Shoeboxed and GDPR

At Shoeboxed we understand that our users’ privacy is paramount. This means we strive to provide top-level security while being transparent about our data practices. It is important to us that our users understand the steps we take to protect their valuable information. Below, you will find information about GDPR, how Shoeboxed complies with it, and how Shoeboxed protects user data.

What is GDPR?

General Data Protection Regulation (GDPR) is a European Union regulation which provides guidelines for collection and processing of personal data of individuals within the European Union. The GDPR went into effect on May 25th, 2018.

How does it impact Shoeboxed?

Since Shoeboxed provides service to users in the European Union, we are required to comply with the guidelines provided by GDPR, and we do. We have worked hard to ensure that our practices around data storage and processing not only protect our users but also comply with GDPR guidelines.

What data does Shoeboxed collect from you?

We collect Personal Data about you when you provide such information directly to us, when third parties such as our business partners or service providers provide us with Personal Data about you, or when Personal Data about you is automatically collected in connection with your use of our Services.

Information we collect directly from you: We receive Personal Data directly from you when you provide us with such Personal Data, including without limitation the following:

  • First and last name
  • Company name, VAT number
  • Email address
  • Mailing address
  • Telephone number
  • Address
  • IP Address
  • Username
  • Account Code (can include email addresses)
  • Browser information
  • Credit card and credit card CVV
  • Transaction and Billing Data

Information we receive from third-party sources: Some third parties such as our business partners and service providers provide us with Personal Data about you, such as the following:

  • Account information for third party services: If you interact with a third party service when using our Services, such as if you use a third-party service to log-in to our Services (e.g., Facebook Connect or Google), or if you share content from our Services through a third party social media service, the third party service will send us information about you, such as information from your public profile, if the third party service and your account settings allow such sharing. The information we receive will depend on the policies and your account settings with the third-party service.

Information we automatically collect when you use our Services: Some Personal Data is automatically collected when you use our Services, such as the following:

  • IP address
  • Device identifiers
  • Web browser information
  • Page view statistics
  • Browsing history
  • Usage information
  • Transaction information (e.g. transaction amount, date and time such transaction occurred)
  • Cookies and other tracking technologies (e.g. web beacons, pixel tags, SDKs, etc.).
  • Location information (e.g. IP address, zip code)
  • Log data (e.g. access times, hardware and software information)

Shoeboxed uses Personal Data to:

  • Create and manage user profiles
  • Communicate with you about the Services
  • Process orders
  • Contact you about Service announcements, updates or offers
  • Provide support and assistance for the Services
  • Personalize website content and communications based on your preferences
  • Meet contract or legal obligations
  • Respond to user inquiries
  • Fulfill user requests
  • Comply with our legal or contractual obligations
  • Resolve disputes
  • Protect against or deter fraudulent, illegal or harmful actions
  • Enforce our Terms of Service

We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our “legitimate interests” or the legitimate interests of others, as further described below.

  • Contractual Necessity: We process the following categories of Personal Data as a matter of “contractual necessity”, meaning that we need to process the data to perform under our Terms of Service with you, which enables us to provide you with the Services. When we process data due to contractual necessity, failure to provide such Personal Data will result in your inability to use some or all portions of the Services that require such data.
      • First and last name
      • Email address
      • Mailing address
      • IP Address
      • Credit card and credit card CVV
      • Transaction and Billing Data

  • Legitimate Interest: We process the following categories of Personal Data when we believe it furthers the legitimate interest of us or third parties.
      • First and last name
      • Email address
      • Mailing address
    Examples of these legitimate interests include:
      • Operation and improvement of our business, products and services
      • Marketing of our products and services
      • Provision of customer support
      • Protection from fraud or security threats
      • Compliance with legal obligations
      • Completion of corporate transactions

  • Consent: In some cases, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, it will be expressly indicated to you at the point and time of collection.
  • Other Processing Grounds: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

What has Shoeboxed changed in order to comply?

Luckily for us, we haven’t had to change a lot as almost all of our practices are already GDPR compliant. We have reviewed our data systems and security to ensure complete compliance, and updated our privacy policy and terms of service to further explain how we handle data. The added explanations are:

  • When a user deletes their account, Shoeboxed deletes their raw data within 90 days.
  • Document data may still be kept in backup files for up to one year (these backups are not accessible by any non-Shoeboxed personnel). These backups are done on a rolling window and are deleted after a year.
  • Account data may still be kept in backup files for up to three years (these backups are not accessible by any non-Shoeboxed personnel), for audit purposes.
  • Random action event data (actions a user takes while logged into Shoeboxed) can be deleted upon request. Otherwise, Shoeboxed may retain this data to analyze in aggregate what our users do on our platform and how we might be able to help them better accomplish those tasks in the future.


Not sure about something or have a question? Shoot us an email to
