Data Privacy Framework

This Data Privacy Framework Notice (“DPF Notice” or “Notice”) describes the practices of BTRS Holdings Inc. with its covered entity, Factor Systems LLC d/b/a Billtrust (“Billtrust”) with respect to Personal Data that we receive from the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”).

1. Introduction

Billtrust complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF (collectively, the “DPF Principles”). To learn more about the DPF, and to view our certification in the Data Privacy Framework List, please visit The Data Privacy Framework (DPF) Program.

2. Scope

This Notice applies to all Billtrust U.S. operations, divisions and subsidiaries as far as Personal Data from the EEA, Switzerland, and UK is received in any format whatsoever, including electronic, paper or oral transmission. If there is any conflict between the terms in this DPF Notice and the DPF Principles, the DPF Principles shall govern.

Billtrust commits to applying the DPF’s Principles to all Personal Data that Billtrust receives in the U.S. from the European Economic Area member countries, the United Kingdom, and Switzerland in reliance on the respective DPF.

3. Processing of Personal Data

Billtrust may from time to time process EEA, Swiss, and UK Personal Data about current or prospective clients, their customers, business partners, suppliers, vendors, independent contractors and consumers in order to provide information and services and to help Billtrust personnel better understand the needs and interests of these current and prospective clients and their customers. Specifically, Billtrust may process Personal Data to help complete a transaction or order, to facilitate communication, to deliver products/services, to bill for purchased products/services, to provide ongoing service and support, to communicate to individuals about products, services and related issues, to facilitate Billtrust’s internal administrative processes, to book travel, accommodation and event registration, for business continuity and/or disaster recovery, to select service and personnel, to access sales and order portals, for business planning, accounting and reporting, to organize and manage joint projects and joint ventures. Occasionally Billtrust personnel may use Personal Data to contact clients and business partners to complete surveys that are used for marketing and quality assurance purposes. The types of Personal Data we process, as well as the purposes for which we collect and use Personal Data, the categories of third parties with whom we share Personal Data and the purposes for sharing with those third parties are all set out in our Privacy Policy.

4. DPF Principles

A detailed description of the DPF Principles can be found on the website of the U.S. Department of Commerce.

4.1 Notice

We will inform individuals about the purposes for which we collect and use Personal Data about them, including the third parties to which Billtrust discloses their Personal Data and their right under the DPF. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to Billtrust, or as soon as practicable thereafter, and in any event before Billtrust uses or discloses the information for a purpose other than that for which it was originally collected.

4.2 Choice

As stated in our Privacy Policy, your Personal Data is kept strictly confidential and will not be shared or sold to third parties except as necessary to deliver our services. In the event Billtrust will need to share information outside of our normal services, for example, when a third party is not acting as our agent, we will offer individuals the opportunity to choose (opt-out) whether their Personal Data is (a) disclosed to a third party acting as a controller, or (b) used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by you, except as required by law. To do this, you may send your request to our privacy office.

4.3 Accountability for Onward Transfers

Billtrust may share Personal Data with our service providers and suppliers (“Agents”) for the purposes described above and to support our clients’ needs. Please see our Privacy Notice for more information about these Agents and what types of Personal Data we share with them. Billtrust will obtain assurances from our Agents that they will safeguard Personal Data consistent with this DPF Notice and will use and transfer Personal Data only for limited and specific purposes. Billtrust maintains contracts with our Agents obligating the Agent to provide at least the same level of protection as is required by the relevant DPF Principles. Billtrust remains liable for the protection of your Personal Data that we transfer to our agents, except to the extent that we are not responsible for the event giving rise to any unauthorized or inappropriate processing.

4.4 Security

Billtrust will take reasonable and appropriate precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

4.5 Data Integrity and Purpose Limitation

Billtrust will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Billtrust will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. Billtrust will keep Personal Data only as long as necessary for the purposes described above or for statistical analysis, research or other approved purposes.

4.6 Access

Upon request, Billtrust will grant individuals access to Personal Data that it holds about them. In addition, Billtrust will take reasonable steps to permit individuals to correct, amend, or delete information that is inaccurate or incomplete or has been processed in violation of the DPF Principles. Billtrust may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated. Please email our privacy office to make an access request.

4.7 Recourse, Enforcement and Liability

Billtrust encourages individuals to raise any concerns they have using the contact information below. Billtrust will investigate and attempt to resolve any complaints and disputes regarding our collection, use, and disclosure of Personal Data to the extent possible within 45 days and in accordance with the DPF Principles.

If a complaint or dispute cannot be resolved through Billtrust’s internal processes, Billtrust has agreed to participate in the VeraSafe DPF Dispute Resolution Procedure. Subject to the terms of the VeraSafe DPF Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the DPF Dispute Resolution Procedure, please submit the required information to VeraSafe.

In the event that Billtrust or the independent dispute resolution mechanism determines that Billtrust failed to comply with the DPF Principles, Billtrust will take appropriate steps to address any adverse effects and to promote future compliance. Billtrust is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body and enforcement authority under the DPF.

Where a complaint cannot be resolved by any of the before mentioned recourse mechanisms, you also have a right to invoke binding arbitration under certain circumstances. For further information, please refer to Data Privacy Framework.

5. Required Disclosures

Under certain circumstances, Billtrust may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security, public interest, or law enforcement requirements. Billtrust’s adherence to the DPF Principles may therefore be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if any lawful exceptions or derogations are applicable.

6. Contact Information

EEA, Swiss, and UK individuals with inquiries, requests, or complaints regarding our DPF Notice should first contact Billtrust at:

ATTN: Client Support

Billtrust
Address: 1009 Lenox Drive, Suite 101, Lawrenceville, New Jersey 08648
Phone: 1 (888) 580-BILL
Fax: 1 (609) 235-1011
E-Mail: clientservices@billtrust.com

7. Billtrust’s Privacy Officer

Billtrust’s Privacy Officer can also be contacted regarding matters related to the processing of Personal Data under the DPF and to exercise any applicable rights. To make such an inquiry, please contact our privacy office

9. Changes to this Notice

This Notice may be amended from time to time, consistent with the requirements of the DPF Principles. Appropriate notice will be provided concerning such amendments.

Effective Date: Sept 27, 2024