Privacy Policy

Billtrust Global Privacy Notice

BTRS Holdings Inc. and its affiliates and subsidiaries ("Billtrust", "we", "our", or "us") respect your privacy. This Privacy Notice ("Notice") explains how we collect, use, and share your personal data, as well as your privacy rights and choices. "Personal Data" means any information that, alone or in combination with other information, identifies or relates to an identifiable individual, and also includes information referred to as "personal information" or "personally identifiable information" under applicable data privacy laws.

Applicability of this Notice

This Notice applies to Personal Data that we collect and process as a data controller when you:

• Visit or interact with our websites (“Websites”)
• The use of Billtrust Payment Network whether as a customer or an individual end user or prospects of this product.
• • Interact with us regarding our events, trainings, publications, meetings, and other sales and marketing activities.

This Notice does not apply to the following:

• Where Billtrust processes Personal Data as a data processor or service provider on behalf of our customers. These products include: Billtrust Collections; BT invoicing (O2C I2D5); Cash Application; Credit Application, eCommerce; Invoicing and Payments. Such activities fall outside the scope of this Notice and are governed by our agreements with those customers.
• Any Personal Data Billtrust collects or processes in our capacity as an employer (which is governed by a separate Employee Privacy Notice).
• Third-party websites, including those that may be linked through our Websites or Products. Such third-party websites are governed by their own privacy policies. Please read the privacy policy of that third-party website for further information about their privacy practices.

If you have any questions about this Notice, then please contact us using the contact details provided in the "Contact Us" section at the end of this Notice.

We recommend that you read this Notice in full to ensure you are fully informed. However, if you only want to access a particular section of this Notice, then you can click on the relevant link in the Table of Contents below to jump to that section.

Table of Contents

1. Who We Are
2. What Personal Data does Billtrust collect and from which sources
3. How we use your Personal Data (our purposes)
4. Legal basis for processing Personal Data (EEA and UK only)
5. Who does Billtrust share your Personal Data with
6. International data transfers and Data Privacy Framework
7. Data Security
8. Data Retention
9. Cookies and similar tracking technologies
10. Your data protection rights (EEA and UK residents)
11. U.S State Data Privacy
12. Children’s Privacy
13. Updates to this Notice
14. Contact Us

1. Who We Are

Billtrust is a software company specializing in accounts receivable automation and order-to-cash solutions. We offer a suite of tools designed to automate various aspects of the accounts receivable process, including invoicing, payment processing, cash applications, credit decisions, and collections. Billtrust is headquartered in Trenton, New Jersey, USA.

2. What Personal Data does Billtrust collect and from which sources

The Personal Data that we collect about you depends on the context of your interactions with Billtrust, the choices you make, and the Products and features you use. Below we summarize the categories of Personal Data that we collect from you per Product and in the context of your interactions with us.

3. How we use your Personal Data (our purposes)

We use and process your Personal Data for the following purposes:

• To provide, maintain, and improve our Website, Products and services: To provide you with our Websites, Products and services. To maintain or service accounts for our customers and to provide and improve the quality of our customer service to our customers. To enable login to some mobile applications.
• Marketing and Advertising regarding our Products and services: To contact you about our Products by sending you newsletters, information, alerts, offers, and other marketing communications. To record and follow up on your participation to surveys, promotions, and contests as may be available on the website from time to time. To target the marketing of our products and services, to count ad impressions to unique visitors, and to verify positioning and quality of ad impressions. To enlist you, if so requested, for attendance at events or webinars. To keep you informed about upgrades, products and services of Billtrust, its affiliates and other third parties that may be of interest to you.
• Communicating with you regarding our Products and services and general inquiries: To interact with you and to respond to your requests regarding our Products and services. To contact our customers when required in response to a specific enquiry. To verify customer information.
• Transactional considerations: To process or fulfil orders, transactions, and payments including ACH or wire transfers.
• To promote the security of our Websites and Products: To detect security incidents, to protect our systems against unauthorized access, malicious, deceptive, fraudulent, or illegal activities, and prosecute those responsible for those activities. To identify errors in our systems, Websites, Products.
• For our internal business purposes: To obtain aggregate demographic information about the entire Billtrust audience to help us create, develop, operate, deliver, and improve our products, services, content and advertising. To assemble broad demographic information about visitors, customers, and partners in general. For our own internal records and to perform internal purposes such as auditing, creating an internal directory, data analysis, and research to improve Billtrust’s Products, services, and customer communications.
• To comply with our legal obligations: To fulfil various legal requirements imposed by laws, regulations, or other legal processes.

4. Legal basis for processing Personal Data (EEA and UK only)

If you are a resident of the EEA or the UK, we are required to explain the legal basis for processing your personal information. Our legal basis for collecting and using the categories of personal information described above will depend on the Personal Data concerned and the specific context in which we collect it. However, in general we collect your Personal Data only pursuant to the following legal bases, as applicable:

• To contract with you: We may use your Personal Data in order to perform a contract with you.
• Consent: We may use your Personal Data when we have your explicit consent to do so, where required or permitted under applicable law.
• Legitimate Interests: We may use your Personal Data when the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms.
• Compliance with legal obligations: We may use your Personal Data in order to comply with a legal obligation under applicable laws, or to protect your vital interests or those of another person.

5. Who does Billtrust share your Personal Data with?

We may disclose your Personal Data to the following categories of recipients:

1. to our group companies for purposes consistent with this Notice. We take precautions to allow access to Personal Data only to those staff members who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
2. to our third-party vendors, services providers and partners who provide data processing services to us, or who otherwise process Personal Data for purposes that are described in this Notice or notified to you when we collect your Personal Data. This may include disclosures to third party vendors and other service providers we use in connection with the services they provide to us, including to support us in areas such as IT platform management or support services, infrastructure and application services, marketing, and data analytics.
3. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights; (iii) in response to legal process or when we believe in good faith that the law requires it, for example, in response to a court order, subpoena or a law enforcement agency’s request; or (iv) to protect your vital interests or those of any other person.
4. to our auditors, professional advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose.
5. to a potential buyer (and its agents and advisors) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes described in this Notice.
6. to any other person if you have provided your prior consent to the disclosure.
7. (g) Below, we outline the categories of third parties and the types of personal information we share, specifically in situations where Billtrust functions as a data controller:

6. International data transfers and Data Privacy Framework

Billtrust is headquartered in the United States, with offices located in Belgium, the Netherlands, and Poland. We also engage service providers who are located worldwide. This means that, if you are a resident of the European Economic Area (“EEA”) or the UK, in some instances we may transfer your Personal Data to countries outside of the EEA or UK, such as the United States, where we have servers or in which we engage service providers.

In general, when we transfer personal data outside of Europe, whether within the Billtrust group, or to third parties in countries not deemed by the European Commission to provide an adequate level of protection for personal data, the transfer will be made pursuant to:

• A contract with appropriate standard contractual clauses and other safeguards as necessary under applicable law;
• The recipient’s Binding Corporate Rules;
• The consent of the individual to whom the personal data relates; or
• Other mechanisms or legal grounds as may be permitted under applicable law.

Factor Systems LLC dba Billtrust also relies upon adherence to the Data Privacy Framework (DPF) Certification as a transfer mechanism for Personal Data, from the European Union, Switzerland, and the United Kingdom. To learn more about our Data Privacy Framework certification, read our Data Privacy Framework Notice.

7. Data Security

We use appropriate technical and organisational measures to protect the Personal Data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data.

Please be advised, however, that while we deploy these security measures and strive to protect your Personal Data, the use of the internet is not 100% secure, and for this reason we cannot guarantee the security or integrity of any Personal Data that you transmit or disclose to us or to a third party or vendor who provides services to you online.

Please be advised, however, that while we deploy these security measures and strive to protect your Personal Data, the use of the internet is not 100% secure, and for this reason we cannot guarantee the security or integrity of any Personal Data that you transmit or disclose to us or to a third party or vendor who provides services to you online.

8. Data Retention

We retain your Personal Data for as long as necessary to fulfil the purposes set out in this Notice. We may retain your personal information for longer if it is required or permitted by law, for example, to comply with applicable legal, tax or accounting requirements.

We may anonymise your Personal Data so that it can no longer be associated with you. If we do that, we will continue to hold and use that (as, once anonymised, it will cease to constitute personal information).

9. Cookies and similar tracking technologies

Our Website uses cookies and similar tracking technologies to ensure our Website functions properly, to collect statistical information about how users use our Website which in turn helps us improve our Website, and to enable certain personalization features on our Website to display personalized advertising. Please note that if you choose to disable certain cookies, this could affect certain features or functionality of our Website. Please also note that marketing cookies are disabled by default for IP addresses from California and the European Economic Area. You can manage your cookie preferences in your cookie settings and in our itself.

For further information about the types of Cookies we use, how we use them, and how you can control and opt out from such Cookies, please see our Cookie Policy.

10. Your data protection rights – EEA and UK residents only

If you are an individual residing in the EEA or the UK, you may have the following data protection rights with regards to your Personal Data that we collect and process as a data controller, subject to applicable law:

• You may access, correct, update or request deletion of your Personal Data.
• In certain circumstances, you may object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data.
• If we have collected and processed your Personal Data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
• You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as direct marketing or telemarketing), then please contact us by referring to the "Contact Us" section below.
• You have the right to complain to a relevant data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.

Please note that the rights described above are not absolute, and where an exception under applicable law applies, we may be entitled to refuse requests in whole or in part.

11. U.S. State Data Privacy

If you reside in a U.S. state which currently has a data privacy law in effect, then this section applies to you. Please refer to the state in which you reside to learn more about additional privacy disclosures and rights that may apply to you.

California

Additional Disclosures for California Residents

This section only applies to residents of California, USA. The California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), requires us to provide California consumers with some additional information regarding how we collect, use, and disclose your personal information, and the rights available to California consumers under the CCPA. The terms used in this section have the same meaning as in the CCPA.

As described in section 2 of this Notice, we may collect the following categories of information about you when you visit our Website or through our Products:

• Identifiers, such as your name, email address, mailing address, phone number,
• Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your contact information.
• Commercial information, such as transaction data, and purchase history.
• Biometric information, such as your fingerprint data (but only to the extent you choose to provide a fingerprint instead of a password to access one of our mobile applications).
• Device identifiers, such as your IP address.
• Internet or other network activity information, such as your browsing history, app usage, and interactions with our Website.
• Internet or other network activity information, such as your browsing history, app usage, and interactions with our Website.
• Your account log-in information i.e. username and password to access your account (if you have an account with us).
• Audio, electronic, visual or similar information, such as content and communications you provide to us during call recordings or telemarketing calls.
• Professional or other employment related information, such as where you work and your job title. And
• Financial information, such as bank account information, invoicing information, credit card number and payment data, and other sensitive personal information such as social security number.

The sources from which we collect personal information are also described in section 2 of this Notice. The business and commercial purposes for which we collect this information are described in section 3. The categories of third parties to whom we disclose this information for a business purpose are described in section 5.

California Privacy Rights

If you are a California resident, you may have the following rights under the CCPA, subject to certain limitations and exceptions under applicable law:

• Know and Access: You may have the right to request to know and access the following information covering the 12 months preceding your request:
  • the categories of personal information we have collected about you;
  • the categories of sources from which your personal information was collected;
  • the business or commercial purposes for collecting, "selling" and/or "sharing" your personal information;
  • the categories of third parties to whom we may have disclosed, "sold" or "shared" personal information about you; and
  • the specific pieces of personal information we have collected about you.
  You have the right to receive your personal information in a portable and commonly used format.
• Correct: You may have the right to request that we correct any of your personal information that we have collected from you that is inaccurate.
• Delete: You may have the right to request that we delete certain personal information we have collected from you.
• Opt-Out of Sales and Sharing: You may have the right to request that a business not "sell" or "share" your personal information with a third party. However we do not "sell" or "share" personal information as those terms are defined by the CCPA.
• Opt out of the "Sale" and "Sharing" of your personal information: You have the right to request that a business not "sell" or "share" your personal information with a third party, as those terms are defined under the CCPA. As discussed above, we do not sell personal information as the term “sell” is traditionally understood (i.e. for money). However, we do process personal information through cookies and other similar technologies for the purpose of displaying targeted advertisements if you instruct us to do so, which could be deemed a "sale" or "sharing" of personal information under the CCPA. You have the right to opt out of such sharing of personal information. You can do this by adjusting your cookies choices at any time in our Cookie Policy or via our form Do Not Sell My Information: Protecting your data | Billtrust.
• Limit the Use and Disclosure of Your Sensitive Personal Information: We do not use or disclose "sensitive personal information,” as defined by the CCPA other than as described in section 3 above or as otherwise permitted under applicable data privacy law. As a result, we do not offer an ability to limit the use or disclosure of sensitive personal information.
• Non-Discrimination: You have the right to not be discriminated against for exercising any of your CCPA rights.

Please note that the rights described above are not absolute, and where an exception under applicable law applies, we may be entitled to refuse requests in whole or in part.

Please also note that in California an authorized agent may submit a rights request on your behalf. We may require an authorized agent to verify their authority to submit a request on your behalf, or we may require you to verify your own identity or confirm with us that you provided the agent with permission to submit the request. We will only use the information provided for verification to confirm the requestor’s identity or authority to make the request, and for our compliance records.

To exercise any of the above rights, please refer to our contact details in the "Contact us" section below. We endeavour to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period (up to a total of 90 days) in writing.

Additional U.S. States

This section applies to residents of certain U.S. states which also have an applicable data privacy law currently in effect, including but not limited to, Colorado, Connecticut, New Jersey, Utah, Virginia, Oregon, Texas, and Montana. Depending on your U.S. state of residency, you may have the following privacy rights (as and to the extent applicable):

• Know and Access: You may have the right to request to know and access the Personal Data that we have collected about you.
• Data Portability: You may have the right to obtain your Personal Data in a portable and readily usable format.
• Correction: You may have the right to request that we correct inaccuracies in your Personal Data.
• Deletion: You may have the right to request that we delete your Personal Data.
• Opt-out of Data Processing for purposes of Targeted Advertising; Sales to Third Parties; and Profiling: We do not sell Personal Data to third parties for money, targeted advertising, nor for the purpose of profiling in connection with decisions that produce legal or similarly significant effects.
• Appeal: You may have the right to appeal a refusal to take action on your request. You may ask us to reconsider our decision within 45 days after we send you our decision. We will endeavor to respond to your appeal within 45 days of such an appeal, including a written explanation of the reasons for the decision, and any action taken or not taken in response to the appeal.

Please note that the rights listed above only apply to residents of certain U.S. states which have an applicable data privacy law currently in effect who are acting in an individual or household context only, and do not include residents acting in a commercial or employment context. If you reside in a U.S. state which has an applicable data privacy law currently in effect, and wish to submit a rights request, please refer to the "Contact us" section below. We will respond to verifiable requests received as required by law.

12. Children’s Privacy

Billtrust's Website is not directed at children, and Billtrust does not knowingly solicit or collect Personal Data online from children under the age of thirteen (13). If Billtrust learns that a child under the age of thirteen (13) has submitted Personal Data online without prior verifiable parental consent, it will take all reasonable measures to delete such information from its databases and to not use such information for any purpose (except where necessary, to protect the safety of the child or others as required or allowed by law). If you become aware of any personal information we have collected from children under thirteen (13) years of age, please contact us at privacyrequests@billtrust.com.

13. Updates to this Notice

You can see when this Notice was last updated by checking the “last updated” date at the top of this Notice. We may update this Notice from time to time in response to changing legal, technical or business developments. When we update our Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Notice changes if and where this is required by applicable data protection laws.

14. Contact Us

If you have any questions about this Notice or wish to submit a privacy rights request, please contact us by using the following contact details:

• Emailing us at: privacyrequests@billtrust.com
• Calling us at: 1-888-580-2455. Or
• Filling out this online form.

Billtrust’s Representative in the UK

VeraSafe has been appointed as Billtrust’s representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom, VeraSafe can be contacted in addition to or instead of privacyrequests@billtrust.com, only on matters related to the processing of personal data.

To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +44 (20) 4532 2003.

Alternatively, VeraSafe can be contacted at:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom

Billtrust’s Data Protection Officer (DPO) in Belgium

Billtrust has appointed Aynur Tiftikci as its data protection representative in Belgium. You can contact the DPO at the following details:

Billtrust Ghent (Belgium) Office
Moutstraat 64 bus 501 Ghent, Belgium, 9000
Contact form: privacy@billtrust.com