Revised June 28, 2023
If you have any questions about this Policy or privacy at Brex, please reach out to us at firstname.lastname@example.org or via any of the other methods identified in the “How to Contact Us” section below. Brex’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including any limited use requirements.
I. Who We Are and Some Other Definitions
- Brex. This Policy applies to Brex Inc. and its affiliates, including, without limitation, Brex Treasury LLC and Brex Payments LLC (collectively, “Brex”, “we”, “our”, and “us”). Brex Treasury LLC and Brex Payments LLC are involved in providing the Brex Cash product.
- Personal Information. “Personal Information” is any information that identifies, relates to, or reasonably could be linked to or associated with a particular person.
- Services. “Services” means the financial products, technology, expense management, cash management, payment services, integrations with Third-Party Services, and all other services provided by Brex, including those available through your Brex Account.
- App. “App” means the Brex Google Workspace Add-on application provided on Google Play.
II. How the Application Works
The App is designed to further automate attaching receipts to business expenses when using Brex Services. It works by running a Google Apps script in your Gmail that takes the following steps:
- It creates filters that identify emails that meet specific criteria, including appropriate keywords such as receipt, invoice, mastercard, purchase, and order; identifying that the email’s sender is not email@example.com; and that the email’s sender does not belong to the domain you use for your email. The App confirms the current list of filters regularly. The current list of filters applied is available here. They are labeled as “Receipt to be sent to Brex.” You will be able to view this label to identify which emails will be sent to Brex.
- The script identifies emails to be sent to Brex and forwards them to our receipt collection endpoint.
- After the emails are sent to Brex, they are labeled as “Receipt sent to Brex.” You will be able to view this label to identify which of your emails have been forwarded to Brex and they will not be sent to Brex automatically again.
Once Brex receives the forwarded emails, it will match the receipt information against your Brex transactions and automatically attach matching messages and receipts with the respective transaction.
Your IT or account administrator can install this App for your use with Gmail, but all of the App capabilities are set to off until you, the user, turn them on via the on/off toggles in the application settings. If you would like to uninstall the App, you can at any time. However, to ensure that the label, filters, and searches in your inbox stop, you should toggle off the relevant settings prior to uninstalling the App. Please see our Help Center Article for more information about turning on and off these settings.
III. What Personal Information We Collect About You and Where It Comes From
A. Information Brex Collects via the App
Brex collects and processes information from your Gmail inbox to automate the receipt-matching process for transactions you make using your Brex card.
Brex may collect the following categories of Personal Information from you through the App:
- Contact Data, such as your name, business email, phone number and address from your email signature.
- Professional Data, including your title or role on your team from your email signature.
- Transaction Data, that is included on your receipts, including the location of the transaction, amount, dates, and the products or services provided, along with information about the merchant you engaged with.
- Communications, including content of messages with receipts attached or embedded.
- Travel Data, such as airline and hotel booking information and itinerary information in connection with any travel arrangements included in receipts and confirmation messages. This potentially includes imprecise location data, such as when your itinerary indicates you are scheduled to be in a location.
IV. How Brex Processes and Stores Personal Information
A. How Brex Processes Personal Information
Brex processes the Personal Information collected through the App to provide you and your employer with Brex Services, in particular with automated receipt collection and matching. The Personal Information Brex collects through the App will be processed for the following purposes:
- Providing Brex Services. We use Personal Information to provide your employer with automated receipt matching.
- Improving and developing the Services. We use the Personal Information Brex collects to understand how your employer uses our Services, and how we can improve them. We also use the information to analyze trends and performance to identify future opportunities for the development, promotion, and improvement of our Services.
- Securing the Services and Fraud Detection. We process and analyze the Personal Information Brex collects to maintain the safety and security of our systems and Services, including identifying and troubleshooting any problem with Brex Services, investigating suspicious activity, detecting potentially fraudulent or unauthorized transactions, enforcing our terms and policies, and in protecting the rights of Brex, our customers, and those we do business with.
- Providing Customer Support. We process the Personal Information Brex collects to troubleshoot and diagnose problems with our Services, and to provide other customer care and support services, including to help us support, improve, and secure the quality of our Services, to investigate security incidents, and to provide appropriate training to Brex staff.
- Complying with legal obligations, defending legal claims, and preventing and detecting crime and misuse of Brex Services. We may process the Personal Information Brex collects to fulfill Brex’s legal and regulatory rights and obligations, including in the following situations:
- when cooperating with public and government authorities, courts or regulators in accordance with applicable laws;
- to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;
- to protect Brex’s legal rights, pursue remedies available to us, and limit our damages;
- to protect against misuse or abuse of our Services;
- to protect personal or public property or safety;
- to comply with judicial proceedings, court orders or legal processes; or
- to respond to lawful requests.
When complying with court orders and other similar legal processes, Brex strives for transparency. We will make reasonable efforts to notify our customers and users of any disclosure of their Personal Information, unless we are prohibited by law or court order, or exigent circumstances prevent us from doing so.
- With Notice to You and Your Consent. We may otherwise process Personal Information after providing notice to you and obtaining your consent. You may opt out of or refuse your consent for this processing; please see the “Your Rights and Choices” section below for how to do so.
B. Anonymized and aggregated data.
To improve and market our Services, better target advertisements, and for other promotional purposes, Brex may transform Personal Information into de-identified information removing or masking information that could be used to identify you and by aggregating or combining de-identified data with other information.
C. For EEA and UK residents: Legal basis for processing
The General Data Protection Regulation (GDPR) in Europe requires a "lawful basis" for processing personal data. Our lawful basis includes where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our Service Providers, partners, or business customers; (b) processing is necessary for the performance of a contract with our customers; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.
The legal basis for Brex’s different Personal Information processes is as follows:
- Process: Providing Brex Services
- Legal Basis:
- Brex’s legitimate business interest in providing our business customers with Services; and
- Brex’s customer’s legitimate interests in managing their business expenses, providing appropriate business spending capabilities, and overseeing how corporate funds are used by employees.
- Legal Basis:
- Process: Improving and developing the Services
- Legal Basis:
- Brex’s legitimate business interests in developing, promoting and improving our Services and identifying future business opportunities; and
- In some cases, your consent to providing Brex with feedback and data.
- Legal Basis:
- Process: Securing the Services and Fraud Detection
- Legal Basis:
- Brex’s legitimate interest in ensuring the safety and security of our Services and our interest in protecting Brex’s rights and the rights of our customers, including avoiding being the victims of or involved in crime.
- Legal Basis:
- Process: Providing Customer Support
- Legal Basis:
- Brex’s legitimate interest in providing our users and business customers’ authorized representatives with customer care and assistance, identifying and investigating security and technical incidents, and providing, improving, and securing our Services, as well as our staff’s knowledge and training.
- Legal Basis:
- Process: Complying with legal obligations, defending legal claims, and preventing and detecting crime and misuse of Brex Services
- Legal Basis:
- Compliance with Brex’s legal and regulatory obligations; and
- In furtherance of Brex’s legitimate interests in protecting against the misuse or abuse of our Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.
- Legal Basis:
- Process: With Notice to You and Your Consent
- Legal Basis:
- In reliance on your consent
- Legal Basis:
V. How Brex Discloses Personal Information to Other Parties
A. Brex’s Disclosures of Personal Information to Third Parties
Brex discloses Personal Information for several business purposes. Brex discloses data collected via the App for the following purposes:
- Business Purpose: Providing contracted Services to Business Customers
- Category of Recipient: The Brex account holder that has made you an authorized user or otherwise provided your personal information in connection to a Brex Account.
- Business Purpose: Providing and securing Brex Services, complying with our regulatory obligations, data analytics, data hosting, and technical support.
- Category of Recipient: Service Providers operating and providing services and staff augmentation on Brex’s behalf.
- Business Purpose: Accounting and expense integrations
- Category of Recipient: Third party accounting and expense management services.
B. Restrictions on Service Provider’s Use of Your Personal Information
Brex may transfer your Personal Information to our Service Providers. Brex contractually prohibits our Service Providers from retaining, using, or disclosing information about you for any purpose other than performing the services for us and fulfilling their own regulatory and legal obligations, although we may permit them to use information that does not identify you (including information that has been aggregated or de-identified) for other purposes except as prohibited by applicable law or contractual obligation.
C. Transfers authorized by you, by the Brex Account holder, or authorized representatives
D. Data transfers in corporate transactions
In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information and data we process from you may become part of the assets we transfer or share in preparation for any such transaction. Any acquirer or successor of Brex may continue to process Personal Information consistent with this Policy.
E. Compliance and compelled disclosures
We may disclose or transfer Personal Information in the following circumstances:
- To comply with applicable law, regulation or payment network rules;
- To enforce our contractual rights or comply with contractual obligations;
- To protect the rights, privacy, safety and property of Brex, you, our customers, our business partners, or others; or
- To respond to requests from auditors, courts, law enforcement agencies, regulators, and other public and government authorities, which may include authorities outside your country of residence. When complying with court orders and other similar legal processes, Brex strives for transparency. We will make reasonable efforts to notify our customers and users of any disclosure of their Personal Information, unless we are prohibited by law, court order, or exigent circumstances prevent us from doing so.
F. For California residents: No sale or sharing of Personal Information
Brex does not sell or allow our Service Providers to process your Personal Information for their own use without your consent, unless the processing of that information is either required by law or we determine that disclosure is reasonably necessary to enforce our rights, protect our property or operations, or enforce the rights and protect the property or operations of our business partners and customers. As part of our arrangements with Service Providers, Brex may receive your Personal Information from and transfer your Personal Information to our Service Providers as part of providing our Services and Products, but these transfers are conducted under contracts that protect your data from additional uses and are not considered a sale pursuant to California law. Brex also does not share Personal Information for cross-contextual behavioral advertising as defined in the California Privacy Rights Act.
Brex has not sold or shared Personal Information for cross-context behavioral advertising for the last 12 months.
VI. How Brex stores and protects Personal Information
A. How long Brex retains Personal Information and when we delete it
Brex collects and retains Personal Information to provide our Services. We retain that information for as long as we have a business or operational reason to retain that information, or where we have a legal or regulatory obligation to continue to retain that Personal Information after it has served its business or operational purpose. Brex deletes or de-identifies Personal Information when we no longer are required to or have a reasonable business purpose to retain it.
Brex’s legal retention obligations may require us to retain your Personal Information after you are no longer an authorized user of a Brex account or after your Brex account has closed. These retention obligations also prohibit us in some cases from deleting certain Personal Information after you have asked us to delete your data under the data privacy and data rights laws in different jurisdictions. Brex retains data where it is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements or where deleting it prevents us from billing for our Services, calculating taxes, conducting required audits, or carrying out other legitimate business functions.
Please see the “Your Rights and Choices” section and the sections detailing the rights you may have under the laws of your location below for more information.
B. Where Brex stores Personal Information and international data transfers
As we strive to serve our customers everywhere in the world they operate, Brex may process and store Personal Information for the purposes described in this Policy in the United States or any other country in which Brex, its subsidiaries, affiliates, or Service Providers operate. These countries may have data privacy or protection laws that are different to the laws of your country and may not be as protective. Brex takes measures to comply with applicable data privacy laws when we transfer Personal Information internationally.
For Personal Information transferred from Europe or the United Kingdom, we will provide appropriate safeguards, such as use of the Standard Contractual Clauses approved by the European Commission, to protect your Personal Information.
C. Brex’s data security
Brex uses organizational, technical, and administrative measures to protect Personal Information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Information. The specific measures we use include encrypting your Personal Information in transit and at rest, device and identity verification processes, and idle lockouts. For more information about our security measures, please see https://www.brex.com/security.
Where you have created a username and unique password to enable you to access your Brex Account, or use our Services, it is your responsibility to keep this password secure and confidential.
Please contact us as set out in the "How to Contact Us" section below immediately if you believe that your Personal Information or any other confidential information that you have provided to us is no longer secure or has been lost or stolen.
VII. Additional Important Information About Your Personal Information
A. Brex Account users and administrators’ access and authorities
Brex Services are intended for use only by companies, and you may only use a Brex Account or Card if you are an employee or other authorized representative of a company that has opened a Brex Account. The information in your Brex Account is governed by our agreements with the applicable business customer. You may access, update, or delete certain information within your Brex Account through the Platform, provided that the business customer’s administrator is responsible for determining how that data is processed. The business customer's administrator is responsible for your Brex Account and any Brex Cards associated with the business customer. The administrator can also access information about you via their own access to Brex’s Services, access and retain information we have stored on its behalf, and limit your ability to edit, modify, delete, or use information associated with your use of the Services.
However, losing authorized access to a company’s Brex Account does not deprive you of rights you may have under the data privacy or other data rights laws in your jurisdiction. Please see the “Your Rights and Choices” section and the sections detailing the rights you may have under the laws of your location below for more information.
B. Closure of a Brex Account
Closure or deletion of your company’s Brex Account will mean that the business customer will permanently lose access to the Personal Information and data associated with the Brex Account. Personal information or de-identified information associated with your company’s Brex Account may nonetheless remain on systems owned or maintained by Brex where required to comply with the law, our contractual obligations, or carrying out legitimate business functions.
Where Brex retains Personal Information after an account has closed, individuals may have the right to access, delete, or assert other rights under the laws of their jurisdiction.
VIII. Your Rights and Choices
A. California Resident Rights and Choices
If you are a California resident, you have certain rights over the information that we have about you. You can:
- Delete any Personal Information we have collected from you when we do not have legal or contractual obligations to keep the information or a need for the information to carry out a legitimate business function.
- Opt out of the sale of your Personal Information and opt out of having your personal data shared for the purpose of cross-context behavioral advertising. As discussed above, Brex does not sell your Personal Information nor share it for these purposes.
- To request that Brex corrects any inaccurate Personal Information Brex holds about you.
- To request that Brex limit the use and disclosure of your sensitive Personal Information to uses that are necessary to provide our Services and to the uses defined in California law or regulation (defined in the California Civil Code, Section 1798.121).
- Request that Brex provide you with any or all of the following regarding Brex’s data processing for the 12 months preceding the request:
- The categories of information Brex has collected about you;
- The categories of sources from which the Personal Information is collected;
- The business or commercial purpose for collecting Personal Information;
- The categories of third parties to whom Brex discloses Personal Information; and/or
- A copy of the specific pieces of information Brex has collected about you.
- Appoint an authorized agent to act on your rights on your behalf. Brex will require appropriate proof of the agent’s authority to make these requests and will need to verify your identity directly.
Brex will not discriminate against you for any use of your privacy rights.
To exercise any of these rights, you may make a request on Brex’s Privacy Request Portal or by emailing us at firstname.lastname@example.org. You can also reach out to our Customer Experience team by phone at +1 833 228 2044. Brex will confirm receipt of your request and provide you with information about our processes for acting on your request, including when you can expect a response, within 10 business days. We will need to verify your identity to ensure the security of your Personal Information before providing you with any Personal Information.
If you are currently a Brex user, you may correct any Personal Information we have about you either in your settings, by contacting your Brex Account administrator, or by using the contact details above in addition to requesting correction through our Privacy Request Portal.
B. European and United Kingdom Rights
You have the following rights regarding the Personal Information we collect and use about you:
- You may access, correct, update or request deletion of your Personal Information.
- You can object to processing of your Personal Information, ask us to restrict processing of your Personal Information, and request we transfer your Personal Information to a third party.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us via the Privacy Portal or at email@example.com.
- If we have collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a supervisory authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority.
To exercise any of these rights, please contact us either through Brex’s Privacy Request Portal or at firstname.lastname@example.org. We will respond to your request within 30 days. We may require specific information from you to help us confirm your identity and process your request.
If Personal Information about you has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with our customer directly. If you wish to make your request directly to us, please provide the name of the customer on whose behalf we processed your personal data. We will refer your request to that third party, and will support them to the extent required by applicable law in responding to your request. Read more about how Brex operates as both a controller and processor in the section "Brex’s role as a data controller and processor" above.
Please note that we retain information as necessary to fulfill the purposes for which it was collected, and may continue to retain and use your Personal Information, even after a data subject request, for purposes of our legitimate interests and to comply with our legal obligations, including where needed to resolve disputes, prevent fraud and financial crime, and enforce our agreements as well as to comply with statutory retention obligations.
C. Residents of other locations
If you reside in a US state or territory other than California or anywhere else in the world other than the European Economic Area or United Kingdom and would like more information about how Brex processes your Personal Information or have questions about your rights under this Policy, please submit your request on Brex’s Privacy Portal or to email@example.com.
IX. Updates to This Policy
We may update this Policy from time to time in response to changing legal, regulatory, technical or business developments. When we update this Policy, we will notify you of material changes, changes that limit any of the rights you have related to the manner in which we process your Personal Information, or that we are required to disclose by law, via a prominent notice on our website, login screen, your mobile app, or via email at least 30 days prior to the changes taking effect. We will obtain your consent to any material changes to this Policy if, and where, required by applicable data protection laws.
You can see when this Policy was last updated by checking the “Revised” date displayed at the top of this Privacy Notice.
X. How to Contact Us
If you have concerns, questions, or would like to better understand our privacy practices at Brex, please contact us using the following details:
By email: firstname.lastname@example.org
50 W Broadway Ste 333
Salt Lake City, Utah 84101-2027 USA
By phone to our Customer Experience team: +1 833 228 2044