Privacy Policy
Effective date: Jan 1, 2020
Revised date: Feb 1, 2025
Billtrust Global Privacy Notice
BTRS Holdings Inc. and its affiliates and subsidiaries ("Billtrust", "we", "our", or "us") respect your privacy. This Privacy Notice ("Notice") explains how we collect, use, and share your personal data, as well as your privacy rights and choices. "Personal Data" means any information that, alone or in combination with other information, identifies or relates to an identifiable individual, and also includes information referred to as "personal information" or "personally identifiable information" under applicable data privacy laws.
Applicability of this Notice
This Notice applies to Personal Data that we collect and process as a data controller when you:
- Visit or interact with our websites (“Websites”)
- Use the Billtrust Payment Network, whether as a customer, an individual end user, or a prospect of this product.
- Interact with us regarding our events, trainings, publications, meetings, and other sales and marketing activities.
This Notice does not apply to the following:
- Where Billtrust processes Personal Data as a data processor or service provider on behalf of our customers. These products include: Billtrust Collections; BT invoicing (O2C I2D5); Cash Application; Credit Application, eCommerce; Invoicing and Payments. Such activities fall outside the scope of this Notice and are governed by our agreements with those customers.
- Any Personal Data Billtrust collects or processes in our capacity as an employer (which is governed by a separate Employee Privacy Notice).
- Third-party websites, including those that may be linked through our Websites or Products. Such third-party websites are governed by their own privacy policies. Please read the privacy policy of that third-party website for further information about their privacy practices.
If you have any questions about this Notice, then please contact us using the contact details provided in the "Contact Us" section at the end of this Notice.
We recommend that you read this Notice in full to ensure you are fully informed. However, if you only want to access a particular section of this Notice, then you can click on the relevant link in the Table of Contents below to jump to that section.
Table of Contents
- Who We Are
- What Personal Data does Billtrust collect and from which sources
- How we use your Personal Data (our purposes)
- Legal basis for processing Personal Data (EEA and UK only)
- Who does Billtrust share your Personal Data with
- International data transfers and Data Privacy Framework
- Data Security
- Data Retention
- Cookies and similar tracking technologies
- Your data protection rights (EEA and UK residents)
- U.S. State Data Privacy
- Children’s Privacy
- Updates to this Notice
- Contact Us
1. Who We Are
Billtrust is a software company specializing in accounts receivable automation and order-to-cash solutions. We offer a suite of tools designed to automate various aspects of the accounts receivable process, including invoicing, payment processing, cash applications, credit decisions, and collections. Billtrust is headquartered in Trenton, New Jersey, USA.
2. What Personal Data does Billtrust collect and from which sources
The Personal Data that we collect about you depends on the context of your interactions with Billtrust, the choices you make, and the Products and features you use. Below we summarize the categories of Personal Data that we collect from you per Product and in the context of your interactions with us.
| Product | Types of Personal Data collected | Source of Personal Data / How We Obtain It |
|---|---|---|
| Billtrust's standard products (including its Website and applications, but excluding Business Payment Network and Marketing) | Identification data: first and last name, email address, Federal Tax ID (which can be a Social Security Number), phone number, and shipping address. Business contact data: job title, business address, organization. Account log-in data: username and password. Sensitive personal data: fingerprint data for some of our mobile applications which allow users to optionally provide a fingerprint instead of a password. | We obtain your Identification data, Business contact data, Account log-in data, and Sensitive personal data when you provide us with such data during the order process, registration for, use of our standard Products and our Customers (Payable providers and suppliers) and our sponsors. |
|  | Financial and commercial data: transaction details, invoice number, payment account, financial statements, trade data, business operational, employment and financial characteristics, government compliance data, creditor exposure, payment experience, industry opinions, credit card number, expiration date, credit card billing address, bank account information, invoicing information. | We obtain your Financial and commercial data from credit bureaus, publicly available websites (i.e. news websites), and from other Customers. |
|  | Device data and other online identifiers: computer and device information including type of device, application, browser type and version, Internet Protocol (IP) address, device's operating system. Usage and interaction information: log data detailing your interactions with our Website, product telemetry data. | We obtain your device data and other online identifiers, and usage and interaction information automatically when you visit our Websites or interact with our Apps (e.g. via cookies and other similar tracking technologies). |
|  | Content and Communication data: any content that you create or share, including any communications with Credit or other users, and other information related to your work or organization. | We obtain your Content and communications data when you share/provide such data with us via Credit or through other users. |
| Business Payment Network (BPN) | Identification data: first and last name, email address, telephone number, company address, Tax ID (which can be a Social Security Number), account name and name of account owner(s), Merchant ID. | We obtain your Identification data through our Customers (Payables providers and suppliers) and our Sponsors. |
|  | Financial and commercial data: bank account information (to facilitate ACH and wire transactions), monthly check data/volume, transaction value of payments flowing through the BPN (ultimately, this data is aggregated). | We obtain your Financial and commercial data also through our Customers (Payables providers and suppliers), our Sponsors, and our ACH transaction facilitator. |
|  | Inferences drawn from other Personal Data: supplier's payment preferences. | We obtain inferences drawn from other Personal Data from our database for billing and payments, which contains data of our Customers and the customers of our Customers, suppliers and sponsors. |
| Marketing | Identification data: Name, email address, mailing address, phone number. Business contact data: company name, job title. Biographical information: gender. Commercial data: service and product purchase history. Device data and other online identifiers: IP address. Usage and interaction information: log data detailing your interactions with our Website, applications and advertisements, such as URLs visited. Geolocation data: approximate location. Content and communications data: such as information you provide to us during call recordings or telemarketing calls. | We obtain your Identification data, Business Contact data, biographical information, commercial information, and Content and communications data when you provide us with such data in communications sent by you or with other customers. We also obtain biographical information and commercial information through vendors that provide website analytics and account-based marketing platform services. We obtain your Device data and other online identifiers, Usage and interaction information, and Geolocation data when you visit our Websites or interact with our Apps. |
3. How we use your Personal Data (our purposes)
We use and process your Personal Data for the following purposes:
- To provide, maintain, and improve our Website, Products and services: To provide you with our Websites, Products and services. To maintain or service accounts for our customers and to provide and improve the quality of our customer service to our customers. To enable login to some mobile applications.
- Marketing and Advertising regarding our Products and services: To contact you about our Products by sending you newsletters, information, alerts, offers, and other marketing communications. To record and follow up on your participation in surveys, promotions, and contests as may be available on the website from time to time. To target the marketing of our products and services, to count ad impressions to unique visitors, and to verify positioning and quality of ad impressions. To enlist you, if so requested, for attendance at events or webinars. To keep you informed about upgrades, products and services of Billtrust, its affiliates and other third parties that may be of interest to you.
- Communicating with you regarding our Products and services and general inquiries: To interact with you and to respond to your requests regarding our Products and services. To contact our customers when required in response to a specific enquiry. To verify customer information.
- Transactional considerations: To process or fulfil orders, transactions, and payments including ACH or wire transfers.
- To promote the security of our Websites and Products: To detect security incidents, to protect our systems against unauthorized access, malicious, deceptive, fraudulent, or illegal activities, and prosecute those responsible for those activities. To identify errors in our systems, Websites, Products.
- For our internal business purposes: To obtain aggregate demographic information about the entire Billtrust audience to help us create, develop, operate, deliver, and improve our products, services, content and advertising. To assemble broad demographic information about visitors, customers, and partners in general. For our own internal records and to perform internal purposes such as auditing, creating an internal directory, data analysis, and research to improve Billtrust’s Products, services, and customer communications.
- To comply with our legal obligations: To fulfil various legal requirements imposed by laws, regulations, or other legal processes.
4. Legal basis for processing Personal Data (EEA and UK only)
If you are a resident of the EEA or the UK, we are required to explain the legal basis for processing your personal information. Our legal basis for collecting and using the categories of personal information described above will depend on the Personal Data concerned and the specific context in which we collect it. However, in general we collect your Personal Data only pursuant to the following legal bases, as applicable:
- To contract with you: We may use your Personal Data in order to perform a contract with you.
- Consent: We may use your Personal Data when we have your explicit consent to do so, where required or permitted under applicable law.
- Legitimate Interests: We may use your Personal Data when the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms.
- Compliance with legal obligations: We may use your Personal Data in order to comply with a legal obligation under applicable laws, or to protect your vital interests or those of another person.
5. Who does Billtrust share your Personal Data with?
We may disclose your Personal Data to the following categories of recipients:
- to our group companies for purposes consistent with this Notice. We take precautions to allow access to Personal Data only to those staff members who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
- to our third-party vendors, services providers and partners who provide data processing services to us, or who otherwise process Personal Data for purposes that are described in this Notice or notified to you when we collect your Personal Data. This may include disclosures to third party vendors and other service providers we use in connection with the services they provide to us, including to support us in areas such as IT platform management or support services, infrastructure and application services, marketing, and data analytics.
- to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights; (iii) in response to legal process or when we believe in good faith that the law requires it, for example, in response to a court order, subpoena or a law enforcement agency’s request; or (iv) to protect your vital interests or those of any other person.
- to our auditors, professional advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose.
- to a potential buyer (and its agents and advisors) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes described in this Notice.
- to any other person if you have provided your prior consent to the disclosure.
6. International data transfers and Data Privacy Framework
Billtrust is headquartered in the United States, with offices located in Belgium, the Netherlands, and Poland. We also engage service providers who are located worldwide. This means that, if you are a resident of the European Economic Area (“EEA”) or the UK, in some instances we may transfer your Personal Data to countries outside of the EEA or UK, such as the United States, where we have servers or in which we engage service providers.
In general, when we transfer personal data outside of Europe, whether within the Billtrust group, or to third parties in countries not deemed by the European Commission to provide an adequate level of protection for personal data, the transfer will be made pursuant to:
- A contract with appropriate standard contractual clauses and other safeguards as necessary under applicable law;
- The recipient’s Binding Corporate Rules;
- The consent of the individual to whom the personal data relates; or
- Other mechanisms or legal grounds as may be permitted under applicable law.
Factor Systems LLC dba Billtrust also relies upon adherence to the Data Privacy Framework (DPF) Certification as a transfer mechanism for Personal Data, from the European Union, Switzerland, and the United Kingdom. To learn more about our Data Privacy Framework certification, read our Data Privacy Framework Notice.
7. Data Security
We use appropriate technical and organisational measures to protect the Personal Data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data.
Please be advised, however, that while we deploy these security measures and strive to protect your Personal Data, the use of the internet is not 100% secure, and for this reason we cannot guarantee the security or integrity of any Personal Data that you transmit or disclose to us or to a third party or vendor who provides services to you online.
Whenever we engage a third party to process Personal Data on our behalf, we will implement appropriate measures to ensure that the information is used in a manner consistent with this Notice, and that the security and confidentiality of the information is maintained.
8. Data Retention
We retain your Personal Data for as long as necessary to fulfil the purposes set out in this Notice. We may retain your personal information for longer if it is required or permitted by law, for example, to comply with applicable legal, tax or accounting requirements.
We may anonymise your Personal Data so that it can no longer be associated with you. If we do that, we will continue to hold and use that (as, once anonymised, it will cease to constitute personal information).
9. Cookies and similar tracking technologies
Our Website uses cookies and similar tracking technologies to ensure our Website functions properly, to collect statistical information about how users use our Website which in turn helps us improve our Website, and to enable certain personalization features on our Website to display personalized advertising. Please note that if you choose to disable certain cookies, this could affect certain features or functionality of our Website. Please also note that marketing cookies are disabled by default for IP addresses from California and the European Economic Area. You can manage your cookie preferences in your cookie settings and in our itself.
For further information about the types of Cookies we use, how we use them, and how you can control and opt out from such Cookies, please see our Cookie Policy.
10. Your data protection rights – EEA and UK residents only
If you are an individual residing in the EEA or the UK, you may have the following data protection rights with regards to your Personal Data that we collect and process as a data controller, subject to applicable law:
- You may access, correct, update or request deletion of your Personal Data.
- In certain circumstances, you may object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data.
- If we have collected and processed your Personal Data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as direct marketing or telemarketing), then please contact us by referring to the "Contact Us" section below.
- You have the right to complain to a relevant data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
Please note that the rights described above are not absolute, and where an exception under applicable law applies, we may be entitled to refuse requests in whole or in part.
11. U.S. State Data Privacy
If you reside in a U.S. state which currently has a data privacy law in effect, then this section applies to you. Please refer to the state in which you reside to learn more about additional privacy disclosures and rights that may apply to you.
California
Additional Disclosures for California Residents
This section only applies to residents of California, USA. The California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), requires us to provide California consumers with some additional information regarding how we collect, use, and disclose your personal information, and the rights available to California consumers under the CCPA. The terms used in this section have the same meaning as in the CCPA.
As described in section 2 of this Notice, we may collect the following categories of information about you when you visit our Website or through our Products:
- Identifiers, such as your name, email address, mailing address, phone number.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your contact information.
- Commercial information, such as transaction data, and purchase history.
- Biometric information, such as your fingerprint data (but only to the extent you choose to provide a fingerprint instead of a password to access one of our mobile applications).
- Device identifiers, such as your IP address.
- Internet or other network activity information, such as your browsing history, app usage, and interactions with our Website.
- Geolocation data, such as your approximate location based on your IP address and other information that identifies or can be reasonably associated with your device.
- Your account log-in information i.e. username and password to access your account (if you have an account with us).
- Audio, electronic, visual or similar information, such as content and communications you provide to us during call recordings or telemarketing calls.
- Professional or other employment-related information, such as where you work and your job title; and
- Financial information, such as bank account information, invoicing information, credit card number and payment data, and other sensitive personal information such as social security number.
The sources from which we collect personal information are also described in section 2 of this Notice. The business and commercial purposes for which we collect this information are described in section 3. The categories of third parties to whom we disclose this information for a business purpose are described in section 5.
California Privacy Rights
If you are a California resident, you may have the following rights under the CCPA, subject to certain limitations and exceptions under applicable law:
- Know and Access: You may have the right to request to know and access the following information covering the 12 months preceding your request:
  - the categories of personal information we have collected about you;
  - the categories of sources from which your personal information was collected;
  - the business or commercial purposes for collecting, "selling" and/or "sharing" your personal information;
  - the categories of third parties to whom we may have disclosed, "sold" or "shared" personal information about you; and
  - the specific pieces of personal information we have collected about you.
- Correct: You may have the right to request that we correct any of your personal information that we have collected from you that is inaccurate.
- Delete: You may have the right to request that we delete certain personal information we have collected from you.
- Opt-Out of Sales and Sharing: You may have the right to request that a business not "sell" or "share" your personal information with a third party. However we do not "sell" or "share" personal information as those terms are defined by the CCPA.
- Opt out of the "Sale" and "Sharing" of your personal information: You have the right to request that a business not "sell" or "share" your personal information with a third party, as those terms are defined under the CCPA. As discussed above, we do not sell personal information as the term “sell” is traditionally understood (i.e. for money). However, we do process personal information through cookies and other similar technologies for the purpose of displaying targeted advertisements if you instruct us to do so, which could be deemed a "sale" or "sharing" of personal information under the CCPA. You have the right to opt out of such sharing of personal information. You can do this by adjusting your cookies choices at any time in our Cookie Policy or via our form Do Not Sell My Information: Protecting your data | Billtrust.
- Limit the Use and Disclosure of Your Sensitive Personal Information: We do not use or disclose "sensitive personal information,” as defined by the CCPA other than as described in section 3 above or as otherwise permitted under applicable data privacy law. As a result, we do not offer an ability to limit the use or disclosure of sensitive personal information.
- Non-Discrimination: You have the right to not be discriminated against for exercising any of your CCPA rights.
Please note that the rights described above are not absolute, and where an exception under applicable law applies, we may be entitled to refuse requests in whole or in part.
Please also note that in California an authorized agent may submit a rights request on your behalf. We may require an authorized agent to verify their authority to submit a request on your behalf, or we may require you to verify your own identity or confirm with us that you provided the agent with permission to submit the request. We will only use the information provided for verification to confirm the requestor’s identity or authority to make the request, and for our compliance records.
To exercise any of the above rights, please refer to our contact details in the "Contact us" section below. We endeavour to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period (up to a total of 90 days) in writing.
Additional U.S. States
This section applies to residents of certain U.S. states which also have an applicable data privacy law currently in effect, including but not limited to, Colorado, Connecticut, Utah, Virginia, Oregon, Texas, and Montana. Depending on your U.S. state of residency, you may have the following privacy rights (as and to the extent applicable):
- Know and Access: You may have the right to request to know and access the Personal Data that we have collected about you.
- Data Portability: You may have the right to obtain your Personal Data in a portable and readily usable format.
- Correction: You may have the right to request that we correct inaccuracies in your Personal Data.
- Deletion: You may have the right to request that we delete your Personal Data.
- Opt-out of Data Processing for purposes of Targeted Advertising; Sales to Third Parties; and Profiling: We do not sell Personal Data to third parties for money, targeted advertising, nor for the purpose of profiling in connection with decisions that produce legal or similarly significant effects.
- Appeal: You may have the right to appeal a refusal to take action on your request. You may ask us to reconsider our decision within 45 days after we send you our decision. We will endeavor to respond to your appeal within 60 days of such an appeal, including a written explanation of the reasons for the decision, and any action taken or not taken in response to the appeal.
Please note that the rights listed above only apply to residents of certain U.S. states which have an applicable data privacy law currently in effect who are acting in an individual or household context only, and do not include residents acting in a commercial or employment context. If you reside in a U.S. state which has an applicable data privacy law currently in effect, and wish to submit a rights request, please refer to the "Contact us" section below. We will respond to verifiable requests received as required by law.
12. Children’s Privacy
Billtrust's Website is not directed at children, and Billtrust does not knowingly solicit or collect Personal Data online from children under the age of thirteen (13). If Billtrust learns that a child under the age of thirteen (13) has submitted Personal Data online without prior verifiable parental consent, it will take all reasonable measures to delete such information from its databases and to not use such information for any purpose (except where necessary, to protect the safety of the child or others as required or allowed by law). If you become aware of any personal information we have collected from children under thirteen (13) years of age, please contact us at privacyrequests@billtrust.com.
13. Updates to this Notice
You can see when this Notice was last updated by checking the “last updated” date at the top of this Notice. We may update this Notice from time to time in response to changing legal, technical or business developments. When we update our Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Notice changes if and where this is required by applicable data protection laws.
14. Contact Us
If you have any questions about this Notice or wish to submit a privacy rights request, please contact us by using the following contact details:
- Emailing us at: privacyrequests@billtrust.com
- Calling us at: 1-888-580-2455; or
- Filling out this online form.
Billtrust’s Representative in the UK
VeraSafe has been appointed as Billtrust’s representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom, VeraSafe can be contacted in addition to or instead of privacyrequests@billtrust.com, only on matters related to the processing of personal data.
To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 4532 2003.
Alternatively, VeraSafe can be contacted at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
Billtrust’s Data Protection Officer (DPO) in Belgium
Billtrust has appointed Aynur Tiftikci as its data protection representative in Belgium. You can contact the DPO at the following details:
Billtrust Ghent (Belgium) Office
Moutstraat 64 bus 501 Ghent, Belgium, 9000
Contact form: privacy@billtrust.com