Privacy Policy

BTRS Holdings, Inc. and its wholly owned subsidiaries (“Billtrust”, “we”, “us”, “our”) takes the protection of personal information (“Personal Data”) very seriously. We are a software company, specializing in order-to-cash solutions. In the normal course of our business activities, we act as processor or service provider on behalf of our clients. Such activities fall outside the scope of this “Privacy Notice”, “Privacy Policy”, or “Policy”. Please read this Policy carefully to understand the limited circumstances in which it may apply to your Personal Data and to learn more about how we protect your Personal Data and what privacy rights may be available to you under applicable data protection and privacy laws, such as the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).

Billtrust is responsible for processing your Personal Data described in this Policy.

This Policy applies to Personal Data collected by us, or provided by you, through the delivery of our products, on the Billtrust websites, mobile applications, social media pages that link to this Privacy Notice; during your interactions with Billtrust regarding training, publications, meetings, and events, and in the context of other sales and marketing activities. This Policy explains Billtrust’s practices regarding the collection of Personal Data that is gathered through:

• our websites (the “Sites”)
• through the delivery of our Products (including Business Payments Network (“BPN”), Billtrust Business Directory (“BBD”), Cash Application (“Cash App”), Credit; eCommerce; Collections and Invoicing and Payments and the new Billtrust Platform (collectively “Products”) as well as customer portals (Vuebill and Client Connect) and
• through interactions via telephone, email and other communication channels and other sales and marketing activities.

By visiting the Sites or using our Products, you are accepting the practices described in this Policy.

If you provide us or our service providers with any personal data relating to other individuals, you represent that you have the authority to do so, and where required, have obtained the necessary consent, and acknowledge that any such personal data may be used in accordance with this Privacy Notice.

This Policy tells you, among other things:

• what Personal Data we collect about you and how we obtain it;
• the legal bases for processing your Personal Data;
• for what purposes we use that Personal Data;
• how long we keep your Personal Data;
• with whom we share your Personal Data;
• your rights about the Personal Data we collect about you and how you can exercise those rights;
• how we protect your Personal Data;
• how to contact us.

This Policy does not apply to Billtrust’s processing of the personal data of its personnel, such as employees and contractors.

This Policy does not apply to personal data we process in the role of a data processor or service provider on behalf of our clients or customers, including where we offer to our clients or customers various cloud products and services through which our clients or customers (or their affiliates) collect, use, share or process personal data using our cloud products and services.

We are not responsible for the privacy or data security practices of our clients or customers, which may differ from those detailed in this Policy.

We may alter this Policy as needed to abide by local laws or regulations around the world, such as by providing supplemental information in certain countries.

When we process the Personal Data on behalf of our Customers to provide our services, we act as a data processor or service provider. Where you give your data to one of our Customers or where we collect your Personal Data on their behalf, our Customer’s privacy policy, rather than this Privacy Policy, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights.

For the Personal Data of our Customers, business contacts and prospects, visitors of our Sites, and the data of sole proprietors that we may disclose in the context of the Business Payment Network (“BPN”), Credit and our Business Directory (“BBD”), we decide the purposes and means of processing, and consequently behave as a data controller. Please note that we offer a business-to-business service. We incidentally process personal data of sole proprietors, when our Customers provide them to us as part of a wider list of business contacts. It is not always possible for us to differentiate between sole proprietors and corporations, based on the data we receive from our Customers.

The table below describes the categories of Personal Data that we have collected when we act as a data controller: 

Personal data we collect, process, or store	How we obtain it
Data Category: Identifiers
General (This row applies to all Billtrust Products except data processed in Credit, BPN, BBD, and for marketing purposes): first and last name, email address, phone number, shipping address.	You provide us with this Personal Data during the order process, registration for, and use of our Products.
Credit: first and last name, business address, email address, Federal Tax ID (which can be a Social Security Number), shipping address, username (and password).	Publicly available websites and other Customers.
Business Payment Network (BPN): first and last name, email address, company address, Tax ID (which can be a Social Security Number), account name and name of account owner(s), and Merchant ID.	Our Customers (Payables providers and suppliers) and our Sponsors.
Billtrust Business Directory (BBD): company name (such as sole proprietor’s name), email address.	Our database for billing and payments, which contains data of our Customers and the customers of our Customers.
Marketing: first and last name, IP address, email address, mailing address.	Cookies placed in our Sites as described in our Cookie Policy; communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences/events; publicly available websites (for example, LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.
Special categories of Personal Data
General (This row applies to all Billtrust Products except data processed in Credit, BPN, BBD, and for marketing purposes): credit card company, credit card number and expiration date, credit card billing address, bank account information, invoicing information.	You provide us with this Personal Data during the order process, registration for, and use of our Products
Credit: financial statements.	Credit bureaus, publicly available websites (i.e. news websites) and other Customers.
Business Payment Network: telephone number; bank account information (to facilitate ACH and wire transactions).	Our Customers (Payables providers and suppliers) and our Sponsors.
Marketing: phone number.	Communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences/events; publicly available websites (for example, LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.
Data Category: Protected characteristics
Marketing: Gender	Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences/events; publicly available websites (for example LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.
Data Category: Commercial information
General (This row applies to all Billtrust Products except data processed in Credit, BPN, BBD, and for marketing purposes) invoicing information.	General: You provide us with this Personal Data during the order process, registration for, and use of our Products.
Credit: Trade data, business operational, employment and financial characteristics; government compliance data; creditor exposure and payment experiences; industry opinions.	Credit: Credit bureaus, publicly available websites (i.e. news websites) and other customers.
Business Payment Network: monthly check data/volume, transaction value of payments flowing through the BPN (ultimately, this data is aggregated).	Business Payment Network: our Customers (Payables providers and suppliers), our ACH transaction facilitator, and our Sponsors.
Billtrust Business Directory: number of electronic payments, number of payments with paper checks, payment preferences (paper checks/electronic payment) (this is further aggregated).	Billtrust Business Directory: our database for billing and payments, which contains data of our Customers and the customers of our Customers.
Marketing: service and product purchase history.	Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences/events; publicly available websites (for example, LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.
Data Category: Internet or other similar network activity
General (This row applies to all Billtrust Products except data processed in Credit, BPN, BBD, and for marketing purposes Marketing) your interaction with our website, applications and advertisements.	General and marketing: General: you provide us with this Personal Data when you visit our websites or interact with our Apps (with cookies).
Marketing: your interaction with our website, applications and advertisements, such as URLs visited.
Data Category: Geolocation data
Marketing: country information.	Marketing: you provide us with this Personal Data, when you visit our websites or interact with our Apps (for example, Google Analytics places a cookie in your device).
Data Category: Sensory data
Marketing: call recordings.	Marketing: you accept that we record the call when you phone us.
Data Category: Professional or employment-related information
Credit2B: job title.	Credit2B: Credit bureaus, publicly available websites (i.e. news websites) and other Customers.
Marketing: job level, job title, company name	Marketing: communications sent by you or other customers/prospects via our websites or by email; tradeshows/conferences/events; publicly available websites (for example LinkedIn, Zoominfo, industry websites); and vendors that provide website analytics and account-based marketing platform services.
Data Category: Inferences drawn from other Personal Data
Business Payments Network: supplier’s payment preferences.	Business Payments Network: database for billing and payments, which contains data of our Customers and the customers of our Customers, suppliers and sponsors.
Data Category: Biometric Data
General: fingerprint data	General: some mobile applications allow users to optionally provide a fingerprint instead of a password.
Data Category: Other
Credit: any content that you create or share, including any communications with Credit or other users, and other information related to your work or organization.	Credit: you create or share it in your communications with Credit or other users.

We don’t collect additional categories of Personal Data, without informing you.

When we process Personal Data based on the instructions of our customers, our Customers must determine the appropriate lawful basis for processing your Personal Data. To learn about their lawful bases for processing your Personal Data, please read the privacy policies of our Customers.

When we determine why and how your Personal Data will be processed, the legal bases for processing are described in the table below:

Processing Purpose*	Legal Basis
Providing our products and services	To perform a contract with you or to take steps that you request when signing up for the services.
Communicating with you regarding our products and services and general inquiries.	If you contact us by email, social media or other method, we process information about you to interact with you and to respond to your requests. It is in our legitimate interests to communicate with you and fulfill your requests.
Operating our websites.	We are obligated to perform our contract with you for the use of our websites and services and to fulfill our obligations under the applicable terms of use and service; to the extent we do not have a contract in place, we process your personal data based on our legitimate interest to operate and administer our websites and to provide you with information, offer an improved website user experience, and/or protect and maintain our websites.
Marketing our products, services, or events.	Our direct marketing is based on our legitimate interest or, if provided, your prior consent.
For research and development	Our legitimate interests, such as our interest in marketing our services; and the interests of third parties, for example the interest of Account Receivable providers in having a network connecting buyers with suppliers that improves the processing of payments. You have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided in this Privacy Notice.
For compliance, security, and safety	Protecting our business and managing the security of our environments is based on our legitimate interest to protect our systems and rights, and the rights of others.
To comply with our legal obligations	Our compliance with the law.
With your consent	Your consent, which may be withdrawn at any time. However, this will not affect the lawfulness of our processing, before you withdraw your consent. It will also not affect the validity of our processing of personal data performed on other lawful grounds.

*Details regarding each processing purpose listed below are provided in the section below titled “How do we use your personal data?”.

The table below explains why we process your Personal Data, when we act as a data controller:

Category of Personal Data	Businesses and Commercial Purposes for Processing Personal Data
Identifiers	General (All Products except Credit, BPN, BBD, and marketing activity): To maintain or service accounts for our Customers, providing customer service to our Customers, to process or fulfill orders and transactions including ACH or wire transfers, to verify customer information, to process payments, and to provide our Products to our Customers; To detect security incidents, to protect our systems against malicious, deceptive, fraudulent, or illegal activities, and to prosecute those responsible for those activities; To identify errors in our systems, Sites, Products . To perform internal purposes such as auditing, creating an internal directory, data analysis, and research to improve Billtrust’s products, services, and customer communications.
	Credit: To create global business profiles, to enable portfolio monitoring and to send alerts on portfolio accounts of our Customers, and to create a portal that gathers credit application information, as part of the credit onboarding decisioning process of our Customers.
	Business Payment Network: to maintain or service accounts for our Customers, to provide customer service to our Customers, to process or fulfill order processing and transactions including ACH and wire transfers, to verify customer information, to process payments, and providing the Business Payment Network product to our Customers.
	Billtrust Business Directory: to identify opportunities within our customers’ customer bases to convert print invoices to electronic invoices and payments from paper checks to online payments.
	Marketing: to keep you informed about upgrades, products and services of Billtrust, its affiliates and other third parties that may be of interest to you.
Special categories of Personal Data	General: to process or fulfill orders and transactions, verify customer information, and provide our Products to our Customers.
	Business Payment Network: to contact our customers, when required; to process or full order processing and transactions including ACH and wire transfers.
	Marketing: to contact customers or prospects in order to market our Products.
Protected characteristics	Marketing: to address you in our marketing communications.
Commercial information	General: to process or fulfill orders and transactions, to verify customer information, payments, and to provide our Products to our Customers.
	Credit: to gather and analyze credit application information for our Customers.
	Business Payment Network: to create a two-sided platform in which payable providers can deliver digital payments directly to the suppliers’ acceptance platforms.
	Billtrust Business Directory: to allow our customers to identify opportunities within their customer base to convert print invoices to electronic invoices and payments from paper checks to online payments.
	Marketing: to send Customers relevant marketing communications in light of Products that they have already purchased.
Internet or other similar network activity	General: to detect security incidents, to protect our systems against malicious, deceptive, fraudulent, or illegal activities, and to prosecute those responsible for those activities.
	Marketing: to target the marketing of our products and services, to count ad impressions to unique visitors, and to verify positioning and quality of ad impressions.
Geolocation data	Marketing: to obtain aggregate demographic information about the entire Billtrust audience, to help us create, develop, operate, deliver, and improve our products, services, content and advertising.
Sensory data	General: to provide and improve the quality of our customer service.
	Marketing: to contact you about our Products.
Professional or employment-related information	General and marketing: to provide customer service; to verify customer information, to process payments; and to provide our Products to our Customers; to contact you about our Products.
Biometric Data	General: to enable login to some mobile applications.
Inferences drawn from other Personal Data	Billtrust Business Directory: to allow our customers to identify opportunities within their customer base to convert print invoices to electronic invoices and payments from paper checks to online payments.

With respect to the data processing operations where we act as a data controller, we will retain your Personal Data for the period necessary to fulfil the purposes outlined in this Policy unless a longer retention period is required or permitted by law, for legal, tax or regulatory reasons, or other lawful legitimate purposes. Where required by law, we will also delete your Personal Data upon a verifiable request to delete the personal data.

With respect to Personal Data that we process on behalf of our Customers, we retain Personal Data for as long as instructed by the respective Customer (who typically acts as a data controller) or as required by applicable law.

Where we process Personal Data for marketing purposes or with your consent, we process the information until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your Personal Data so that we can respect your request in future.

Your Personal Data may need to be retained in our backup systems and will only be deleted or overwritten at a later time, which is normally within two weeks. This may be the case, even when you or a Supervisory Authority has validly asked us to delete your Personal Data or when we no longer have a legal basis for processing such Personal Data.

We may disclose Personal Data to third party service providers who process information on our behalf, act as professional advisors, or who are involved in a corporate transaction. We may also disclose Personal Data to law enforcement agencies, government bodies or private parties as required by law. Disclosures of Personal Data may be necessary for the performance of our contract, our legitimate interests, or when we are required to do so by law. For any recipient categories not mentioned in this section, we may share your Personal Data where you have given us permission to do so.

We describe below the categories of Personal Data that we have disclosed for our own operational business purposes, what categories of Personal Data we have sold, and the types of recipients of your Personal Data. The information about our data sharing practices is structured as follows:

• Our disclosures of Personal Data processed in the context of most Billtrust Products (excluding Credit, BPN and BBD).
• Our disclosures of Personal Data processed in the context of Credit.
• Our disclosures of Personal Data processed in the context of the BPN.
• Our disclosures of Personal Data processed in the context of the BBD.
• Our disclosures of Personal Data processed for our marketing purposes.
• International data transfers.

What Categories of Personal Data Does Billtrust Share with Service Providers?

Identifiers, special categories of Personal Data, commercial Information, inferences drawn from other Personal Data, and biometric data

What Types of Service Providers May Receive These Categories of Personal Data?

Payment gateways; service providers who provide fax and printing services; hosting services; cloud data storage services and SaaS-based integration platforms; cloud-computing software; co-location and infrastructure services; electronic signature software; anti-money laundering screening solutions; payment infrastructure platforms; ACH wire transaction facilitators; business intelligence software; big data analytics platform; event logging platforms; security solutions; and interactive voice response systems.

What Categories of Personal Data May We Sell to Third Parties?

We don’t sell any Personal Data processed in the context of the use of any of the Billtrust Products, except as described in the data sharing sections related to other products, below.

What Categories of Personal Data from Credit Does Billtrust Share with Service Providers?

Identifiers, special categories of Personal Data, commercial information, inferences drawn from other Personal Data; and other Personal Data included in the content that you create or share, including any communications with Credit or other users, and other information related to your work or organization.

What Types of Service Providers May Receive These Categories of Personal Data?

Credit-reporting companies, payment gateways, and who provide fax and printing services; hosting services; cloud data storage services and SaaS-based integration platforms; cloud-computing software; co-location and infrastructure services; electronic signature software; anti-money laundering solutions; payment infrastructure platforms; ACH wire transaction facilitators; business intelligence software; big data analytics platform; event logging platforms; security solutions; and interactive voice response systems.

What Categories of Personal Data May We Sell to Third Parties?

In order to facilitate intelligent decision making by the customers of our Credit product, we may share information entered by our customers with credit agencies and other third parties, and receive information from them in turn. When that exchange of information involves the Personal Data of an individual or household, as in the case of a sole proprietorship, these types of data flows may be considered a “sale” under the CCPA.

Identifiers, special categories of Personal Data, commercial information, and inferences drawn from other Personal Data.

What Types of Third Parties May Receive These Categories of Sold Personal Data?

Credit bureaus, credit analysts, factoring organizations, and our Customers.

What Categories of Personal Data Does Billtrust Share with Service Providers?

Identifiers, special categories of Personal Data, commercial information, inferences drawn from other Personal Data.

What Types of Service Providers May Receive These Categories of Personal Data?

Payment gateways, and service providers who provide fax and printing services; hosting services; cloud data storage services and SaaS-based integration platforms; co-location and infrastructure services; payment infrastructure platforms; ACH wire transaction facilitators; business intelligence software; big data analytics platform; and event logging platforms.

What Categories of Personal Data May We Sell to Third Parties?

We don’t sell any Personal Data processed in the context of the use of the BPN.

What Categories of Personal Data Does Billtrust Share with Service Providers?

We don’t share any Personal Data processed in the context of the use of the BBD with our service providers.

What Categories of Personal Data May We Sell to Third Parties?

We don’t sell any Personal Data processed in the context of the use of the BBD to third parties as defined in the CCPA. We share commercial information in aggregated form with our customers.

What Categories of Personal Data Does Billtrust Share with Service Providers?

Identifiers, special categories of Personal Data, protected characteristics, commercial information, internet or other similar network activity information, geolocation information, sensory data, professional or employment-related information.

What Types of Service Providers May Receive These Categories of Personal Data?

Service providers that provide account-based marketing automation software, customer relationship management services, sales engagement platforms, enterprise electronic invoice presentment and payment solutions, analytics, and B2B intelligence tools.

What Categories of Personal Data May We Sell to Third Parties?

We don’t sell any Personal Data processed for our marketing purposes to third parties as defined in the CCPA. Where required by law, we will obtain your opt-in consent before we share your personal data with any company outside of Billtrust for marketing purposes.

Please note that marketing cookies are disabled by default for IP addresses from California and the European Economic Area. If you do not want us to use cookies for marketing purposes as described in our Cookie Policy, please change your cookie settings in our cookie banner.

Further, we take technical measures to restrict how our partners use the data of persons in California. For example, we enable Google Restricted Data Processing not to use California-based information for our remarketing efforts and to ensure that Google will only use data collected on behalf of us in Google Analytics to provide Google Analytics services.

Billtrust is headquartered in the United States, and it maintains offices in other countries, such as Belgium and the Netherlands. Sometimes we transfer your personal data within the Billtrust group, including outside of Europe to countries not deemed by the European Commission to provide an adequate level of protection for personal data, in which case the transfer will be based on appropriate standard contractual clauses and other safeguards as necessary under applicable law.

In general, when we transfer personal data outside of Europe, whether within the Billtrust group, or to third parties in countries not deemed by the European Commission to provide an adequate level of protection for personal data, the transfer will be made pursuant to:

• A contract with appropriate standard contractual clauses and other safeguards as necessary under applicable law;
• The recipient’s Binding Corporate Rules;
• The consent of the individual to whom the personal data relates; or
• Other mechanisms or legal grounds as may be permitted under applicable law

Billtrust also relies upon adherence to the Data Privacy Framework (DPF) Certification as a transfer mechanism for Personal Data, from the European Union, Switzerland, and the United Kingdom. To learn more about our Data Privacy Framework certification, read our Data Privacy Framework Notice.

In the event that all or a part of Billtrust is bought, sold, or otherwise transferred, or is in the process of a potential transaction, Personal Data that you have provided for use, will likely be shared for evaluation purposes and included among the transferred business assets.

We may also disclose Personal Data when required by law or in the good-faith belief that such action is necessary in order to conform to the edicts of the law or comply with a legal process served on Billtrust or our Site.

If you are subject to an applicable data protection or privacy law, such as the CCPA, the GDPR, and in some cases the Nevada Privacy Law, you have specific rights regarding your Personal Data that we collect and process. When we act as the data controller, you can contact us directly to exercise your privacy rights. When our role is limited to just a service provider, and we only process your personal data based on the instructions of our Customer, then you must contact that Customer to exercise your privacy rights, and that Customer will then inform Billtrust of the changes, corrections, etc. that must be made to your Personal Data (based on the request you have made).

We only act as the data controller when we decide what personal data of yours to process, and for what purpose.

In many circumstances, Billtrust may act as a service provider on behalf of our Customers. In those circumstances, our Customers decide what data to collect about you and for what purposes they want to use it, and therefore only our Customer can directly help you with your privacy requests.

In this section, we first describe those rights and then we explain how you can exercise those rights.

Right to Know What Happens to Your Personal Data

This is called the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Privacy Policy.

We will always try to inform you about how we process your Personal Data. However, if we do not collect the Personal Data directly from you, the GDPR exempts us from the obligation to inform you (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the Personal Data must remain confidential, due to professional secrecy or other statutory secrecy obligations.

Right to Know What Personal Data We Have About You

This is called the right of access. You may ask us for a copy of the personal data we hold about you, as well as know more about how we process your personal data.

Please take into account that the GDPR allows us not to satisfy your access request when:

• You already have the information;
• Providing such information proves impossible or would involve a disproportionate effort, or in so far as providing such information is likely to render impossible or seriously impair the achievement of the objectives of that processing; and
• That Personal Data must remain confidential, subject to an obligation of professional secrecy regulated by European Union or Member State law, including a statutory obligation of secrecy.

CCPA does not allow us to disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers.

Right to Change Your Personal Data

This is called the right to rectification. It gives you the right to ask us to correct, without undue delay, anything that you think is wrong with the Personal Data we have on file about you and to complete any incomplete personal data.

If your account settings do not allow you to change it, please contact us and we will do our best to change the Personal Data for you.

Right to Delete Your Personal Data

This is called the right to erasure, right to deletion or the “right to be forgotten”. This means that you can ask us to delete your Personal Data.

Please contact our Customer Service by telephone at 1-888-580-2455 to exercise the right of erasure. Sometimes, we can delete your Personal Data. However, at other times, it is just not possible, such as when the law tells us we are not allowed to. If that is the case, we will consider if we can limit how we use your Personal Data, instead of deleting it.

Occasions Where We Cannot fulfill a Deletion Request Under the GDPR or the CCPA

The GDPR and the CCPA allow us to deny a request to erase your Personal Data, if we or our service providers need to retain the Personal Data to:

1. Complete the transaction for which we collected the Personal Data;
2. fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
3. Provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
4. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
5. Debug products to identify and repair errors that impair existing intended functionality;
6. Exercise free speech, ensure the right of another consumer to exercise their free speech rights or exercise another right provided for by law;
7. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
8. Enable solely internal uses that are reasonably aligned with your expectations, based on your relationship with us;
9. Comply with a legal obligation, including (but not limited to) obligations from the California Electronic Communications Privacy Act; or
10. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Right to Ask Us to Change How We Process Your Personal Data

This is called the right to restrict processing. It is your right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain occasions, such as where you believe the data is inaccurate or the processing activity is unlawful. This right enables you to ask us to suspend the usage of Personal Data about you, such as when you want us to establish its accuracy or the reason for processing it.

Right to Ask Us to Stop Using Your Personal Data

This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right, where we rely on a legitimate interest of ours (or of a third party). You also have the right to object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

If we have received your Personal Data in reliance on the Data Privacy Framework, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out, if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized.

Right to Port or Move Your Personal Data

This is called the right to “data portability”. It is the right to ask for and download Personal Data about you that you have given us or that you have generated by virtue of the use of our services, so that you can:

• Move it;
• Copy it;
• Keep it for yourself; or
• Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used and machine-readable format. When you request electronically to determine which data we have about you, we will provide you with a copy in electronic format.

Right Related to Automated Decision Making

We sometimes use computers to study your Personal Data. We might use this Personal Data, so we know how you use our services. For decisions that may seriously impact you, you have “the right not to be subject to automatic decision-making, including profiling”. However, in those cases, we will always explain to you when we might do this, why it is happening and its effect.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw your consent is still lawful.

If you have given consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.

Right Not to be Discriminated Against for Exercising your Privacy Rights

We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you with a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Right to Lodge a Complaint with a Supervisory Authority

If the GDPR applies to the processing of your Personal Data with us, the GDPR grants you the right to lodge a complaint with a supervisory authority, if you’re not satisfied with how we process your Personal Data.

In particular, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work or of an alleged violation of the GDPR.

Your Right to Opt Out of the Sale of Personal Data

You have the right to ask us to not sell your Personal Data at any time. This is called the “right to opt out”. To exercise the right to opt-out, you (or your authorized agent) may submit a request to us by completing this form.

Once you make an opt-out request, we will wait at least twelve months before asking you to reauthorize the sale of your Personal Data. However, if you change your mind, you may opt back into Personal Data sales at any time, by using the contact details below. We will only use Personal Data provided in an opt-out request to review and comply with the request. If you would like to opt out of cookies (except for the strictly necessary ones), click on the “Cookie Settings” button below:

Cookie Settings

Your Right to Opt In to the Sale of Personal Data

If you have directed us not to sell your Personal Data or if you want us to sell your Personal Data, you can opt-in to the sale of your Personal Data at any time.

In addition, we do not process nor sell the Personal Data of individuals that we know are less than 16 years old. We will not accept opt-in requests from parents or guardians on behalf of their children.

To exercise any of the rights described above, please submit a request by either:

• Calling us at 1-888-580-2455
• Contacting us by email at [email protected];
• or Filling out this online form.

Authorized Agents

You may appoint an authorized agent to exercise your rights on your behalf. You should appoint such an agent via written permission or a power of attorney pursuant to Probate Code sections 4000 to 4465 (if you reside in the State of California) or the applicable rules for authorizing somebody else to exercise your rights in your country of residence.

To verify that your authorized agent acts on your behalf, we will ask for this written permission from your agent or for the power of attorney. In case you provided your authorized agent with written permission, we will also require that you verify your identity.

Verification of Your Identity

Bear in mind that to evaluate your privacy rights requests (except the requests to stop the sale of your Personal Data), we need to be sure it was you who made the request. Consequently, we might need some identification to check that you are, who you say you are.

To verify your identity, we will ask you some questions concerning information we already hold about you or ask you to verify that you’re the owner of the email address or phone number you are using to contact us. For this verification, we may ask you information related to various identifiers such as, your first name, last name, email address, phone number, complete billing address, and complete mailing address.

We will only use the Personal Data you provide us in a request to verify the requestor’s identity or authority to make the request.

Please note that you may only make a consumer request to know or data portability twice within a twelve (12)-month period.

Response Timing and Format of Our Responses

We will confirm the receipt of your request in ten (10) days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, except when we have already granted or denied the request.

Please allow up to thirty (30) days for us to reply to your requests (except requests to stop selling your Personal Data) from the day we received your request. If we need more time [up to ninety (90) days in total], we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to t

he contact details associated with that account. If you do not have an account with us, we will send our written response electronically, unless you ask us to send our response by mail.

We will only cover the twelve-month period preceding the moment we receive the request in any disclosures that we provide you with.

We will act upon your request to opt out from selling your Personal Data in fifteen (15) days. We will also notify the third parties to whom we sold your Personal Data of your request and instruct them not to further sell your Personal Data, if they do. We will inform you about this within ninety (90) days from the receipt of your request.

If we cannot satisfy a request, we will also provide the reason(s) in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

We promise that we will not charge a fee for processing or responding to your requests. There may be exceptions when we may charge a fee, if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate, before completing your request.

Billtrust works to maintain your confidence and trust in us and has, therefore, implemented physical, technical, and administrative measures designed to protect information from accidental loss, unauthorized access, use, alteration, and disclosure. We store and process your information on our servers located within the United States.

Billtrust, including the Site, is not directed at children, and Billtrust does not knowingly solicit or collect Personal Data online from children under the age of thirteen (13). If Billtrust learns that a child under the age of thirteen (13) has submitted Personal Data online without prior verifiable parental consent, it will take all reasonable measures to delete such information from its databases and to not use such information for any purpose (except where necessary, to protect the safety of the child or others as required or allowed by law). If you become aware of any personally identifiable information we have collected from children under thirteen (13) years of age, please contact us at [email protected].

To the extent that the Site or Solutions involves the collection of personal data of our clients or their customers in the European Economic Area, Billtrust may transfer that personal data to the United States for processing and storage. Billtrust relies on the Standard Contractual Clauses and other contractual safeguards as the transfer mechanism for that personal data, but continues to adhere to the Data Privacy Framework Principles. Billtrust believes its commitment to the Data Privacy Framework Principles further demonstrates its commitment to data privacy and security. Billtrust certified compliance with the Data Privacy Framework Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity & Purpose Limitation, Access, Recourse, Enforcement and Liability. To access the Data Privacy Framework List and to find details of our certification, please see Data Privacy Framework. For more specific information, please review our Data Privacy Framework Notice.

This Privacy Policy may be updated and revised from time to time, and we will post the current version of this Privacy Policy on our webpage. When we revise it, we will also update the “Effective” date.

You agree that the Personal Data we gather now, will be subject to the Privacy Policy in effect at the time of use. We may contact you through email regarding material, retroactive changes to our Privacy Policy or practices, but you should check the Site periodically to review any changes. In order to receive communications from Billtrust regarding, among other things, our privacy practices, it is important that the email address you have on record with Billtrust is kept up to date.

We suggest that you review this Privacy Policy periodically, since it may be updated from time to time. In all cases, your continued use of our products or services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

Billtrust has appointed VeraSafe as its data protection representative in the UK. You can contact VeraSafe in addition to, or instead of Billtrust at the following details:

VeraSafe United Kingdom Ltd.
37 Albert Embankment, London SE1 7TL, United Kingdom
Phone: +44 (20) 4532 2003
Contact form

If you have questions or concerns about this Privacy Policy, please feel free to contact BIlltrust’s privacy officer at [email protected].

In case the user of the website is asked for personal information:

iController BV, located at Moutstraat 64 bus 501, 9000 Ghent, respects the Belgian law of 8 December 1992 concerning the protection of privacy in the processing of personal data and the revised legislation as imposed in accordance with the AVG regulation. (GDPR) 2016/679. The personal data you provide will be used for the following purposes: sending newsletters, announcements of activities, answering questions, customer management and relevant marketing purposes.

You have a legal right to inspect and correct your personal data. Subject to proof of identity (copy of identity card), you can obtain the written notification of your personal data free of charge via a written, dated and signed request to iController BV, Moutstraat 64 bus 501, 9000 Ghent or via an e-mail to [email protected]. If necessary, you can also ask to correct the data that would be incorrect, incomplete or non-pertinent.

Your personal data will not be passed on to third parties.

iController BV may collect anonymous or aggregated data of a non-personal nature, such as browser type or IP address, the operating system you use or the domain name of the website from where you came to the iController website, or through which you leave it. This allows us to permanently optimize the iController website for you and other users.

The use of cookies

During a visit to the site, so-called ‘cookies’ can be placed on the hard disk of your computer. A cookie is a text file that is placed by the server of a website in the browser of your computer or on your mobile device when you consult a website. Cookies can not be used to identify people, a cookie can only identify a machine.

This website contains the following type of cookies: ‘First party cookies’: technical cookies that are used by the visited site itself and that aim to make the site function optimally. Example: settings that the user made on previous visits to the site, or: a prefilled form with data that the user has done during previous visits.

You can set your internet browser so that cookies are not accepted, that you receive a warning when a cookie is installed or that the cookies are subsequently removed from your hard drive. You can do this via the settings of your browser (via the help function). Keep in mind that certain graphic elements cannot appear correctly, or that you will not be able to use certain applications.

By using our website, you agree to our use of cookies.

For questions about our privacy policy you can always contact us.