Data Privacy Framework

This Data Privacy Framework Notice (“DPF Notice” or “Notice”) describes the practices of BTRS Holdings Inc. with its covered entity, Factor Systems LLC d/b/a Billtrust (“Billtrust”) with respect to Personal Data that we receive from the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”).

1. Introduction

Billtrust complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). To learn more about the DPF, and to view our certification, please visit Data Privacy Framework.

2. Scope

This Notice applies to all Billtrust U.S. operations, divisions and subsidiaries as far as Personal Data from the EEA, Switzerland, and UK is received in any format whatsoever, including electronic, paper or oral transmission. If there is any conflict between the terms in this DPF Notice and the DPF Principles, the DPF Principles shall govern.

3. Processing of Personal Data

Billtrust may from time to time process EEA, Swiss, and UK Personal Data about current or prospective clients, their customers, business partners, suppliers, vendors, independent contractors and consumers in order to provide information and services and to help Billtrust personnel better understand the needs and interests of these current and prospective clients and their customers. Specifically, Billtrust may process Personal Data to help complete a transaction or order, to facilitate communication, to deliver products/services, to bill for purchased products/services, to provide ongoing service and support, to communicate to individuals about products, services and related issues, to facilitate Billtrust’s internal administrative processes, to book travel, accommodation and event registration, for business continuity and/or disaster recovery, to select service and personnel, to access sales and order portals, for business planning, accounting and reporting, to organize and manage joint projects and joint ventures. Occasionally Billtrust personnel may use Personal Data to contact clients and business partners to complete surveys that are used for marketing and quality assurance purposes. The types of Personal Data we process, as well as the purposes for which we collect and use Personal Data, are set out in our Privacy Policy.

4. DPF Principles

A detailed description of the DPF Principles can be found on the website of the U.S. Department of Commerce.

4.1 Notice

We will inform individuals about the purposes for which we collect and use Personal Data about them, including the third parties to which Billtrust discloses their Personal Data and their right under the DPF. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Billtrust, or as soon as practicable thereafter, and in any event before Billtrust uses or discloses the information for a purpose other than that for which it was originally collected

4.2 Choice

As stated in our Privacy Policy, your Personal Data is kept strictly confidential and will not be shared or sold to third parties except as necessary to deliver our services. In the event Billtrust will need to share information outside of our normal services, we will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) disclosed to a third party acting as a controller, or (b) used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by you

4.3 Accountability for Onward Transfers

Billtrust may share Personal Data with our service providers and suppliers (“Agents”) for the purposes described above and to support our clients’ needs. Billtrust will obtain assurances from our Agents that they will safeguard Personal Data consistent with this DPF Notice and will use and transfer Personal Data only for limited and specific purposes. Billtrust maintains contracts with our Agents obligating the Agent to provide at least the same level of protection as is required by the relevant DPF Principles. Billtrust also recognizes its responsibility and potential liability for onward transfers to Agents. Where Billtrust has knowledge that an Agent is using or disclosing Personal Data in a manner contrary to this Notice and/or the level of protection as required by the DPF Principles, Billtrust will take reasonable and appropriate steps to prevent, remediate or stop such use or disclosure. If Billtrust transfers Personal Data to non-agent third parties acting as controllers, Billtrust will apply the Notice and Choice Principles, unless a specific exception applies under European data protection law applies, and will obtain assurance from such parties that they will provide the same level of protection as is required under the DPF Principles.

4.4 Security

Billtrust will take reasonable and appropriate precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

4.5 Data Integrity and Purpose Limitation

Billtrust will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Billtrust will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Billtrust will keep Personal Data only as long as necessary for the purposes described above or for statistical analysis, research or other approved purposes

4.6 Access

Upon request, Billtrust will grant individuals access to Personal Data that it holds about them. In addition, Billtrust will take reasonable steps to permit individuals to correct, amend, or delete information that is inaccurate or incomplete or has been processed in violation of the DPF Principles. Billtrust may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.

4.7 Recourse, Enforcement and Liability

Billtrust encourages individuals to raise any concerns they have using the contact information below. Billtrust will investigate and attempt to resolve any complaints and disputes regarding our collection, use, and disclosure of Personal Data to the extent possible within 45 days and in accordance with the DPF Principles.

If a complaint or dispute cannot be resolved through Billtrust’s internal processes, Billtrust has agreed to participate in the VeraSafe DPF Dispute Resolution Procedure. Subject to the terms of the VeraSafe DPF Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the DPF Dispute Resolution Procedure, please submit the required information to VeraSafe here: Verasafe Privacy Services  Dispute Resolution Submit Dispute.

In the event that Billtrust or the independent dispute resolution mechanism determines that Billtrust failed to comply with the DPF Principles, Billtrust will take appropriate steps to address any adverse effects and to promote future compliance. Billtrust is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body and enforcement authority under the DPF.

Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, you also have a right to invoke binding arbitration under certain circumstances. For further information, please refer to: Data Privacy Framework Annex I.

5. Required Disclosures

Under certain circumstances, Billtrust may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security, public interest, or law enforcement requirements. Billtrust’s adherence to the DPF Principles may therefore be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if any lawful exceptions or derogations are applicable.

6. Contact Information

EEA, Swiss, and UK individuals with inquiries, requests, or complaints regarding our DPF Notice should first contact Billtrust at:

ATTN: Client Support

Billtrust
Address: 1009 Lenox Drive , Suite 101, Lawrenceville, New Jersey 08648
Phone: 1 (888) 580-BILL
Fax: 1 (609) 235-1011
E-Mail: [email protected]

7. Billtrust’s Privacy Officer

Billtrust’s Privacy Officer can also be contacted regarding matters related to the processing of Personal Data under the DPF and to exercise any applicable rights. To make such an inquiry, please contact Billtrust at: [email protected]

9. Changes to this Policy

This Notice may be amended from time to time, consistent with the requirements of the DPF Principles. Appropriate notice will be provided concerning such amendments.

Effective Date: Sept 1, 2023