Data Privacy Framework
This Data Privacy Framework Notice (“DPF Notice” or “Notice”) describes the practices of BTRS Holdings Inc. with its covered entity, Factor Systems LLC d/b/a Billtrust (“Billtrust”) with respect to Personal Data that we receive from the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”).
Billtrust complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). To learn more about the DPF, and to view our certification, please visit Data Privacy Framework.
This Notice applies to all Billtrust U.S. operations, divisions and subsidiaries as far as Personal Data from the EEA, Switzerland, and UK is received in any format whatsoever, including electronic, paper or oral transmission. If there is any conflict between the terms in this DPF Notice and the DPF Principles, the DPF Principles shall govern.
3. Processing of Personal Data
4. DPF Principles
A detailed description of the DPF Principles can be found on the website of the U.S. Department of Commerce.
We will inform individuals about the purposes for which we collect and use Personal Data about them, including the third parties to which Billtrust discloses their Personal Data and their right under the DPF. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Billtrust, or as soon as practicable thereafter, and in any event before Billtrust uses or discloses the information for a purpose other than that for which it was originally collected
4.3 Accountability for Onward Transfers
Billtrust may share Personal Data with our service providers and suppliers (“Agents”) for the purposes described above and to support our clients’ needs. Billtrust will obtain assurances from our Agents that they will safeguard Personal Data consistent with this DPF Notice and will use and transfer Personal Data only for limited and specific purposes. Billtrust maintains contracts with our Agents obligating the Agent to provide at least the same level of protection as is required by the relevant DPF Principles. Billtrust also recognizes its responsibility and potential liability for onward transfers to Agents. Where Billtrust has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Notice and/or the level of protection as required by the DPF Principles, Billtrust will take reasonable and appropriate steps to prevent, remediate or stop such use or disclosure. If Billtrust transfers Personal Data to non-agent third parties acting as controllers, Billtrust will apply the Notice and Choice Principles, unless a specific exception applies under European data protection law applies, and will obtain assurance from such parties that they will provide the same level of protection as is required under the DPF Principles.
Billtrust will take reasonable and appropriate precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.
4.5 Data Integrity and Purpose Limitation
Billtrust will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Billtrust will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Billtrust will keep Personal Data only as long as necessary for the purposes described above or for statistical analysis, research or other approved purposes
Upon request, Billtrust will grant individuals access to Personal Data that it holds about them. In addition, Billtrust will take reasonable steps to permit individuals to correct, amend, or delete information that is inaccurate or incomplete or has been processed in violation of the DPF Principles. Billtrust may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
4.7 Recourse, Enforcement and Liability
Billtrust encourages individuals to raise any concerns they have using the contact information below. Billtrust will investigate and attempt to resolve any complaints and disputes regarding our collection, use, and disclosure of Personal Data to the extent possible within 45 days and in accordance with the DPF Principles.
If a complaint or dispute cannot be resolved through Billtrust’s internal processes, Billtrust has agreed to participate in the VeraSafe DPF Dispute Resolution Procedure. Subject to the terms of the VeraSafe DPF Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the DPF Dispute Resolution Procedure, please submit the required information to VeraSafe here: Verasafe Privacy Services Dispute Resolution Submit Dispute.
In the event that Billtrust or the independent dispute resolution mechanism determines that Billtrust failed to comply with the DPF Principles, Billtrust will take appropriate steps to address any adverse effects and to promote future compliance. Billtrust is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body and enforcement authority under the DPF.
Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, you also have a right to invoke binding arbitration under certain circumstances. For further information, please refer to: Data Privacy Framework Annex I.
5. Required Disclosures
Under certain circumstances, Billtrust may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security, public interest, or law enforcement requirements. Billtrust’s adherence to the DPF Principles may therefore be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if any lawful exceptions or derogations are applicable.
6. Contact Information
EEA, Swiss, and UK individuals with inquiries, requests, or complaints regarding our DPF Notice should first contact Billtrust at:
ATTN: Client Support
Address: 1009 Lenox Drive , Suite 101, Lawrenceville, New Jersey 08648
Phone: 1 (888) 580-BILL
Fax: 1 (609) 235-1011
E-Mail: [email protected]
7. Billtrust’s Privacy Officer
Billtrust’s Privacy Officer can also be contacted regarding matters related to the processing of Personal Data under the DPF and to exercise any applicable rights. To make such an inquiry, please contact Billtrust at: [email protected]
9. Changes to this Policy
This Notice may be amended from time to time, consistent with the requirements of the DPF Principles. Appropriate notice will be provided concerning such amendments.
Effective Date: Sept 1, 2023