Grasp Technologies is a travel and expense data management platform used by corporations, travel management companies and travel agencies to unify fragmented booking, card and ERP data into a single source of truth. The Grasp marketing website also uses analytics cookies to measure visitor behaviour. For EU customers, Grasp processes traveller and expense data on US infrastructure, which raises GDPR consent and international data transfer questions for any organisation deploying it.
Grasp Technologies is a United States based travel and expense data management platform. It consolidates booking, expense and payment data from travel management companies, corporate card programmes, online booking tools and ERPs, then exposes the unified data set through dashboards, scheduled reports and APIs. The Grasp marketing website also uses standard web analytics cookies to measure visitor activity. EU corporations and TMCs deploy Grasp to gain a single view of travel spend across vendors.
On the public Grasp website, analytics cookies log IP address, user agent, operating system, browser, screen resolution and plugins. Inside the Grasp platform, the data set covers traveller name records, itineraries, ticket numbers, corporate card transactions, supplier identifiers, project codes and cost centres. Traveller data can be sensitive because it reveals presence, movement patterns and sometimes health context (visa requirements, medical evacuation).
Two layers of compliance apply. First, the analytics cookies dropped on the Grasp marketing site require prior consent under article 5(3) ePrivacy. Second, traveller data uploaded to Grasp is processed by Grasp acting as a processor for EU corporate controllers under article 28 GDPR. A signed Data Processing Agreement, documented sub processors and a clear retention schedule are all mandatory.
Consent is required only for the analytics cookies on the public Grasp site. Inside a corporate deployment, employee travel data is processed on the basis of the employment contract, legitimate interest, or compliance with a legal obligation, not consent. Employees should still receive transparent information under articles 13 and 14 GDPR about the use of Grasp, the categories of data processed, retention and recipients.
Default Grasp infrastructure is hosted in the United States. EU customers must rely on Standard Contractual Clauses, the EU-US Data Privacy Framework where Grasp is certified, and supplementary measures such as encryption in transit and at rest, granular access controls and pseudonymisation where feasible. A transfer impact assessment is expected before relying on these transfers, especially after the Schrems II decision.
Sign a GDPR compliant DPA with Grasp including SCCs and a sub processor list. Run a transfer impact assessment for the US transfer. Conduct a DPIA covering travel monitoring. Update the internal privacy notice for employees. Configure a Consent Management Platform to block Grasp marketing analytics until consent is given. Limit access to the Grasp portal, enable MFA and define a clear retention period for traveller data.
Websites using Grasp must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally required where Grasp processes traveller data of EU employees on US infrastructure, given the systematic monitoring of travel patterns, the volume of data and the transfer to a third country. Assess proportionality, data minimisation, retention, access controls and the effectiveness of supplementary measures such as encryption and SCCs.
Sample consent text
We use Grasp Technologies to consolidate travel and expense data. This involves transferring booking and card data to Grasp servers in the United States under Standard Contractual Clauses. The Grasp website also uses analytics cookies that we activate only after your consent.
Third-party domains contacted
grasptech.com, app.grasptech.com, www.google-analytics.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _ga | persistent | 2 years | Google Analytics first party cookie used on the Grasp marketing website to distinguish unique visitors and measure traffic. Requires consent under article 5(3) ePrivacy. |
| _gid | persistent | 24 hours | Google Analytics short term cookie used on the Grasp marketing website to track session level activity. Requires consent. |
| grasp_session | session | session | Authentication session cookie set when a user logs into the Grasp travel and expense platform. Strictly necessary for authenticated access. |
The Grasp marketing website sets analytics cookies that record IP address, user agent, operating system, browser type, screen resolution and plugins. Inside the Grasp travel and expense platform itself, sessions are managed with authentication cookies that are strictly necessary for the logged in user. Any cross site tracking cookies depend on the specific Grasp deployment.
Consent is required only for the analytics cookies on the Grasp marketing website, where prior consent under article 5(3) ePrivacy applies. Inside a corporate deployment, traveller data is processed for performance of the employment relationship or legitimate interest, not consent. Employees must be informed transparently.
For analytics cookies, the legal basis is consent. For the unified travel and expense data set, the controller (the corporate client) typically relies on performance of the employment contract under article 6(1)(b) GDPR, legitimate interest under article 6(1)(f) for cost control and fraud prevention, or legal obligation for tax and accounting.
Yes. Grasp Technologies is a US company and its default infrastructure is in the United States. Customer traveller and expense data, including data on EU based travellers, is transferred to US servers. Transfers must rely on Standard Contractual Clauses, the EU-US Data Privacy Framework if Grasp is certified, and supplementary safeguards.
A DPIA is generally required because Grasp processes employee travel data at scale on infrastructure in a third country, with systematic monitoring of movement patterns. The DPIA should assess necessity, proportionality, retention, access controls, encryption, and the effectiveness of SCCs and any supplementary measures.
Sign a DPA with SCCs, document Grasp in records of processing activities, run a transfer impact assessment, complete a DPIA, restrict access via SSO and MFA, set retention periods aligned with tax and audit obligations, brief employees and update the privacy notice. Wire marketing analytics on the public Grasp pages through a Consent Management Platform.
EU oriented alternatives include SAP Concur with EU hosting, Mobilexpense, Cytric Travel by Amadeus, Egencia and Notilus. For pure analytics on travel data, in house data warehouses with Looker, Power BI or Tableau hosted in the EU can replicate the reporting layer while keeping data within the EEA.
Add a separate entry for Grasp marketing analytics cookies in the public cookie policy, with vendor name, purpose, lifetime and consent category. Document the internal Grasp deployment in the privacy notice for employees rather than in the public cookie policy. Review the policy whenever Grasp updates its sub processors or moves to new regions.