📣 New IDC report on AP automation! Get your free copy >

Platform Agreement

Brex Privacy Policy

Revised April 12, 2024

Overview

Brex respects your privacy. While Brex’s Services are designed for use by business customers, we may process information about you when providing our services and operating our business. This Privacy Policy (the "Policy") provides a comprehensive description of how Brex collects, uses, and discloses information about you, as well as your rights and choices. For purposes of this Policy, "Brex", "we", "our", and "us" refers to Brex, Inc. and its affiliates, and "you" or "your" refers to the individual interacting with us.

When you access or use our Services, you acknowledge that you have read this Privacy Policy and understand its contents. Please read this Policy carefully, as it applies when you use our Services or Products, visit our Website, or use the Brex mobile app. Capitalized terms that are not defined in this Policy have the definitions provided in the Platform Agreement.

In connection with the provision of specific Services, we may provide additional "just-in-time" disclosures or additional information about our data processing practices. These notices may supplement this Privacy Policy, clarify Brex’s privacy practices in the circumstances described or may provide you with additional choices about how Brex processes your personal information.

1. Applicability of this Privacy Policy

This Privacy Policy applies to the personal information we collect and process, when you:

  • visit, interact with, or use any Brex website, and/or Brex Services;
  • create or administer your Brex account;
  • receive communications from, or otherwise interact or communicate with us, including via email, phone or mail, or using our branded social media pages;
  • register or take part in our marketing, learning, or training events; and/or
  • offer or integrate your application, content, product, or services on or through Brex Services.

This Privacy Policy does not apply to the following:

  • Company Data. Company Data includes any personal information that you submit to us for processing to provide the Brex Services, such as when you provide your bank account information for payroll processing, or demographic information for benefits enrollment purposes. Company Data does not include the account information about you that you provide to us in connection with the creation or administration of your Brex account. For more information on how Brex handles Company Data, please see our Data Processing Addendum.
  • Brex as an employer. Any personal information we collect or process in our capacity as an employer, co-employer, or employer of record. For information we collect as part of the applicant process, please see our Applicant Privacy Policy.
  • Third Party Service Partners and Providers (“Service Providers”). Any products, services, websites or content that are offered by third parties through integrations with Brex Services, which are governed by their own respective privacy policies.

2. Personal Information We Collect

The personal information we collect depends on the context of your interactions with Brex and the choices you make, the Services and features you use, your location, and applicable laws. If you provide us with information about another individual, you represent you have the authority to do so and have delivered any required notices and obtained all necessary rights and consents to provide such information to us for processing in accordance with this Privacy Policy.

A. Information Provided to Brex

Brex Services are intended for use by business customers and their administrators, employees and other authorized users ("Authorized Users"). When applying for a Brex Account, we may receive information about you, your Company, and individuals associated with your Company. Such information includes, but is not limited to:

  • Business Contact Information, such as your name, address, phone number, email address, employer, and job title.
  • Account information, such as usernames, credit card and bank account information, VAT numbers and other tax identifiers, and other authentication and security credential information.
  • Identification Information, such as social security number and driver's license, passport or other government-issued identification documents to comply with our verification process, global anti-money laundering (AML) and know your customer (KYC) obligations.
  • Communications, including when contacting sales, implementation, or support, asking a question, providing product feedback or corresponding with our business teams.
  • Content, including any documentation, files or information you provide, which may include information about you or your business.
  • Third-Party Information, including information you provide about any co-workers, contractors, vendors or potential referrals, such as their Business Contact Information.
  • Other information, such as when you fill in a form on our website, respond to surveys, provide feedback, make a support inquiry, participate in promotions, or otherwise communicate with us.

Providing your personal information is optional, but it may be necessary for certain Services, such as account registration. In such cases, if you do not provide your personal information, we may not be able to provide you with the requested Services.

In connection with providing Services, we receive additional information submitted by, on behalf of and relating to a Company and its Authorized Users, such as:

  • Authorized User Data, including your Business Contact Information, login credentials, and other information used by your company to invite and manage Authorized Users.
  • Transaction Data, including information associated with your payments and card transactions made through your company's Brex Account, whether online or in store, such as the purchase details, payment mechanism, amount, location, and any annotations or coding you provide. Transactions can be made through a variety of domestic and international payment mechanisms, such as sending or receiving funds via ACH, wire, or check, or making charges through a payment card.
  • Linked Data, including information and documentation relating to you and your company made available by Third-Party Services connected to the Services. Linked Data may be made available to Brex during the application process and after a Brex Account is opened for your company. For example, if you link business bank accounts during or after the application process, or link your bank account to receive or provide expense reimbursements, we will receive Bank Account Information about the linked account, like the bank routing and account numbers and account balance. In addition, some Third-Party Services (e.g. accounting systems and business bank accounts) will provide us with information about activities outside of the Services, like your business expenses and your company's external transactions, finances and revenue. Other third party services, like your company's HRIS, may disclose your Authorized User Data, and if your company connects its email service, we may receive your email communications and attachments for processing. We may continue to access and receive Linked Data from a Third-Party Service until it is disconnected by you or your company.
  • Spend and Workflow Data, including your company's spend limits and policies, approval hierarchies, and finance workflows.
  • Travel Data, including your business travel booking and itinerary. This may include imprecise location information, such as when your travel itinerary indicates you have booked a flight to or hotel in a location.
  • Receipt and Invoice Data, including information you submit to us to pay company invoices and process your receipts, such as photos, PDFs, e-mails and SMS messages if you opt-in to text messages, along with associated metadata.
  • Vendor Data, including the identity of your Company's vendors and their Business Contact Information, payment details, contracts and purchase orders, and information to complete tax documentation (e.g., the vendor's tax identification number).

B. Information We Collect Automatically

We automatically collect certain types of information when you interact with our Services, such as when you visit our website or log into your account. We use common information gathering tools, such as tools for collecting usage data, cookies, web beacons and similar technologies to automatically collect information that may contain personal information from your computer or mobile device as you navigate our Services or interact with emails we have sent you. This information includes:

  • Usage and interaction information. The full Uniform Resource Locators (URL) clickstream to, through, and from our website (including date and time) and Services, content you viewed or searched for, page response times, download errors, length of visits to certain pages, and page interaction information (such as scrolling, clicks, and mouse-overs).
  • Log data and device Information, such as IP address, information about your Internet service provider, computer and device information including device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting, authentication and security credential information, access dates and times, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs.
  • Inferred location information. We may look up your IP address to determine your general location.
  • Other identifiers and information contained in cookies and similar tracking technologies as described in our Cookie Notice regarding the cookies we use, why we use them, and how you can control and in some cases, disable cookies and other tracking technology in connection with our Website and Services. If you have access to a Brex Dashboard, this information is also available in the Cookie Preferences section of your Settings.

C. Information We Collect from Other Sources

We collect information about you from other sources, including partners and service providers from whom we receive demographic and business contact information, or who provide us with publicly available information which may contain personal information, as well as customers from whom we receive vendor information. We may combine this information with personal information that you provide. We treat the information obtained from other sources in accordance with any laws or contractual obligations applicable to us. Other sources of information include:

  • Financial Institution Partners such as banks (e.g. the bank issuing your Company's card or originating loans to finance Company expenses), card networks, payment processors, money transmitters, or other entities that provide or support delivery of financial services.
  • Identity Verification, Fraud and Compliance Monitoring, and Financial and Business Information Providers, which may help us supplement our understanding of your business and its personnel, maintain security, prevent fraud and comply with regulation and contractual obligations.
  • Vendors transacting with or supporting our business customers (e.g., merchants and accounting firms). For example, a merchant might supply us with their payment details and tax identification number so our business customers can make bill payments and report on their tax obligations.
  • Service Providers, which help us operate our business.
  • Social Networks and Advertising Providers, including to help us identify or enrich our understanding of prospective customers, and to serve and measure advertising.
  • Joint Marketing, Business Partnership, Referrals, and Rewards Partners that we engage for joint marketing activities and our referrals and rewards programs.
  • Other Data Suppliers that provide information about industries, business trends, organizations and other matters related to our business.
  • Publicly Available Sources, including information in the public domain that helps us identify potential customers and partners or conduct due diligence and risk management for potential and existing customers.

3. How We Use Your Personal Information

We use information for business and commercial purposes in accordance with the practices described in this Policy. Purposes for using personal information include:

  • Providing and Maintaining Our Services. To provide and deliver, operate, and manage our Services, perform customer validation and enable you to use Brex cards and other payment tools, verify financial information to establish spend limits, process transactions related to our Services, including registrations, purchases, and payments.
  • Communicating with you. To communicate with you about our Services via different channels (e.g., by phone or email), send you notices, updates, security alerts, information regarding changes to our policies and terms, and to respond to your requests.
  • Measuring, Troubleshooting, and Improving our Services. To provide, maintain, improve and develop our Services, including by measuring their use, analyzing their performance, and preventing or addressing technical issues and disruptions. Improving and expanding our products and operations. For example, we may develop or improve Services by analyzing how you use features, the documentation you submit or information associated with your transactions.
  • Preventing and investigating security and fraud issues. To prevent, detect, mitigate, and investigate potential risk, security issues, suspicious activity, as well as fraudulent or unauthorized transactions and breaches of policies and terms, and threats of harm, including in an automated fashion.
  • Recommendations and Personalization. To recommend Brex Services that might be of interest to you, identify your preferences, and personalize your experience with Brex Services.
  • Rewards. If your Company chooses to participate in our rewards program, to determine eligibility and to facilitate the rewards program effectively.
  • Advertising and marketing. To develop, send, and measure advertising, marketing, communications about our products, offers, promotions, rewards, events, Services, and other information based on your preferences. We may also use personal information to administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by Brex or its third-party partners, and to invite you to events and relevant opportunities. For more information about your choices relating to our marketing activities, see “Your Rights and Choices” section below.
  • Complying with Legal Obligations. In certain cases, we may have a legal obligation to collect, use, or retain your personal information to fulfill legal, regulatory and contractual obligations, including when cooperating with government authorities, courts and regulators in accordance with applicable law, maintaining records to demonstrate compliance with applicable law and regulation, protecting our legal rights and pursuing remedies available to us.
  • Generating Aggregate or De-identified Information. To develop de-identified information by removing or masking information that could be used to identify you and by aggregating or combining information with other information.
  • At Your Direction. To fulfill any other purpose at your direction, including as expressed through your or your Company's use of Services functionality. For example, if you direct us to connect your Brex Account to a Third-Party Service, such as Slack or Uber, we will process that request accordingly.
  • With Notice to You and Your Consent. We may otherwise use the information we collect after providing notice to you and obtaining your consent for specific purposes communicated to you.

Notwithstanding the above, we may use information that does not identify you for purposes permitted by law or contractual obligation applicable to us. For information on your rights and choices regarding how we use your Personal Information, please see the "Your Rights and Choices" section below.

4. How We Share Your Personal Information

Maintaining your trust over your personal information is a vital part of our relationship with you. We share information we collect in accordance with the practices described in this Privacy Policy. The categories of parties to whom we disclose information are:

  • Service Providers. We engage third party companies and individuals to perform certain functions on our behalf, for example cloud infrastructure, website hosting, analytics, collaboration and technical support. Depending on the service, we provide information on a continuous basis (e.g., fraud services) or on an as-needed basis. We contractually prohibit our service providers from retaining, using, or disclosing information about you for any purpose other than performing services for us, although we may permit them to use information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by applicable law or contractual obligation. Additional information about the subprocessors we use to support delivery of our Services is made available in our Trust Center.
  • Affiliates. We may share your personal information with our affiliates within the Brex corporate group, as well as companies we may acquire in the future when they become part of the Brex corporate group, in accordance with this Privacy Policy.
  • Business Customers. We disclose information to our business customers to provide Services on their behalf. For example, we may disclose information to your Company to process your payment transactions, provide Services, report on your use of your Company's Brex Account, respond to your and their questions, comply with your and their requests, and otherwise comply with the law. In addition, your Company can assign different roles to Authorized Users, which will have different associated capabilities and permissions. We will disclose information about your use of the Services to other Authorized Users who may include members of your Company's finance department, your manager, a Company service provider or other Company personnel. Business customers are independent entities and their processing of information is subject to their own policies and terms.
  • Third Party Services. We make available services and integrations to Third-Party Services and their providers if you or your Company use Third-Party Services in connection with the Services. For example, your Company Authorized User may request integration with third-party applications for payments. You can tell when a third party is involved in your transactions, and we share information related to those transactions with that third party.
  • Identity Verification and Validation Services. We disclose information as necessary to verify your identity and perform other compliance functions.
  • Security, Fraud Detection and Compelled Disclosure. We disclose information to comply with the law, regulations, payment network rules, or legal process, investigate suspicious or potentially fraudulent activity, and where required in response to lawful requests by regulators, law enforcement, Financial Institution Partners and public authorities, including to meet national security, anti-money laundering or law enforcement requirements. We will also disclose information to protect the rights, property, life, health, security and safety of us, the Services, our Business, or anyone else.
  • Financial Institution Partners. We disclose information to Financial Institution Partners to support their customer identification, risk and compliance programs, and so they can determine eligibility for, and provide, products and services to our business customers, either directly or through us. For example, we may disclose your Contact Information, Identifying Data and other Company information and documentation so a Financial Institution Partner can validate your Company's eligibility to receive, and deliver, card, payments, and international transfer capabilities through our Services.
  • Brex Rewards. We may share personal information about you and your Company's Brex Account as necessary to determine your Company's eligibility for rewards and to facilitate the rewards program effectively.
  • Marketing and Advertising. We disclose information to vendors, platforms, analytics providers and other parties for marketing and advertising related purposes. For more information on our online advertising practices, see the "Analytics and Advertising" section below. If you connect your bank account to your Company's Brex Account, we will not disclose your bank account Information to market our Business on advertising platforms.
  • Mergers and Acquisition. If Brex goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its businesses, services, or assets, your personal information may be among the assets transferred. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of personal information to an unaffiliated third party.
  • Referrals and Joint Marketing. We may share information about you and your Company's Brex Account to our partners in connection with facilitating referral partnerships or engaging in joint marketing activities. For example, if you or your Company were referred to us through a referral partner, we may disclose information with our referral partner to confirm the status of your application and to calculate the referral fee.
  • At Your Request. We may share personal information at your request or direction.
  • With Notice to You and Your Consent. We may otherwise disclose information after providing notice to you and obtaining your consent.

Notwithstanding the above, we may disclose information that does not identify you (including information that has been aggregated or de-identified) for any purpose except as prohibited by law or contractual obligation applicable to us. For information on your rights and choices regarding how we share information about you, please see the "Your Rights and Choices" section below.

5. How Long We Keep Personal Information

We keep your personal information for as long as it is required in order to fulfill the relevant purposes described in this Privacy Policy, or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements.

Because these needs can vary for different data types in the context of different Services, actual retention periods can vary significantly. We determine the appropriate retention period for personal information based on the amount, nature and sensitivity of your personal information processed, the potential risk of harm from unauthorized use or disclosure of your personal information and whether we can achieve the purposes of the processing through other means, as well as applicable legal requirements (such as applicable statutes of limitation).

Please note that our retention obligations may require us to retain your Personal Information after you are no longer an Authorized User or your Company’s Brex Account has closed. These retention obligations may also prohibit us in some cases from deleting Personal Information after you have asked us to delete your Personal Information. When the applicable retention period elapses, we will delete or de-identify your Personal Information in accordance with our policies and procedures.

6. Analytics and Interest-Based Advertising

Where permitted under laws applicable to our Business, we use analytics services, such as Google Analytics, to help us understand how users access and use the Website and other aspects of our business. In addition, we work with agencies, advertisers, ad networks, and other technology services to place advertisements on our behalf on other websites and services. For example, we may place ads through Google, LinkedIn and Facebook that you may view on their platforms as well as on other websites and services.

As part of this process, we may use tracking technologies (including incorporating them into our Website and emails), as well as incorporating into our ads displayed on other websites and services. Some of these tracking technologies may track your activities across time and services for purposes of associating the different devices you use, and delivering relevant ads and/or other content to you ("Interest-based Advertising").

For further information on the types of tracking technologies we use and your rights and choices regarding analytics and Interest-based Advertising, please see the "Your Rights and Choices" section below. You will continue to see advertising, including potentially from us, even if you opt out of personalized advertising.

7. International Data Transfers

Personal information we collect may be stored and processed in your region, in the United States or in any other country where we or our affiliates or service providers maintain facilities, operate, or provide services. We maintain primary data centers in the United States. We take steps designed to ensure that the personal information we collect under this Privacy Policy is processed as described in this Privacy Policy and according to any applicable laws.

For personal information transferred from the European Economic Area, Switzerland or the United Kingdom, we will provide appropriate safeguards, such as through the use of the relevant standard contractual clauses. For further information on these transfers and the relevant appropriate safeguards, please see the "Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom" section below.

8. Cookies

We use cookies and similar technologies to enable our systems to recognize your browser or device, to provide our Services, and to improve your experience. For more information about cookies and how we use them, please read our Cookie Notice. This notice also describes how you may opt out of the use of personal information stored in cookies, such as browser cookies, for targeted or cross-contextual behavioral advertising.

9. Security

We design our systems with your security and privacy in mind.

  • We maintain a wide variety of trust programs that validate our security controls. Click here to learn more.
  • We protect the security of your information during transmission to or from Brex by using encryption protocols and software.
  • We maintain technical, physical, and organizational safeguards in connection with the collection, storage, and disclosure of personal information. Our security procedures mean that we may request proof of identity before we disclose personal information to you.

However, no security measure or modality of data transmission over the Internet is 100% secure. Although we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. You are solely responsible for protecting your password, limiting access to your devices, and signing out of websites after your sessions.

10. Your Rights and Choices

Region-Specific Rights. Depending on your location and subject to applicable law, you may have certain rights regarding your personal information. For region-specific terms, please see the bottom of this Privacy Policy. In addition, irrespective of your location, you have choices about the collection and use of your personal information. You can choose not to provide certain information, but then you might not be able to take advantage of certain Brex Services.

Company Brex Account. Brex Services are intended for use by business customers, and you may only use a Brex Account if you are an Authorized User of a Company that has opened a Brex Account. The information in a Company's Brex Account is governed by our Agreement with the business customer. You should direct questions about Personal Information we are processing on behalf of a Company to that Company's administrators. If you are an Authorized User, you may also be able to access, update, or delete certain information within your Company's Brex Account through the Services, provided that the Company and its administrators are responsible for determining how that data is processed.

Marketing Communications. You can opt out of receiving promotional emails from us at any time by following the instructions as provided in emails to click on the unsubscribe link. Please note that you cannot opt-out of non-promotional emails, such as those about your Company's Brex Account, transactions, servicing, or our ongoing business relations. If you have opted in to receiving text or SMS messages related to your use of the Services, you can opt-out at any time by texting "STOP" to the short code. After you send the SMS message "STOP" to us, we will send you an SMS message to confirm that you have been unsubscribed. After this, you will no longer receive SMS messages from us. Text messaging originator opt-in data and consent will not be shared, sold, rented or otherwise disclosed by us for marketing purposes.

Analytics and Interest-Based Advertising. You may opt out of online behavioral advertising on the Internet by visiting the Network Advertising Initiative, or the Digital Advertising Alliance opt-out pages. You may also opt out of online behavioral (sometimes called “interest-based” or "cross-contextual") advertising on your mobile device by some mobile advertising companies and other similar entities by downloading the App Choices App. Google provides tools to allow you to opt out of the use of certain information collected by Google Analytics at https://tools.google.com/dlpage/gaoptout and by Google Analytics for Display Advertising or the Google Display Network at https://www.google.com/settings/ads/onweb.

Opting out only means that the selected participants should no longer deliver certain targeted ads to you, but does not mean you will no longer receive any targeted content and/or ads (e.g., in connection with the participants' other customers or from other technology services). Any such targeted advertising will only be carried out to the extent that it is permitted by applicable law. Please note that if you opt out using any of these methods, the opt out will only apply to the specific browser or device from which you opt out. Except as required by applicable law, we are not responsible for the effectiveness of, or compliance with, any opt-out options or programs, or the accuracy of any other entities' statements regarding their opt-out options or programs.

Browser and devices. The Help feature on most browsers and devices will tell you how to prevent your browser or device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. For more information about Brex’s use of cookies and other identifiers, see our Cookie Notice.

Your browser settings may allow you to automatically transmit a "Do Not Track" signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to "Do Not Track" signals. For more information on "Do Not Track," visit http://www.allaboutdnt.com. Note that if you are a California resident, you may exercise your right to opt-out of sales or sharing through preference signals. Please visit the "Additional Disclosures for California Residents" section below for details.

Please be aware that if you disable or remove tracking technologies some parts of our Services, Website and Business may not function correctly.

11. Children's Personal Information

We do not provide our Services to children. We do not knowingly collect personal information (as defined by the U.S. Children's Privacy Protection Act, or "COPPA") from children under 13. We also do not knowingly "share" or "sell," as those terms are defined under the California Privacy Rights Act, the personal information of minors under 16 who are California residents. If you are a parent or guardian and believe we have violated this provision, please contact us at the address stated under the "How to Contact Us" section below.

12. Changes to this Privacy Notice

The Services and our business may change from time to time. As a result, it may be necessary for Brex to make changes to this Privacy Policy. Brex reserves the right to update or modify this Privacy Policy at any time. If we have an existing relationship with you, you represent a Company, or if you are an Authorized User, we may provide you notice through our Website or your Company's Brex Account or directly using the Contact Information provided to us. If we do not have an existing relationship with you---for instance, if you only visit our Website---any notice we provide will be posted to our Website. Any privacy notice is effective upon posting or when it is provided to you. Please review this page periodically, and especially before you provide any personal information to us. This Privacy Policy was last updated to be effective as of the “Last Updated” date indicated at the top. Unless stated otherwise, our current Privacy Policy applies to all personal information we collect, how we use and otherwise process it and under what circumstances we will disclose it to third parties

13. Contact Us

If you have any questions about our Privacy Policy or privacy practices, or if you wish to lodge a complaint about our privacy practices, please contact us:

Online: Brex Privacy Center

By mail: Brex Privacy, 650 S 500 W, Suite 300, Salt Lake City, UT 84101

If you experience any difficulties accessing the information in this Privacy Policy, please contact us at privacy@brex.com.

If you have any questions about the Customer Data handled by your Company, please contact your Company’s Administrator.

14. Additional Disclosures for California Residents

These additional disclosures apply only to California residents and only to the extent applicable.

Notice of Collection

The California Consumer Privacy Act as amended by the California Privacy Rights Act ("CPRA") provides additional rights and requires businesses collecting or disclosing personal information to provide notices and means to exercise rights. In the past 12 months, we have collected the following categories of personal information enumerated in the CPRA:

  • Identifiers, including name, postal address, email address, and online identifiers (such as IP address).
  • Customer records, including phone number, billing address, bank account and credit or debit card information.
  • Characteristics of protected classifications under California or federal law, including gender.
  • Commercial or transaction information, including records of products or services purchased, obtained, or considered.
  • Internet activity, including browsing history, search history, and interactions with a website, email, application, or advertisement.
  • Non-Precise Geolocation data.
  • Employment and education information.
  • Inferences drawn from the above information about your predicted characteristics and preferences.

For further details on personal information we collect, including the sources from which we receive information, review the "Information that Brex Collects" section above. We collect and use these categories of personal information for the business purposes described in the "How We Use Information" section above. We disclose the personal information to the categories of persons set out in the "Disclosure of Information" section above. Please visit those sections for further details.

Right to Know, Correct and Delete

You have the right to know certain details about our data practices. In particular, you may request the following from us:

  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information was collected;
  • The categories of personal information about you we disclosed for a business purpose or sold or shared;
  • The categories of persons to whom the personal information was disclosed for a business purpose or sold or shared;
  • The business or commercial purpose for collecting or selling or sharing the personal information; and
  • The specific pieces of personal information we have collected about you.

In addition, subject to exceptions, you have the right to correct or delete the personal information we have collected from you.

To exercise any of your rights, please submit a request through our Privacy Center. We will confirm receipt of your request and respond to your request within the time limits prescribed by law. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests.

If personal information about you has been processed by us as a service provider on behalf of a business customer, please inquire with the business customer directly to exercise your rights. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal information. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Retention

We retain each category of personal information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

Authorized Agent

You can designate an authorized agent to submit requests on your behalf. However, we may require signed proof of the agent's permission to do so and verify your identity directly. Requests must be submitted through the designated methods listed above.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.

Additional Notice and Opt-Out

Under the California Privacy Rights Act ("CPRA"), some marketing activities may be considered a "share" or "sale" even if no money is received for sharing the data. We may share categories of information such as identifiers, characteristics, internet activity, non-precise geolocation data, and inferences with third parties for business purposes, but we do not receive any monetary compensation from those third parties for doing so. The third parties we share with include vendors engaged in cross-context targeted advertising. To the extent that our marketing activities constitute a "share" or "sale" of your personal information, you can opt out. To opt out, you can modify your cookie choices as described in our Cookie Notice or activate Global Privacy Control on all applicable devices.

Shine the Light

Customers who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties' own direct marketing purposes; and (ii) a list of the categories of third parties to whom we disclose such information. To exercise a request, please write to us at privacy@brex.com or the postal address set out in "Contact Us'' above and specify that you are making a "California Shine the Light Request." We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.

15. Additional Disclosures for Nevada Residents

Nevada law (NRS 603A.340) requires each business to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of personal information that the business has collected or will collect about the consumer. A sale under Nevada law is the exchange of personal information for monetary consideration by the business to a third party for the third party to license or sell the personal information to other third parties. If you are a Nevada consumer and wish to submit a request relating to our compliance with Nevada law, please refer to the "Contact Us" section above.

16. Additional Disclosures for Virginia Residents

Virginia provides additional rights to Virginia residents through the Virginia Consumer Data Protection Act ("VCDPA"). This section addresses those rights and applies only to Virginia residents acting in an individual or household context.

You have the following rights under the VCDPA:

  • To confirm whether or not we are processing your personal information
  • To access your personal information
  • To correct inaccuracies in your personal information
  • To delete your personal information
  • To obtain a copy of your personal information that you previously provided to us in a portable and readily usable format
  • To opt out of the processing of personal information for purposes of targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you

To exercise any of these rights, please submit a request through our Privacy Center. We will respond to your request within the time limits prescribed by law. We may require specific information from you to help us confirm your identity and process your request. If personal information about you has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal information, please inquire with the business customer directly. If you wish to make your request directly to us, please provide the name of the business customer on whose behalf we processed your personal information. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

17. Additional Disclosures for Data Subjects in the European Economic Area, Switzerland and the United Kingdom

Roles

Brex may process personal information in accordance with the instructions of or on behalf of a business customer, including when providing Services to a Company under an agreement. In this context, Brex acts as a processor and the business customer acts as a controller. Brex may also act as a controller when directly determining the processing of personal information in other Business contexts set out in this Policy, like complying with regulatory obligations applicable to our Business.

Lawful Basis for Processing

Data protection laws in Europe require a "lawful basis" for processing personal information. Our lawful bases include where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our service providers, partners, or business customers; (b) processing is necessary for the performance of a contract; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.

International Transfers

We may transfer your personal information to our operations in the United States or to our service providers or other third parties in the United States or in other countries - this may involve the transfer of your personal information to countries which have different data protection standards to those which apply in the European Economic Area, Switzerland or the United Kingdom.

Some of these countries are subject to a European Commission and/or UK government adequacy decision. For other countries, Brex has put in place the relevant European Commission or UK government-approved standard contractual clauses with the relevant third parties to ensure that your personal information is protected with appropriate safeguards. We may also rely on other permitted data transfer mechanisms.

Your Data Subject Rights

You may have certain statutory rights relating to your personal information. Subject to applicable law, you may have the right to access and rectify your personal information, to require us to erase your personal information or to transfer it to other organizations, and to object to the processing of your personal information. Where we process your personal information because we have a legitimate interest in doing so (as explained above), you may have a right to object to this. You may also have the right to restrict processing of your personal information in certain circumstances. These rights may be limited in some situations, for example, where we can demonstrate that we have legitimate grounds to process your personal information. In addition, you have the right to ask us not to process your personal information (or provide it to third parties to process) for marketing purposes or purposes materially different from those for which it was originally collected or subsequently authorized by you. You may withdraw your consent at any time for any processing of your personal information which we do based on consent you have provided to us.

To exercise any of these rights, please submit a request through our Privacy Center. We will respond to your request within the time limits prescribed by law. We may require specific information from you to help us confirm your identity and process your request. If your personal information has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal information, please inquire with our business customer directly. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we processed your personal information. We will refer your request to that business customer, and will support them to the extent required by applicable law in responding to your request.

Retention of your personal information

Please note that we retain personal information for as long as necessary to fulfill the purposes for which it was collected from you and/or our business customers, and may continue to retain and use your personal information for purposes of our legitimate interests and/or as necessary to comply (or demonstrate compliance with) with our legal/regulatory obligations, resolve disputes, prevent fraud, and enforce our rights.

We hope that we can satisfy any queries that you may have about the way we process your personal information. However, if you have any issues with our compliance, you may contact us at privacy@brex.com. You also have the right to lodge a complaint with the data protection regulator in your jurisdiction if you have any unresolved concerns. You can lodge the complaint in the country where you reside, where you work or where any alleged infringement of data protection law occurred.

18. Additional Disclosures for Individuals Located in Brazil

Controller of Personal Information. Brex, Inc., 650 S 500 W, Suite 300, Salt Lake City, UT 84101 is the data controller for the personal information covered by this Privacy Policy.

Processing.The Brazilian General Data Protection Law (“LGPD”) requires a legal basis for our use of personal information. Our basis varies depending on the specific purpose for which we use personal information. We use personal information for the following legal bases:

  • Performance of a contract, such as when we provide you with our Services, or communicate with you about them. This includes when we use your personal information to process your order, administer your account, provide you with support, and process payments.
  • Our legitimate business interests and the interests of our customers, such as when we operate, develop, or improve our Services, when we analyze your behavior in the course of your interaction with our Services, when we detect and prevent fraud and abuse in order to protect the security of our customers, ourselves, or others, and when we advertise or market to you through direct marketing.
  • Your consent, when we ask for your consent to process your personal information for a specific purpose that we communicate to you. When you consent to our processing your personal information for a specified purpose, you may withdraw your consent at any time and we will stop processing your data for that purpose.
  • Compliance with a legal obligation, when we use your personal information to comply with laws.
  • These and other legal bases, depending on the purpose for which we use personal information.

Your Rights. Subject to applicable law, you have the right to:

  • ask whether we hold personal information about you and request copies of such personal information and information about how it is processed;
  • request that inaccurate personal information is corrected;
  • request deletion of personal information;
  • request us to restrict the processing of personal information where the processing is inappropriate;
  • object to the processing of personal information;
  • request portability of personal information that you have provided to us (which does not include information derived from the collected information), where the processing of such personal information is based on consent or a contract with you and is carried out by automated means;
  • if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

If you wish to do any of these things, please contact us at the address stated under "Contact Us" above, stating the country in which you are located.

Transfers outside of Brazil. We may transfer personal information from Brazil to other countries that may not have the same level of data protection that applies in your jurisdiction. In these cases, we use a variety of legal mechanisms to ensure that the recipient of your personal information offers an adequate level of protection, or where required, we will ask you for your prior consent.

19. Additional Disclosures for Individuals Located in Canada

Your Rights and Choices

Subject to limited exceptions under applicable Canadian law, you may have the right to access, update, correct inaccuracies in, and withdraw consent (subject to reasonable prior notice and applicable legal and contractual restrictions) to the collection, use and disclosure of your personal information. If you withdraw your consent, we may not be able to provide our Website, Services or other aspects of our Business. To exercise any of these or other rights applicable to you under Canadian privacy laws, please contact us as set out in the "Contact Information" section below. We may require specific information from you to help us confirm your identity and process your request.

If personal information about you has been processed by us on behalf of a business customer and you wish to exercise any rights you have with respect to such personal information, we encourage you to inquire with our business customer directly. If you are a resident of the province of Quebec, please note that we transfer and store personal information outside of the province. If you wish to make your request directly to us, please provide the name of our business customer on whose behalf we process your personal information, and we may refer your request to that business customer. We will assist our business customers in responding to your request.

Governance Policies and Practices

We are committed to protecting personal information and have implemented policies and practices that govern our treatment of personal information, including:

  • policies and procedures regarding the protection, retention and disposition of personal information, including with respect to the implementation of security safeguards designed to protect personal information against loss or theft and unauthorized access, disclosure, copying, use, and modification;
  • a framework that sets out roles and responsibilities of our personnel in connection with the handling of information in our possession and control;
  • a Trust Center with information about the security and privacy of our Business, including our compliance with relevant audit standards and security frameworks;
  • processes for responding to data subject requests and complaints in a timely and effective manner; and
  • employee data protection training and awareness.

Contact Information

If you have any questions or comments about this Privacy Policy or the manner in which we or our service providers (including our service providers outside Canada) treat your personal information, to withdraw your consent, or to request access to or correction of your personal information, please submit a request through our Privacy Center.