Privacy Shield: Protecting your personal data

This Privacy Shield Policy describes the practices of BTRS Holdings Inc with its covered entity, BTRS Holdings, Inc. and its wholly owned subsidiaries d/b/a Billtrust (“Billtrust”) to protect the personal data it receives from the European Economic Area (“EEA”) and Switzerland. Billtrust relies upon the Standard Contractual Clauses as the transfer mechanism for this personal data, but continues to adhere to the Privacy Shield Program. Billtrust is headquartered in the United States, and it maintains offices in other countries, such as Belgium and the Netherlands.

1. Introduction

This Policy outlines the general practices for implementing the requirements of the EU-U.S. Privacy Shield and the Swiss- U.S. Privacy Shield in connection with personal data that is transferred from the EEA and Switzerland to the U.S.: including the types of information that is collected and transferred; how it is used; and, the choices individuals located in the EEA and Switzerland have regarding the use of, and their ability to correct, that information

2. Scope

This Policy applies to all Billtrust U.S. operations, divisions and subsidiaries as far as personal information from the EEA and Switzerland is received in any format whatsoever, including electronic, paper or oral transmission. This Policy also applies to Agents (defined below) that handle and process EEA and Switzerland personal data on behalf of Billtrust. If there is any conflict between the terms in this notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

¹ Information about the U.S. Department of Commerce EU-U.S. Privacy Shield certification and the Swiss-U.S. Privacy Shield certification can be found at https://www.privacyshield.gov/.

3. Definitions

For purpose of this Policy, the following definitions shall apply: “Agent” means any third party processor that collects and/or uses personal information provided by Billtrust to perform tasks on behalf of and under the instructions of Billtrust. “Personal Data” and “Personal Information” are data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC, received by an organization in the United States from the European Union and Switzerland, and recorded in any form. Personal information does not include information that is anonymous (e.g. statistical information not relating to an identifiable person). “Sensitive Personal Information” means personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual or personal information received from a third party that is identified and treated as sensitive by the third party. “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

4. Processing of EEA Personal Data

Billtrust may from time to time process certain EEA and Switzerland Personal Data about current or prospective clients, their customers, business partners, suppliers, vendors, independent contractors and consumers, including information recorded on various media as well as electronic data. Billtrust will process these data in conformity with the EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles and will continue to apply the Principles to personal data received under the application of the Privacy Shield.

Billtrust will use Personal Information to provide information and services and to help Billtrust personnel better understand the needs and interests of these business partners and/or current and prospective clients and their customers. Specifically, Billtrust uses information to help complete a transaction or order, to facilitate communication, to deliver products/services, to bill for purchased products/services, to provide ongoing service and support, to communicate to individuals about products, services and related issues, to facilitate Billtrust’s internal administrative processes, to book travel, accommodation and event registration, for business continuity and/or disaster recovery, to select service and personnel, to access sales and order portals, for business planning, accounting and reporting, to organize and manage joint projects and joint ventures. Occasionally Billtrust personnel may use Personal Information to contact clients and business partners to complete surveys that are used for marketing and quality assurance purposes.

Billtrust may also share Personal Information with its service providers and suppliers (Agents) for the sole purpose and only to the extent needed to support the clients’ business needs. Service providers and suppliers are required to keep confidential Personal Information received from Billtrust and may not use it for any purpose other than originally intended. In case of data transfers to third parties acting as controllers the affected individuals will be informed about the transfer and the underlying purposes respectively.

5. Privacy Principles

A detailed description of the EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles can be found on the website of the U.S. Department of Commerce.

5.1 Notice

Where Billtrust collects Personal Information directly from our clients’ customers in the EEA and Switzerland, it will inform those individuals about the purposes for which it collects and uses Personal Information about them; the types or identity of third parties acting as controllers to which Billtrust discloses that information, the purposes for which it does so; and the choices and means, Billtrust offers individuals for limiting the use and disclosure of their Personal Information, and about the right of individuals to access their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Billtrust, or as soon as practicable thereafter, and in any event before Billtrust uses the information for a purpose other than that for which it was originally collected or discloses it for the first time to a third party.

5.2 Choice

As stated in our Privacy Policy, your personal information is kept strictly confidential and will not be shared or sold to third parties except as necessary to deliver our services. In the event Billtrust will need to share information outside of our normal services, we will offer individuals the opportunity to choose (opt-out) whether their Personal Information is (a) to be disclosed to a third party acting as a controller, or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal information, Billtrust will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of their Sensitive Personal Information to (a) a third party acting as a controller or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Billtrust will provide individuals with reasonable (especially clear and conspicuous, readily available) mechanisms to exercise their choices.

5.3 Accountability for Onward Transfer

Billtrust will obtain assurances from its Agents that they will safeguard Personal Information consistent with this Policy and will transfer personal data only for limited and specific purposes. Examples of appropriate assurances that may be provided by Agents include: a contract obligating the Agent to provide at least the same level of protection as is required by the relevant EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles, being subject to EU Data Protection Directive 95/46/EC or GDPR, EU-U.S. Privacy Shield certification and Swiss - U.S. Privacy Shield certification by the Agent, or being subject to another European Commission adequacy finding. Billtrust recognizes its responsibility and potential liability for onward transfers to Agents. Where Billtrust has knowledge that an Agent is using or disclosing Personal Information in a manner contrary to this Policy and/or the level of protection as required by the EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles, Billtrust will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.

If Billtrust transfers personal information to non-agent third parties acting as a controller, Billtrust will apply the Notice and Choice Principles unless a derogation for specific situations under European data protection law applies and will obtain assurance from these parties that they will provide the same level of protection as is required under the Principles.

5.4 Security

Billtrust will take reasonable and appropriate precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

5.5 Data Integrity and Purpose Limitation

Billtrust will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual (see 5.2.). Billtrust will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current. Billtrust will adhere to the Principles as long as it retains personal information received under its EU-U.S. Privacy Shield certification and Swiss- U.S. Privacy Shield certification. Billtrust will keep Personal Information only as long as necessary for the purpose of processing or for statistical analysis, research or another approved purpose.

5.6 Access

Upon request, Billtrust will grant individuals reasonable access to Personal Information that it holds about them. In addition, Billtrust will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles. Billtrust may limit an individual’s access to Personal Information where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.

5.7 Recourse, Enforcement and Liability

Billtrust utilizes the self-assessment approach to assure its compliance with this Policy. Billtrust periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles. Billtrust encourages interested persons to raise any concerns with it using the contact information below. Billtrust will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy. If Billtrust determines that any person in its employ is in violation of this Privacy Policy such person will be subject to disciplinary action.

Any questions or concerns regarding the use or disclosure of personal information should be directed to Billtrust Client Support using the contact information provided below in Section 7. Billtrust will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy.

Within the scope of this Privacy Shield Policy, if a privacy complaint or dispute cannot be resolved through Billtrust’s internal processes, Billtrust has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/.

In the event that Billtrust or the independent dispute resolution mechanism determines that Billtrust did not comply with this Policy, Billtrust will take appropriate steps to address any adverse effects and to promote future compliance. Billtrust is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body and enforcement authority under the Privacy Shield.

Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, individuals have a right to invoke binding arbitration under the Privacy Shield Panel as recourse mechanism of ’last resort’.

6. Limitations

Billtrust’s adherence to the EU-U.S. Privacy Shield Principles and Swiss- U.S. Privacy Shield Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements, e.g. in the course of lawful requests by public authorities (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.

7. Contact Information

In compliance with the Privacy Shield Principles, Billtrust commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Billtrust at:

ATTN: Client Support

Billtrust
Address: 1009 Lenox Drive , Suite 101, Lawrenceville, New Jersey 08648
Phone: 1 (888) 580-BILL
Fax: 1 (609) 235-1011
E-Mail: [email protected]

Billtrust has further committed to refer unresolved Privacy Shield complaints to VeraSafe, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit www.verasafe.com/public-resources/dispute-resolution/submit-dispute/ or www.verasafe.com/about-verasafe/contact-us/ to contact VeraSafe for more information or to file a complaint. The services of Verasafe are provided at no cost to you.

VeraSafe
100 M Street S.E., Suite 600
Washington, D.C. 20003
USA
+1-617-398-7067
Email: [email protected]

8. Billtrust’s Privacy Officer

Billtrust’s Privacy Officer can be contacted regarding matters related to the processing of personal data and to exercise any applicable data subject rights. To make such an inquiry, please contact Billtrust at: [email protected]

9. Changes to this Policy

This Policy may be amended from time to time, consistent with the requirements of the EU-U.S. Privacy Shield principles. Appropriate public notice will be given concerning such amendments.

Effective Date: April 30, 2022