
Service Data and Business Relationship Data: We process certain information as a controller to operate our business and provide, secure, and support the Services (for example, account administration information, authentication data, security logs, and support communications).
Personal Information We Collect
Information You Provide to Us (Site and Services)
Depending on how you interact with us, we may collect information you provide directly, such as:
Contact information: Name, work email address, phone number, company name, and job title.
Account information: Username, organization/admin information, and authentication-related details.
Support communications: Information you provide in support requests (which may include attachments or information you choose to share).
Information We Collect Automatically (Site and Services)
We may collect certain information automatically, such as:
Log and device data: IP address, browser type, device identifiers, operating system, timestamps, and pages/screens accessed.
Security and audit logs in the Services: Login events and user actions necessary to maintain auditability.
Error and performance data: Error reports and diagnostic information generated by your use of the Services.
Cookies and Similar Technologies (Site and Services)
We use cookies and similar technologies on the Site and Services to enable functionality and understand usage. These may include:
Essential cookies: Necessary for functionality.
Analytics cookies: To understand how visitors use the Site and Services.
Marketing cookies: If we engage in advertising or marketing measurement (where used, you will have choices through our cookie tools and/or browser settings).
Cookie retention periods vary: essential cookies typically expire at session end or within one year; analytics and marketing cookies may persist for up to two years. You can manage or delete cookies through your browser settings at any time.
Sources of Personal Information
In addition to information you provide directly, we may receive personal information about individuals from our Customers when they upload or submit data to the Services (for example, names and contact information of attorneys or other personnel appearing on invoices). If your personal information was provided to us by a Customer, please direct any inquiries about that information to the relevant Customer.
How We Use Personal Information
We use personal information for the following purposes:
To operate the Site and Services: Including account creation, authentication (including SSO), and providing the requested functionality.
To maintain security, integrity, and auditability: Including monitoring for suspicious activity, preventing fraud, and maintaining audit logs of key actions.
To provide support and respond to requests: Including troubleshooting and communicating with you.
To improve our Site and Services: Including debugging, quality assurance, and product improvement.
To communicate with you: Including service-related communications and (where permitted) marketing communications. You can opt out of marketing communications at any time.
To comply with legal obligations: And to enforce our agreements.
Automated Processing and Artificial Intelligence
We use artificial intelligence (AI) and automated systems to assist in providing the Services, such as parsing invoices and flagging potential billing anomalies for review.
Human Oversight: These technologies are designed to flag issues for human review; they do not make legally binding decisions about you automatically without human intervention.
No Training on Customer Data: We do not use Customer Data (including personal information contained within invoices) to train AI models.
Legal Bases for Processing (EEA/UK and Similar Jurisdictions)
Where applicable law requires a legal basis (for example, in the EEA and UK), we rely on one or more of the following:
Performance of a contract: (e.g., providing the Services).
Legitimate interests: (e.g., securing the Services, preventing fraud, improving the Services, responding to support requests).
Legal obligations: (e.g., compliance, recordkeeping).
Consent: (e.g., where required for certain cookies or marketing).
How We Share Personal Information
We may share personal information with:
Service providers and subprocessors: Who help us operate our business and provide the Site and Services (for example, hosting/infrastructure, identity and email, monitoring/logging, customer support tooling, and security/compliance tooling). We maintain an up-to-date list of subprocessors available at https://trust.poppylegal.com/subprocessors.
Professional advisors: Such as lawyers, auditors, and insurers, where necessary.
Law enforcement or government authorities: Where required by law, or to protect rights and safety.
In connection with a corporate transaction: Such as a merger, acquisition, or sale of assets.
We do not sell personal information.
Security Measures
We implement appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls and authentication requirements, regular security assessments, employee security training, and incident response procedures. We maintain a SOC 2 Type II compliance program and conduct regular audits of our security controls.
International Data Transfers
We are headquartered in the United States and our Services are hosted in the United States. If you access the Site or Services from outside the U.S., your personal information may be transferred to and processed in the U.S. and other locations where we or our service providers operate.
To ensure your data is protected when transferred out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (and the UK International Data Transfer Addendum, where applicable), along with appropriate supplementary measures to ensure a valid transfer mechanism.
Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, including for security, audit, compliance, and dispute resolution.
Customer Data in the Services: We delete Customer Data within 60 days after contract termination, subject to any legal obligations or legitimate purposes (e.g., security, dispute resolution) that require longer retention.
Service Data (e.g., account and security logs): We retain this information for as long as needed to operate, secure, and support the Services and comply with legal obligations.
Your Choices and Rights
Marketing and Communications
You can opt out of marketing communications at any time by using the unsubscribe link in our emails or contacting us at privacy@poppylegal.com. We may still send you non-marketing service communications (e.g., security or account notices).
Cookies
You can control cookies through your browser settings and any cookie preference tools we provide.
Privacy Rights (EEA/UK and Other Jurisdictions)
Depending on your location and applicable law, you may have rights to:
Request access to and a copy of your personal information.
Request correction or deletion.
Object to or restrict certain processing (including processing based on legitimate interests, where we will cease processing unless we demonstrate compelling grounds).
Request portability.
Withdraw consent (where processing is based on consent).
Lodge a complaint with a data protection authority.
If you remain dissatisfied, you have the right to apply directly to your local data protection authority. For EU data subjects, you can find the list at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. For UK data subjects, you can visit: https://ico.org.uk/make-a-complaint/.
Important: If your request relates to Customer Data processed in the Services on behalf of a Customer, you should direct your request to that Customer. If your request relates to Service Data (such as your account/admin information), you may contact us directly at privacy@poppylegal.com.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have certain rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information (where applicable), and the right not to be discriminated against for exercising your rights. To exercise your California rights, email privacy@poppylegal.com. We will verify your identity before processing your request and respond within the time required by law.
Children’s Privacy
The Site and Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13.
If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete such data as soon as possible. If you are a parent or guardian and believe that your child has provided us with their personal information without your consent, please contact us at privacy@poppylegal.com, so that we can take appropriate action.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version on our Site and update the “Last Updated” date.
Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Poppy Technologies, Inc.
2370 E Stadium Blvd, #2655
Ann Arbor, MI 48104
privacy@poppylegal.com
EU/UK Representative
We have appointed a representative in the EU and UK for data protection matters. You may contact them at:
EU Representative:
Instant EU GDPR Representative Limited
Office 2 12A Lower Main Street
Lucan Co. Dublin K78 X5P8 Ireland
Reporting Link: https://poppytechnologiesinc.gdprlocal.com/eu
UK Representative:
GDPRLocal Ltd.
1st Floor Front Suite 27-29 North Street
Brighton England BN1 1EB
Reporting Link: https://poppytechnologiesinc.gdprlocal.com/uk