This Policy tells you, among other things:
- what Personal Data we collect about you and how we obtain it;
- the legal bases for processing your Personal Data;
- for what purposes we use that Personal Data;
- how long we keep your Personal Data;
- with whom we share your Personal Data;
- your rights about the Personal Data we collect about you and how you can exercise those rights;
- how we protect your Personal Data;
- how to contact us.
Our Role with Respect to Your Personal Data
Within the scope of this Policy, Billtrust acts as a data controller or “business” for the Personal Data we process. This means that we decide how and why Personal Data is collected and further processed.
We are also a data processor, processing Personal Data as directed by our Customers, when they use our Solutions. In these cases, we do not decide why and how that Personal Data will be processed.
- For the Personal Data of our Customers, business contacts and prospects, visitors of our Sites, and the data of sole proprietors that we may disclose in the context of the Business Payment Network, Credit2B and our Business Directory, we decide the purposes and means of processing, and consequently behave as a “business” or a data controller. Please note that we offer a business-to-business service. We incidentally process personal data of sole proprietors, when our Customers provide them to us as part of a wider list of business contacts. It is not always possible for us to differentiate between sole proprietors and corporations, based on the data we receive from our Customers.
What Personal Data We Process and How We Obtain It
The table below describes the categories of Personal Data that we have collected when we act as a data controller or “business”. The CCPA requires us to categorize the Personal Data we collect into a few groups, contained below:
|Personal Data We Collect, Process, or Store||How We Obtain It|
Data Category: Identifiers
|General (All products except Credit2B, BPN. BBD,Marketing): first and last name, email address, phone number, shipping address.||General: You provide us with this Personal Data during the order process, registration for our Solutions and use of our Solutions.|
|Credit2B: first and last name, business address, email address, Federal Tax ID (which can be a Social Security Number), shipping address, username (and password).||Credit2B: publicly available websites and other Customers.|
|Business Payment Network (BPN): first and last name, email address, company address, Tax ID (which can be a Social Security Number), account name and name of account owner(s), and Merchant ID.||Business Payment Network: our Customers (Payables providers and suppliers) our ACH transaction facilitator, and our Sponsors.|
|Billtrust Business Directory (BBD): company name (such as sole proprietor’s name), email address.||Billtrust Business Directory: our database for billing and payments, which contains data of our Customers and the customers of our Customers.|
Special categories of Personal Data
|General (All products except Credit2B, BPN. BBD,Marketing): credit card company, credit card number and expiration date, credit card billing address, bank account information, invoicing information.|
General: You provide us with this Personal Data during the order process, registration for our Solutions and use of our Solutions.
|Credit2B: financial statements.||Credit2B: Credit bureaus, publicly available websites (i.e. news websites) and other Customers.|
|Business Payment Network: telephone number, bank account information (to facilitate ACH and wire transactions)||Business Payment Network: our Customers (Payables providers and suppliers), our ACH transaction facilitator, and our Sponsors.|
|Marketing: phone number.||Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences; publicly available websites (for example, LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.|
Data Category: Protected characteristics
|Marketing: gender.||Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences; publicly available websites (for example LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.|
Data Category: Commercial information
|General(All products except Credit2B, BPN. BBD,Marketing): invoicing information.||General: You provide us with this Personal Data during the order process, registration for our Solutions and use of our Solutions.|
|Credit2B: Trade data, business operational, employment and financial characteristics; government compliance data; creditor exposure and payment experiences; industry opinions.||Credit2B: Credit bureaus, publicly available websites (i.e. news websites) and other customers.|
|Business Payment Network: monthly check data/volume, transaction value of payments flowing through the BPN (ultimately, this data is aggregated).||Business Payment Network: our Customers (Payables providers and suppliers), our ACH transaction facilitator, and our Sponsors.|
|Billtrust Business Directory: number of electronic payments, number of payments with paper checks, payment preferences (paper checks/electronic payment) (this is further aggregated).||Billtrust Business Directory: our database for billing and payments, which contains data of our Customers and the customers of our Customers.|
|Marketing: service and product purchase history.||Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences; publicly available websites (for example, LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.|
Data Category: Internet or other similar network activity
|General(All products except Credit2B, BPN. BBD,Marketing): your interaction with our website, applications and advertisements.|
Marketing: your interaction with our website, applications and advertisements.
|General and marketing: General: you provide us with this Personal Data when you visit our websites or interact with our Apps (with cookies).|
Data Category: Geolocation data
|Marketing: country information.||Marketing: you provide us with this Personal Data, when you visit our websites or interact with our Apps (for example, Google Analytics places a cookie in your device).|
Data Category: Sensory data
|Marketing: call recordings.||Marketing: you accept that we record the call when you phone us.|
Data Category: Professional or employment-related information
|Credit2B: job title.|
Credit2B: Credit bureaus, publicly available websites (i.e. news websites) and other Customers.
|Marketing: job title.||Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences; publicly available websites (for example LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.|
Data Category: Inferences drawn from other Personal Dat
|Business Payment Network: supplier’s payment preferences.||Business Payment Network: database for billing and payments, which contains data of our Customers and the customers of our Customers, suppliers and sponsors.|
Data Category: Other
|Credit2B: any content that you create or share, including any communications with Credit2B or other users, and other information related to your work or organization.||Credit2B: you create or share it in your communications with Credit2B or other users.|
We don’t collect additional categories of Personal Data, without informing you.
According to the CCPA, Personal Data does not include:
- de-identified or aggregated information; and
- information excluded from the CCPA’s scope, such as:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
- the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Lawful Bases for Processing
We must have a valid reason to use your Personal Data. It’s called the “lawful basis for processing”.
When we process Personal Data based on the instructions of our customers, our Customers must determine the appropriate lawful basis for processing your Personal Data. To learn about their lawful bases for processing your Personal Data, please read the privacy policies of our Customers.
When we determine why and how your Personal Data will be processed, we may process your Personal Data on the basis of:
- your consent;
- the need to perform a contract with you;
- our legitimate interests, such as our interest in marketing our Services; and the interests of third parties, such as the interest of Account Receivable providers in having a network connecting buyers with suppliers that improves the processing of payments;
- the need to comply with the law; or
- any other reason, as required or permitted by law.
Where we process your Personal Data based on your consent, it may be withdrawn at any time. However, this will not affect the lawfulness of our processing, before you withdrew your consent. It will also not affect the validity of our processing of personal data performed on other lawful grounds.
How Do We Use Your Personal Data?
The table below explains why we process your Personal Data, when we act as a data controller:
|Category of Personal Data||Businesses and Commercial Purposes for Processing Personal Data|
|Identifiers||General (All products except Credit2B, BPN. BBD,Marketing):|
– To maintain or service accounts for our Customers, providing customer service to our Customers, to process or fulfill orders and transactions including ACH or wire transfers, to verify customer information, to process payments, and to provide our Products and Solutions to our Customers;
– To detect security incidents, to protect our systems against malicious, deceptive, fraudulent, or illegal activities, and to prosecute those responsible for those activities;
– To identify errors in our systems, Sites, Products and Solutions.
– To perform internal purposes such as auditing, creating an internal directory, data analysis, and research to improve Billtrust’s products, services, and customer communications.
Credit2B: To create global business profiles, to enable portfolio monitoring and to send alerts on portfolio accounts of our Customers, and to create a portal that gathers credit application information, as part of the credit onboarding decisioning process of our Customers.
Business Payment Network: to maintain or service accounts for our Customers, to provide customer service to our Customers, to process or fulfill order processing and transactions including ACH and wire transfers, to verify customer information, to process payments, and providing the Business Payment Network product to our Customers.
Billtrust Business Directory: to identify opportunities within our customers’ customer bases to convert print invoices to electronic invoices and payments from paper checks to online payments.
Marketing: to keep you informed about upgrades, products and services of Billtrust, its affiliates and other third parties that may be of interest to you.
|Special categories of Personal Data||General: to process or fulfill orders and transactions, verify customer information, and provide our Products and Solutions to our Customers.|
Business Payment Network: to contact our customers, when required; to process or full order processing and transactions including ACH and wire transfers.
Marketing: to contact customers or prospects in order to market our Products and Solutions.
|Protected characteristics||Marketing: to address you in our marketing communications.|
|Commercial information||General: to process or fulfill orders and transactions, to verify customer information, payments, and to provide our Products and Solutions to our Customers.|
Credit2B: to gather and analyze credit application information for our Customers.
Business Payment Network: to create a two-sided platform in which payable providers can deliver digital payments directly to the suppliers’ acceptance platforms.
Billtrust Business Directory: to allow our customers to identify opportunities within their customer base to convert print invoices to electronic invoices and payments from paper checks to online payments.
Marketing: to send Customers relevant marketing communications in light of Products and Solutions that they have already purchased.
|Internet or other similar network activity||General: to detect security incidents, to protect our systems against malicious, deceptive, fraudulent, or illegal activities, and to prosecute those responsible for those activities.|
Marketing: to target the marketing of our products and services, to count ad impressions to unique visitors, and to verify positioning and quality of ad impressions.
|Geolocation data||Marketing: to obtain aggregate demographic information about the entire Billtrust audience, to help us create, develop, operate, deliver, and improve our products, services, content and advertising.|
|Sensory data||General: to provide and improve the quality of our customer service.|
Marketing: to contact you about our Products and Solutions.
|Professional or employment-related information||General and marketing: to provide customer service; to verify customer information, to process payments; and to provide our Products and Solutions to our Customers; to contact you about our Products and Solutions.|
|Inferences drawn from other Personal Data||Billtrust Business Directory: to allow our customers to identify opportunities within their customer base to convert print invoices to electronic invoices and payments from paper checks to online payments.|
How Long We Keep Your Personal Data
With respect to the data processing operations where we act as a data controller, we will retain your Personal Data for the period necessary to fulfil the purposes outlined in this Policy unless a longer retention period is required or permitted by law, for legal, tax or regulatory reasons, or other lawful legitimate purposes. We will also delete your Personal Data upon a verifiable request to delete the personal data.
Where we process Personal Data for marketing purposes or with your consent, we process the information until you ask us to stop and for a short period after this (to allow us to implement your requests).
We also keep a permanent record of the fact that you have asked us not to send you direct marketing or to process your Personal Data so that we can respect your request in future.
With respect to Personal Data that we process on behalf of our Customers, we retain Personal Data for as long as instructed by the respective Customer (who typically acts as a data controller) or as required by applicable law. Where a Customer requests the erasure of Personal Data, we will comply with such request within sixty days of our receipt of the request.
Your Personal Data may need to be retained in our backup systems and will only be deleted or overwritten at a later time, which is normally within two weeks. This may be the case, even when you or a Supervisory Authority has validly asked us to delete your Personal Data or when we not no longer have a legal basis for processing such Personal Data.
Sharing Data with Third Parties
The table below describes the categories of Personal Data that we have disclosed for our own operational business purposes, what categories of Personal Data we have sold, and the types of recipients of your Personal Data.
|Category of Personal Data||Categories of Third Parties to Which We Disclosed Personal Data for Business Purposes|
Categories of Third Parties to Which We Sold Data
|Identifiers||General, Credit2B, Business Payment Network and Business Directory: |
– Credit-reporting companies (only in the case of Credit2B) – Payment gateways
– Service providers that may provide:
– fax and printing services;
– hosting services;
– cloud data storage services and SaaS-based integration platforms;
– cloud-computing software;
– colocation and infrastructure services;
– electronic signature software;
– anti-money laundering solutions;
– payment infrastructure platforms;
– ACH and wire transaction facilitators;
– business intelligence software;
– big data analytics platform;
– event logging platforms;
– security solutions;
– and interactive voice response systems.
Marketing: providers of account-based marketing automation software, customer relationship management, sales engagement platforms, enterprise electronic invoice presentment & payment solutions, analytics, and B2B intelligence tools.
|Credit2B: credit bureaus, credit analysts, factor organizations, and Customers.|
|Special categories of Personal Data||Same as above.||Credit2B: credit bureaus, credit analysts, factor organizations, and Customers.|
|Protected characteristics||Same as above.||None.|
|Commercial information||Same as above.||Credit2B: credit bureaus, credit analysts, factor organizations, and Customers.|
Business Directory: our Customers.
|Internet or other similar network activity||Same as above.||None.|
|Geolocation data||Same as above.||None.|
|Sensory data||Same as above.||None.|
|Professional or employment-related information||Same as above.||None.|
|Inferences drawn from other Personal Data||Same as above.||Credit2B: same as above.|
Business Directory: (in aggregate) our Customers.
Some of these third parties may be located outside of the European Union or the European Economic Area. In some cases, the European Commission may have determined that in some countries, the applicable data protection laws provide a level of protection equivalent to European Union law. The following list shown here includes the countries that the European Commission has recognized as providing an adequate level of protection to personal data. When the GDPR applies to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries not recognized as providing an adequate level of protection to personal data, when there are appropriate safeguards in place. These may include the European-Commission-approved standard contractual data protection clauses under Article 46.2 of the GDPR, or transfers on the basis of the Privacy Shield Framework. To learn more about our Privacy Shield certification, read our Privacy Shield notice.
In the event that all or a part of Billtrust is bought, sold, or otherwise transferred, or is in the process of a potential transaction, Personal Data that you have provided for use, will likely be shared for evaluation purposes and included among the transferred business assets.
We may also disclose Personal Data when required by law or in the good-faith belief that such action is necessary in order to conform to the edicts of the law or comply with a legal process served on Billtrust or our Site.
What Privacy Rights Do You Have?
You have specific rights regarding your Personal Data that we collect and process. When we act as the data controller (i.e., the “business” under the CCPA) you can contact us directly to exercise your privacy rights. When our role is limited to just a service provider, and we only process your personal data based on the instructions of our Customer, then you must contact that Customer to exercise your privacy rights, and that Customer will then inform Billtrust of the changes, corrections, etc. that must be made to your Personal Data (based on the request you have made).
We only act as the data controller when we decide what personal data of yours to process, and for what purpose. However, Billtrust is usually just a service provider acting on behalf of our Customers. In that case, our Customers decide what data to collect about you and for what purposes they want to use it, and therefore only our Customer can directly help you with your privacy requests.
In this section, we first describe those rights and then we explain how you can exercise those rights.
Right to Know What Happens to Your Personal Data
This is called the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it and who it will be shared with, among other things.
We will always try to inform you about how we process your Personal Data. However, if we do not collect the Personal Data directly from you, the GDPR exempts us from the obligation to inform you (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the Personal Data must remain confidential, due to professional secrecy or other statutory secrecy obligations.
Right to Know What Personal Data We Have About You
This is called the right of access. This right allows you to ask for the full details of the Personal Data we hold on you.
You have the right to obtain confirmation from us, as to whether or not we process Personal Data concerning you and, where that is the case, a copy or access to the Personal Data and certain related information.
- The categories of Personal Data we collected about you;
- The categories of sources for the Personal Data we collected about you;
- Our purposes for the processing of that Personal Data;
- Where possible, the anticipated period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- The categories of third parties with whom we share that Personal Data;
- If we carry out automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
- The specific pieces of Personal Data we collected about you; and
- If we sold or disclosed your Personal Data for a business purpose, two separate lists disclosing:
- sales, identifying the Personal Data categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained; and
- If we rely on legitimate interests as a lawful basis to process your Personal Data, the legitimate interests pursued by us or by a third party;
- The appropriate safeguards for transferring data from the EU to a third country, if applicable.
Please take into account that the GDPR allows us not to satisfy your access request when:
- You already have the information;
- Providing such information proves impossible or would involve a disproportionate effort, or in so far as providing such information is likely to render impossible or seriously impair the achievement of the objectives of that processing; and
- That Personal Data must remain confidential, subject to an obligation of professional secrecy regulated by European Union or Member State law, including a statutory obligation of secrecy.
Please note that the CCPA does not allow us to disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers.
Right to Change Your Personal Data
This is called the right to rectification. It gives you the right to ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have on file about you and to complete any incomplete personal data.
If your account settings do not allow you change it, please contact us and we will do our best to change the Personal Data for you.
Right to Delete Your Personal Data
This is called the right to erasure, right to deletion or the “right to be forgotten”. This means that you can ask us to delete your Personal Data.
Please contact our Customer Service by telephone at 1-888-580-2455 to exercise the right of erasure.
Sometimes, we can delete your Personal Data. However, at other times, it is just not possible, such as when the law tells us we are not allowed to. If that is the case, we will consider if we can limit how we use your Personal Data, instead of deleting it.
Occasions Where We Cannot fulfill a Deletion Request Under the GDPR or the CCPA
The GDPR and the CCPA allow us to deny a request to erase your Personal Data, if we or our service providers need to retain the Personal Data to:
- Complete the transaction for which we collected the Personal Data;
- fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
- Provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Debug products to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights or exercise another right provided for by law;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- Enable solely internal uses that are reasonably aligned with your expectations, based on your relationship with us;
- Comply with a legal obligation, including (but not limited to) obligations from the California Electronic Communications Privacy Act; or
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to Ask Us to Change How We Process Your Personal Data
This is called the right to restrict processing. It is your right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain occasions, such as where you believe the data is inaccurate or the processing activity is unlawful. This right enables you to ask us to suspend the usage of Personal Data about you, such as when you want us to establish its accuracy or the reason for processing it.
Right to Ask Us to Stop Using Your Personal Data
This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right, where we rely on a legitimate interest of ours (or of a third party). You also have the right to object at any time to the processing of your Personal Data for direct marketing purposes.
We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.
If we have received your Personal Data in reliance on the Privacy Shield, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out, if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.
Right to Port or Move Your Personal Data
This is called the right to “data portability”. It is the right to ask for and download Personal Data about you that you have given us or that you have generated by virtue of the use of our services, so that you can:
- Move it;
- Copy it;
- Keep it for yourself; or
- Transfer it to another organization.
We will provide your Personal Data in a structured, commonly used and machine-readable format. When you request electronically to determine which data we have about you, we will provide you with a copy in electronic format.
Right Related to Automated Decision Making
We sometimes use computers to study your Personal Data. We might use this Personal Data, so we know how you use our services. For decisions that may seriously impact you, you have “the right not to be subject to automatic decision-making, including profiling”. However, in those cases, we will always explain to you when we might do this, why it is happening and its effect.
Right to Withdraw Your Consent
Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw your consent is still lawful.
If you have given consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.
Right Not to be Discriminated Against for Exercising your Privacy Rights
We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you with a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Right to Lodge a Complaint with a Supervisory Authority
If the GDPR applies to the processing of your Personal Data with us, the GDPR grants you the right to lodge a complaint with a supervisory authority, if you’re not satisfied with how we process your Personal Data.
In particular, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work or of an alleged violation of the GDPR.
Your Right to Opt Out of the Sale of Personal Data
You have the right to ask us to not sell your Personal Data at any time. This is called the “right to opt out”. To exercise the right to opt-out, you (or your authorized agent) you may submit a request to us by completing this form.
Once you make an opt-out request, we will wait at least twelve months before asking you to reauthorize the sale of your Personal Data. However, if you change your mind, you may opt back into Personal Data sales at any time, by using the contact details below. We will only use Personal Data provided in an opt-out request to review and comply with the request.If you would like to opt out of cookies (except for the strictly necessary ones), click on the “Cookie Settings” button below: Cookie Settings
Your Right to Opt In to the Sale of Personal Data
If you have directed us not to sell your Personal Data or if you want us to sell your Personal Data, you can opt-in to the sale of your Personal Data at any time.
In addition, we do not process nor sell the Personal Data of individuals that we know are less than 16 years old. We will not accept opt-in requests from parents or guardians on behalf of their children.
How Can You Exercise Your Privacy Rights?
To exercise any of the rights described above, please submit a request by either:Calling us at 1-888-580-2455
Contacting us by email at [email protected]; or
Filling out this online form.
You may appoint an authorized agent to exercise your rights on your behalf. You should appoint such agent via written permission or a power of attorney pursuant to Probate Code sections 4000 to 4465 (if you reside in the State of California) or the applicable rules for authorizing somebody else to exercise your rights in your country of residence.
To verify that your authorized agent acts on your behalf, we will ask for this written permission from your agent or for the power of attorney. In case you provided your authorized agent with written permission, we will also require that you verify your identity.
Verification of Your Identity
Bear in mind that to evaluate your privacy rights requests (except the requests to stop the sale of your Personal Data), we need to be sure it was you who made the request. Consequently, we might need some identification to check that you are, who you say you are.
To verify your identity, we will ask you some questions concerning information we already hold about you or ask you to verify that you’re the owner of the email address or phone number you are using to contact us. For this verification, we may ask you information related to various identifiers such as, your first name, last name, email address, phone number, complete billing address, and complete mailing address.
We will only use the Personal Data you provide us in a request to verify the requestor’s identity or authority to make the request.
Please note that you may only make a consumer request to know or data portability twice within a twelve (12)-month period.
Response Timing and Format of Our Responses
We will confirm the receipt of your request in ten (10) days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, except when we have already granted or denied the request.
Please allow up to thirty (30) days for us to reply to your requests (except requests to stop selling your Personal Data) from the day we received your request. If we need more time [up to ninety (90) days in total], we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the contact details associated with that account. If you do not have an account with us, we will send our written response electronically, unless you ask us to send our response by mail.
We will only cover the twelve-month period preceding the moment we receive the request in any disclosures that we provide you with.
We will act upon your request to opt out from selling your Personal Data in fifteen (15) days. We will also notify the third parties to whom we sold your Personal Data of your request and instruct them not to further sell your Personal Data, if they do. We will inform you about this within ninety (90) days from the receipt of your request.
If we cannot satisfy a request, we will also provide the reason(s) in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.
We promise that we will not charge a fee for processing or responding to your requests. There may be exceptions when we may charge a fee, if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate, before completing your request.
How Does Billtrust Protect your Information?
Billtrust works to maintain your confidence and trust in us and has, therefore, implemented physical, technical, and administrative measures designed to protect information from accidental loss, unauthorized access, use, alteration, and disclosure. We store and process your information on our servers located within the United States.
Billtrust, including the Site and Solutions, is not directed at children, and Billtrust does not knowingly solicit or collect Personal Data online from children under the age of thirteen (13). If Billtrust learns that a child under the age of thirteen (13) has submitted Personal Data online without prior verifiable parental consent, it will take all reasonable measures to delete such information from its databases and to not use such information for any purpose (except where necessary, to protect the safety of the child or others as required or allowed by law). If you become aware of any personally identifiable information we have collected from children under thirteen (13) years of age, please contact us at [email protected].
EU-US Privacy Shield
To the extent that the Site or Solutions involves the collection of personal data of our clients or their customers in the European Economic Area, Billtrust may transfer that personal data to the United States for processing and storage. Billtrust handles any such personal data in adherence with the EU-US Privacy Shield and has certified compliance with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity & Purpose Limitation, Access, Recourse, Enforcement and Liability. To access the Privacy Shield List and to find details of our certification, please see https://www.privacyshield.gov/. For more specific information, please review our Privacy Shield notice.
Data Protection Officer Contact Details
VeraSafe has been appointed as Billtrust’s Data Protection Officer (“DPO”) in accordance with Article 38 of the General Data Protection Regulation (“GDPR”). All comments, queries and requests relating to Billtrust’s use of Personal Data are welcomed. Please contact:
Data Protection Officer
22 Essex Way #8203 Essex, VT 05451 USA
+1 (617) 398-7067
Email: [email protected]