Privacy Policy

Last updated: June 15, 2026

Introduction and who we are

This privacy policy will help you understand how we may collect and use your personal information. This policy also describes your rights and how you can use your rights. You can easily contact Medius if you have any questions related to this policy.

References to "Medius" on this site should be considered as references to Medius Sverige AB and all of its subsidiaries and affiliates. Medius Sverige AB is a Swedish limited company with registration number 556820-2765, VAT number SE556820276501, registered office and address at Platensgatan 8, 582 20 Linköping, Sweden, email info@medius.com and phone +46 13 12 16 30. Jim Lucier is the CEO of the Medius Group.

Medius is the owner and publisher of the websites accessible at https://www.medius.com and https://www.expensya.com. Medius is acting in the capacity of Controller when collecting and processing personal data on its own behalf and for its own purposes. This means situations in which Medius determines the purposes and the means of such processing at its own discretion.

What personal data do we process and from whom is such data collected?

The type of personal data that Medius processes about you may be:

  • Your contact details, such as name, address, telephone number and email address
  • Your job title and position, including your preferences and interests in a professional context, and your company’s name
  • Website traffic information as provided by your web browser such as browser type, language and the address of the referring website and other traffic information such as IP address
  • Website visitor behavior such as which links you click and when
  • Any other information that we collect online from you and maintain in association with your account, such as your user name and password
  • Any other information that you provide to us when you are communicating with us

How we collect your personal information and how it is held

Medius may collect personal data directly from you when you make purchases of products and services, you request support for a product or service, you create a user account, you participate in surveys and evaluations or when you submit questions or comments to us.

On Medius’ websites you can register to access educational content, subscribe to our newsletters, sign up to our events and fill in a contact request. In general, Medius collects personal data directly from you when you register on our sites or fill out a form. We may also, with your consent, use cookies and other tracking technology when you use our websites in order to optimize your experience of these.

Cookie policy for www.medius.com and www.expensya.com

We may also collect information about you from other sources, including publicly available databases or third parties from whom we have purchased data or to whom you have provided your data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyze our records, identify new prospects for marketing, and provide information about our products and services that may be of interest to you.

How we use the information we collect and receive

Your personal data may be saved and processed by Medius for the following purposes:

  • In order to answer a contact request or to send you educational content, newsletters, press releases and similar information, or invitations to seminars and similar events. Accordingly, if you do not provide the requested personal information, Medius will not be able to respond to a contact request or to send you any newsletters, invitations or information.
  • For marketing and market research, as well as basis for Medius’ market and customer analyses, business and product development, and statistics
  • To personalize your experience (your information helps us to better respond to your individual needs)
  • To improve our websites (we continually strive to improve our websites’ offerings based on the information and feedback we receive from you)
  • To allow Medius to provide, maintain, monitor, improve and develop our business and services and to personalize our services for you

Purpose and lawful basis for the processing

In accordance with Medius’ assessment, the processing is necessary for the purposes of Medius' legitimate interest in operating our business and in answering a contact request, for the performance of a contract, or for administering newsletters, information and invitations sent to you in accordance with your wish to be contacted or to receive the requested information, respectively.

In addition, Medius’ processing of your personal data for marketing purposes, for market research, for market and customer analysis, business and product development and statistics, is based on a legitimate interest. According to Medius’ assessment, the processing is necessary for Medius' legitimate interest to market its products and services, and to analyze and develop its business and operations.

Medius may also use your personal data for the purpose of compliance with applicable laws and protection of our legitimate business interests and legal rights, including but not limited to, use in connection with legal claims, compliance, regulatory, investigative purposes (including disclosure of such information in connection with legal process or litigation).

How long do we store your personal data?

In general, Medius will only retain your personal data for as long as necessary for the stated purpose, while also taking into account our need to answer queries or resolve problems and to comply with legal requirements under applicable law. This means that we may retain your personal data for a reasonable period after your last interaction with us (normally for a period of three calendar years from your last interaction with us but if you are representing a customer of Medius, we may keep your information for the duration of the contractual relationship and to the extent permitted also after the end of that relationship for as long as necessary to perform the purpose). When the personal data that we collect is no longer required in this way, we destroy or delete it in a secure manner.

Personal data provided in connection with newsletter subscriptions, event registrations or information requests is stored by Medius until you unsubscribe from the applicable Medius Communications or Expensya Communications service. However, if you unsubscribe, Medius will continue to process your personal data to the extent necessary to ensure by technical means that no further newsletters, event invitations, educational information and similar are sent to you. If Medius does not save your personal data in this respect, Medius will not be able to ensure that no further newsletters, invitations or information will be sent to you. The continued processing of your personal data is, according to Medius' assessment, necessary for the purposes of Medius’ legitimate interest in preventing newsletters, information and invitations from being sent to you, in accordance with your expressed wish.

Your rights

You have the right to request a confirmation from Medius as to whether or not personal data concerning you are being processed and, where that is the case, obtain access to your personal data. You also have the right to request that Medius corrects any inaccuracies in your personal data and that Medius shall erase your personal data or restrict the processing of your personal data. You further have the right, at any time, to object to Medius’ processing of your personal data if you believe that Medius has no legitimate interest in processing the personal data or to the use of your personal data for the purposes of direct marketing. You have the right not to be subject to decisions based on automated decision-making (if any) that has a legal or significant effect on you as an individual. If the processing of your personal data is based on your consent or on performance of a contract to which you are a party, you shall have the right to receive your data in a structured, commonly used and machine-readable format (data portability). You are finally entitled to lodge a complaint regarding Medius’ processing of your personal data with a local supervisory authority in your country of residence. You can contact Medius for more information about these rights.

How do we share your personal data?

Ensuring your privacy is important to Medius. We do not share your personal data with third parties except as described in this privacy policy. We may share your personal data with:

  • Third party service providers (for example to email and hosting providers and partners that are administrating webinars or websites or distributing press releases and other information on behalf of Medius and to any other third parties to the extent such disclosure is required to enable products or services to be provided to you and/or our clients);
  • Business partners and channel partners;
  • Affiliated companies within our corporate structure; and
  • As needed for legal purposes (for example to authorities in accordance with applicable laws and regulations).

Medius may also share your personal data in connection with mergers, acquisitions or divestiture of all or parts of Medius’ business, where the acquiring entity as well as its consultants and Medius’ own consultants may obtain access to data managed by Medius.

When sharing your personal data with third parties we take appropriate technical, organizational and legal measures in accordance with applicable data protection legislation. Medius has also established Data Processing Agreements with any third party with which your personal data is shared.

Transfer of personal data

For personal data collected within the EEA, the personal data collected is generally processed within the EEA. In cases where Medius transfers your personal data outside the EEA, such transfer is based either on a decision by the EU Commission that the third country in question ensures an adequate level of protection, or on appropriate safeguards to ensure that your rights are protected. Examples of appropriate protection measures are standard contractual clauses in combination with additional safeguards, or binding corporate rules.

We may disclose personal information to our related third-party service providers located overseas. We take reasonable steps to ensure that the overseas recipients of your personal information do not breach the applicable privacy obligations relating to your personal information. We may disclose your personal information to entities that transfer data as provided in Exhibit 1.

Specifics about emails

In cases where an e-mail sent to or from Medius contains personal data, Medius’ receipt/dispatch and further processing of such e-mail means that we process personal data. E-mails almost always contain personal data because the e-mail address itself is usually considered as personal data. The e-mail may also contain other information that is considered as personal data. When Medius sends e-mails, we either do so to communicate with the recipient (e.g. to reply to an e-mail from him/her or to ask a question), or to inform the recipient of something.

The content of incoming e-mail is usually unknown when the email is received by Medius. When that is the case, the personal data contained in the e-mail is processed by Medius for the purpose of receiving and reading the e-mail to assess if the e-mail shall be deleted or if Medius shall take action. For e-mails sent from Medius, similar considerations are made in connection with dispatch of the e-mails.

If Medius, after receipt of an incoming e-mail, or in connection with sending an outgoing e-mail, considers that the e-mail should not be deleted, and that further processing is necessary, Medius will on a case-by-case basis decide the legal basis, means and period for the processing. The legal basis for the processing of e-mails depends among other things on the content of the e-mail and whether Medius has any relationship with the recipient/sender.

If an email received by Medius contains personal data about a third-party individual, Medius will inform such individual that Medius processes personal data about him/her, provided (i) the identity of the individual is clear and (ii) the provision of such information proves impossible or would involve a disproportionate effort for Medius.

If Medius upon receipt/dispatch of an e-mail, determines that the e-mail shall be deleted, deletion will be made within a reasonable time after receipt/dispatch. If Medius determines that further actions will be taken, it depends on the content of the e-mail, as well as the continued processing and purpose of the same, how long the e-mail, including the personal data, will be kept by Medius.

Specifics about customer facing services

For certain services, Medius has been retained by our customers to process personal data as a Processor. In such cases, Medius shall process your personal data on behalf of and based on the specific instructions given by our customer as the Controller. The subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, together with the rights and obligations of the parties with respect to such processing, will be covered by a data processing agreement (or equivalent terms) agreed between Medius and our customer. For example: suppliers who are invited by Medius’ customers to interact with them on the Medius Supplier Portal, and employees of Medius’ customers who are using Medius’ services, should take note that the Medius customer is the Controller in relation to the processing of their personal data. As such, business partners and other users of Medius’ services are encouraged to connect directly with the respective Medius customer to find out how their personal data is processed.

For certain expense management services, individual data subjects may subscribe personally to the services. In such case, the Medius entity offering the subscription will act as data controller and will collect and process the following personal data: name, email address, telephone number and company name (if any). This data is processed for the purpose of managing its business relationship with you and providing the subscribed services.

Specifics about E-Invoicing Services for France

When you use the Medius E-Invoicing Solution for France (the ‘Solution’), Medius acts as data processor on behalf of your organisation under a Data Processing Agreement. Iopole, our technical infrastructure provider, acts as a sub-processor under a data processing agreement with Medius. Invoice data is transmitted to the French tax authority (DGFIP) via the public invoicing portal (PPF) as required by French law. All personal data processed in connection with the Solution remains within the European Economic Area (EEA).

  1. Why we process your data and on what legal basis

    The table below lists, for each processing activity, the purpose and legal basis, the categories of personal data and the retention period.

    Identity verification

    Purpose and legal basis: Medius processes your data to ensure a reliable verification of the identity of the person using the Solution and their status as the legal representative, agent, or delegate of the taxable entity at the time of account creation on the Solution or when subscribing to the services offered through the Solution. This purpose includes: creating the user file; extracting and analyzing information contained in the submitted documents; automatically comparing the provided data with the extracted data to certify the identity; and confirming the identity. This processing is based on a legal obligation to ensure a reliable verification of the person using an electronic invoicing platform.

    Categories of personal data: Identity data (such as your first and last names, images); Contact data (such as your email and postal address); Professional data (such as your status as legal representative and the relevant company); Data extracted from your identity document, i.e. ID card or passport (such as document type, expiration date, issuing country, and identifier).

    Retention period: The data is processed immediately during the identity verification process and retained in intermediate storage for up to 5 years for evidential purposes in case of disputes.

    Recording proof of consent to identity verification

    Purpose and legal basis: Medius processes your data to ensure proof of your consent to identity verification. This processing is based on Medius' legitimate interest in being able to demonstrate that your consent was properly obtained.

    Categories of personal data: Connection data (IP address) and the date when consent was given.

    Retention period: The data is retained for 6 months.

    Creating and updating the central electronic invoicing directory (French companies)

    Purpose and legal basis: Medius processes your data to create and update the central electronic invoicing and/or Peppol directory with the information necessary to route invoices to the recipient (the approved platform chosen by the recipient, and the recipient). This processing is based on a legal obligation.

    Categories of personal data: Email address; SIREN, SIRET, or any company identification code provided by a public authority (including the tax administration).

    Retention period: The data is processed during the use of the Solution and is retained until December 31 of the second year following the date on which the information necessary for routing invoices is no longer effective in the central electronic invoicing and/or Peppol directory.

    Recording proof of consent to directory registration (French companies)

    Purpose and legal basis: Medius processes your data to ensure proof of the formal consent you give to create and update, in the central electronic invoicing and/or Peppol directory, the information necessary for routing invoices to the recipient. This processing is based on a legal obligation.

    Categories of personal data: The mandate; Email address.

    Retention period: The data is processed during the use of the Solution and is retained until December 31 of the second year following the date on which the information necessary for routing incoming invoices, as specified in the formal agreement, is no longer effective in the central directory.

    Creating and updating the central directory (companies governed by foreign law)

    Purpose and legal basis: Medius processes your data to create and update, in the central electronic invoicing and/or Peppol directory, the information necessary for routing to the recipient. This processing is based on a legal obligation.

    Categories of personal data: Email address; SIREN, SIRET, or any company identification code provided by a public authority (including the tax administration).

    Retention period: The data is processed during the use of the Solution and is retained until December 31 of the second year following the date on which the information necessary for routing invoices is no longer effective in the central electronic invoicing and/or Peppol directory.

    Enabling compliance with electronic invoicing obligations

    Purpose and legal basis: Medius processes your data to enable you to comply with your obligations related to electronic invoicing. This purpose includes enabling you to: (i) enter, upload, issue, or transmit your electronic invoices under conditions that ensure the authenticity of origin, integrity of content, and legibility, as well as the data required under the French General Tax Code; (ii) identify the recipients of electronic invoices via the central directory and ensure the transmission of your electronic invoices to the approved platforms chosen by the recipients or to the public invoicing portal; (iii) receive and make available to your recipients the electronic invoices sent by other approved platforms or by the public invoicing portal; (iv) manage the processing statuses of your electronic invoices; and (v) extract invoicing data intended for the tax authorities and ensure its transmission to the public invoicing portal. This processing is based on a legal obligation.

    Categories of personal data: All data relating to electronic invoicing.

    Retention period: The data is processed during the use of the Solution and is retained for up to 10 years for invoice data whose retention is legally required.

    Mandate compliance checks

    Purpose and legal basis: Medius processes your data to carry out checks related to the mandate specified in the French General Tax Code. This processing is based on a legal obligation.

    Categories of personal data: Data relating to the mandate.

    Retention period: The data is retained during the use of the Solution.

    Transaction data compliance checks

    Purpose and legal basis: Medius processes your data to ensure mandatory compliance checks regarding the transmitted transaction data. This processing is based on a legal obligation.

    Categories of personal data: Transaction data.

    Retention period: The data is processed during the use of the Solution and retained for up to 5 years for evidential purposes in case of disputes.

    Securing the Solution and managing technical incidents

    Purpose and legal basis: Medius processes your data to secure access to and use of the Solution and, where applicable, to manage bugs related to access to or use of the Solution. This processing is based on Medius' legitimate interest in ensuring the maintenance and security of the Solution.

    Categories of personal data: Identity data (such as your first and last names, images); Contact data (such as your email and postal address); Connection data; Data related to bugs.

    Retention period: The data is processed immediately during the bug analysis process and retained in intermediate storage for up to 5 years for evidential purposes in case of disputes, except for connection data, which is not retained beyond 6 months.

    Internal security audits

    Purpose and legal basis: Medius processes your data to conduct internal security audits. This processing is based on Medius' legitimate interest in ensuring the maintenance and security of the Solution and in providing justification in case of an audit.

    Categories of personal data: Identity data (such as your first and last names, images); Contact data (such as your email and postal address); Professional data (such as your status as legal representative and the relevant company); Data extracted from the identity document, i.e. ID card or passport (such as document type, expiration date, issuing country, and identifier).

    Retention period: The data is processed immediately during the identity verification process and retained in intermediate storage for 96 hours for data related to the identity document, and up to 5 years for other data for evidential purposes in case of disputes.

    Managing evidence in case of dispute or fraud

    Purpose and legal basis: Medius processes your data to manage the evidence related to identity verification in case of dispute or fraud. This processing is based on Medius' legitimate interest in retaining proof in case of audit or dispute.

    Categories of personal data: Identity data (such as your first and last names, images); Contact data (such as your email and postal address); Professional data (such as your status as legal representative and the relevant company); Data extracted from the identity document, i.e. ID card or passport (such as document type, expiration date, issuing country, and identifier).

    Retention period: The data is processed immediately during the identity verification process and retained in intermediate storage for 96 hours for data related to the identity document, and up to 5 years for other data for evidential purposes in case of disputes.

    Responding to data subject rights requests

    Purpose and legal basis: Medius processes your data to respond to any request to exercise a right related to the protection of personal data. This processing is based on a legal obligation.

    Categories of personal data: Identity data (such as your first and last names); Contact data (such as your email); Data related to the request made.

    Retention period: The data is used for the duration of the process to exercise a right and retained in intermediate storage for up to 5 years for evidential purposes in case of disputes.

    Managing personal data breaches

    Purpose and legal basis: Medius processes your data to manage any personal data breaches. This processing is based on a legal obligation.

    Categories of personal data: Data related to the personal data breach.

    Retention period: The data is used for the duration of the procedure following a personal data breach and retained in intermediate storage for up to 5 years for evidential purposes in case of disputes.

  2. Your rights

    The rights described in the "Your rights" section of this policy apply equally to the processing described above. To exercise your rights or ask any questions about how we process your personal data in connection with E-Invoicing Services, please contact us at privacy@medius.com.

Complaints

You may exercise your rights by emailing us at privacy@medius.com or submitting a request here. We will respond to the complaint within 5 days of receipt and will take all the reasonable steps to reach a decision on the complaint within 30 days from the receipt of the complaint. We may disclose information regarding the complaint to any relevant contractor and/or provider that holds the personal information about the subject of the complaint. In the event you are not satisfied with the decision or resolution given by Medius, you may file a complaint to the relevant data protection authority, which, for Australian residents, can be done on the Information Commissioner’s website at www.oaic.gov.au and for the UK, can be done on the Information Commissioner’s Office (ICO) website at https://ico.org.uk/make-a-complaint/.

Automated Decision-making

We do not use automated decision-making or profiling of individuals.

Security

Medius takes security seriously. We take various steps to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology. Please visit our trust center (https://www.medius.com/trust-center/) to read more about our security measures.

California Residents

View the Privacy Notice to California Residents

Changes to this privacy policy

We may change this policy from time to time and if we do we will post any changes on this page. If you continue to interact with us after those changes are in effect, you are agreeing to the revised policy. You can see previous versions of our privacy policy below.

Previous privacy policies: