đź“Ł New IDC report on AP automation! Get your free copy >

Platform Agreement

Brex Privacy Policy

Revised May 8, 2023

Brex respects your privacy. While Brex’s Services are designed for use by business customers, we process some personal data when you use our Services, including when you apply to open a Brex Account. This Privacy Policy ("Policy") is meant to help you understand the types of Personal Information that we collect about you, how we use it, how we share it, your rights and choices, and how you can contact us about our privacy practices and your privacy rights. Please read this Policy carefully, as it applies when you use our Services or Products, visit our Website, or use the Brex mobile app. Capitalized terms that are not defined in this Policy have the definitions provided in the Platform Agreement.

Brex partners with a number of Service Partners and Third-Party Service Providers (collectively “Service Providers”) to provide you and your business with the best integrated spend management solution. Some of these Service Providers have their own privacy statements or policies; this Policy does not apply when you are linked to a service providing a different privacy policy or when the website, product, or service involved is operated by a company other than Brex.

As part of our services to our business customers and in receiving referrals for new potential customers, you or your business may provide Brex with information about individual employees or contacts at other businesses. Where you provide information about individuals, you agree that you have all rights and permissions necessary to provide such information to us. Where you provide us with information about your employees or other individuals connected with your business (such as owners or founders), please ensure that they are referred to this Policy for information about Brex’s collection and processing of their Personal Information.

If you have any questions about this policy or privacy at Brex, please reach out to us at privacy@brex.com or via any of the other methods identified in the “How to Contact Us” section below.

I. Who We Are and Some Other Definitions

A. Brex. This Policy applies to Brex Inc. and its affiliates, including, without limitation, Brex Treasury LLC and Brex Payments LLC (collectively, “Brex”, “we”, “our”, and “us”). Brex Treasury LLC and Brex Payments LLC are involved in providing the Brex Cash product.

B. Personal Information. “Personal Information” is any information that identifies, relates to, or reasonably could be linked to or associated with a particular person.

C. Services. “Services” means the financial products, technology, expense management, cash management, payment services, integrations with Third-Party Services, and all other services provided by Brex, including those available through your Brex Account).

II. What Personal Information We Collect About You and Where It Comes From

A. Information Brex Collects from You

We collect and process Personal Information through our Services when you interact with Brex. The data we collect from you varies depending on what specific Services you and your company use. In some cases you actively provide us with the information and in others, Brex collects the information automatically. Brex collects personal information from you when you directly interact with Brex in the following ways:

  • Filling out an application and creating a Brex Account
  • Making a purchase using a physical or virtual Brex Card
  • Using Brex business accounts (investing in securities)
  • Making or receiving payments (such as sending or receiving funds via ACH, wire, or check)
  • Uploading a receipt or making a memo for a Brex Card transaction
  • Signing in to access your Brex Account
  • Browsing the platform or our website
  • Using our iOS or Android mobile apps
  • Using or redeeming cash back rewards, such as cash back applied toward future statement balances
  • Using or redeeming partner rewards, such as discounts on partner products and services
  • Using integrations to connect your Brex Account to third party services
  • Connecting accounts to your Brex Account
  • Using Brex Travel or Brex Rewards
  • Calling, chatting, contacting, or interacting with Brex (such as with our Customer Experience or Sales, or texting us a copy of a receipt, or clicking through our advertising)
  • Reading emails from Brex
  • Attending a Brex event (offline or online) or webinar
  • Engaging in our affiliate referral program
  • Entering a Brex sweepstakes, contest, or promotion

Brex may collect the following categories of Personal Information from you when you interact with or use our Services.

  • Contact Data, such as your name, business email, phone number and address.
  • Professional Data, including your title or role on your team.
  • Account Credentials, including your password (hashed) and information for authentication and account access.
  • Identity Data, such as your date of birth, Tax Identification Number (TIN) or your Social Security Number (SSN) and copies of your passport, driver’s license, or other national ID and any information captured on such ID (such as facial images/ photographs) or through our ID verification process (including the ID verification results).
  • Financial Data, including your bank account information, routing and account numbers for reimbursements, transaction history, and related information, and your Brex account data.
  • Transaction Data, including information associated with use of your Brex Card and transactions such as wire transfers and ACH payments made via a Brex business account. This also includes information to process your receipts, such as photos and text messages with associated metadata.
  • Company Data, any Personal Information submitted to us related to a company when that company applied for or maintained a Brex Account. This could include information about the individuals involved in that company's leadership and ownership.
  • Communications and Online Content, including content within any messages you send to us (such as when contacting support or asking a question). We also collect content within any messages you exchange with other users through the Products (such as when you submit a request through the Platform to the Brex Account administrator to make a transaction or to increase a spending limit on a Brex Card).
  • Travel Data, such as airline and hotel booking information and itinerary information in connection with any travel arrangements you make via Brex travel and any information we receive if you book travel using a Brex card. This potentially includes imprecise location data, such as when your itinerary indicates you are scheduled to be in a location. When you make a booking using Brex Travel your information is processed by a Service Provider and that information is also shared by that Service Provider with Brex. Please refer to our Service Provider’s privacy policy for information about their privacy practices.
  • Marketing Data, such as your contact preferences and webinar /event registration, attendance and participation information.
  • Referral Data, including information you provide about any potential referrals as part of our affiliate referral program, such as their name, email address, and phone number.
  • Service Use Data, Device Data and Location Data via Tracking Technologies. When you access or interact with our Platform or use any of our mobile apps, Brex uses several types of activity tracking tools to collect data about how and when you interact with our web pages and mobile application; the type of device, browser, and operating software you use; your IP address and other device event information; and imprecise location data that can be derived from this information (such as location that can be identified from your IP address). Unless these technologies have been disabled by a user, Brex automatically collects this data through the following types of tracking technologies:
  • Log Files record events that occur in connection with your use of the Services.
  • Cookies are small data files stored on your device that allow us to uniquely identify your browser. We use two types of cookies: session cookies and persistent cookies.
    • Session cookies support website navigation and expire when you close your browser
    • Persistent cookies allow us to identify your unique device across different sessions. Persistent cookies may remain on your device for extended periods of time, and generally may be controlled through your browser settings.
  • Pixels (also known as web beacons) are code embedded in a website, email, or advertisement that sends information about your usage to a server. Pixels are used in combination with cookies to allow Brex to track a particular browser’s online activity, like what communications or pages you viewed.
  • Device Fingerprinting is the process of combining and analyzing data elements from your device's browser to uniquely identify your browser and device.

For further information about the cookies we use, why we use them, and how you can control and in some cases, disable, cookies and other tracking technology in connection with our Website, please see our Cookie Preferences setting under Resources and our Brex Cookie Notice. If you have access to a Brex Dashboard, this information is also available in the Cookie Preferences section of your Settings.

B. Information Brex Collects from Other Sources

1. Personal Information Collected from Third Parties

Brex may also collect information about you from other sources. The paragraphs below describe the categories of third parties Brex collects Personal Information from and what categories of data we collect from them. The information categories referenced in the paragraphs below have the same description as provided in Section II.A of this Policy.

  • Category of Third Party: Brex Account Holders
    • Personal Information Category Collected: Contact, Identity, Professional, Company
    • When Data is Collected:
      • When a business applies for or adds you as an authorized user, administrator, manager, controlling officer, or beneficial owner of a Brex Account
      • When a referral partner provides us with information about you as a representative of a potential customer
  • Category of Third Party: Financial Institutions (including banks and money transmitters), Card Network Providers, Payment Processors, Card Issuers
    • Personal Information Category Collected: Contact, Financial, Transaction
    • When Data is Collected: These entities are Brex’s partners in processing your Brex Card and providing you and your business with Brex Account services such as reimbursement
  • Category of Third Party: Merchants and Receipt Information Aggregating Services
    • Personal Information Category Collected: Contact, Financial, Transaction, Location Information
    • When Data is Collected: Brex collects information about your financial transactions, including information regarding the location of and other details purchases and receipt information for transactions
  • Category of Third Party: Identity Verification Services;  Financial Information Providers; Fraud and Financial Crime Monitoring, Prevention, and Detection Service Providers
    • Personal Information Category Collected: Contact, Identity, Professional, Financial, Transaction, Service Use Data, Device Data, Location Data, Company, Travel
    • When Data is Collected: When Brex is confirming your identity; onboarding or maintaining information for an account you are an administrator, authorized user, or other responsible part for; or managing fraud, financial crime, or other legal risks
  • Category of Third Party: Third Party Integrations and Service Providers: Banks and other depository institutions
    • Personal Information Category Collected: Contact, Account Credentials, Identity, Financial, Transaction, Company
    • When Data is Collected: When you link your Brex Account with your personal bank account. Brex does not store non-Brex financial account credentials on Brex systems
  • Category of Third Party: Third Party Integrations and Service Providers: Accounting and Expense Providers
    • Personal Information Category Collected: Contact, Professional, Company, Financial, Transaction
    • When Data is Collected: When you or your company connect your Brex Account to a third party accounting or expense provider
  • Category of Third Party: Third Party Integrations and Service Providers: Travel Services
    • Personal Information Category Collected: Contact, Identifiers, Financial, Transaction, Travel, Rewards
    • When Data is Collected: When we create your Brex user account and when you book travel through Brex Travel, we process information from our travel partners about your travel plans and any rewards balances or redemptions involved
  • Category of Third Party: Other Service Providers
    • Personal Information Category Collected: Contact, Identity, Financial, Transaction, Travel, Rewards, Company, Professional
    • When Data is Collected: When Brex receives information back from other categories of Service Providers while providing you with our Services
  • Category of Third Party: Social Networks and Online Advertising
    • Personal Information Category Collected: Contact, Professional, Marketing
    • When Data is Collected: When Brex uses these providers to serve or assist in serving our advertisements
  • Category of Third Party: Joint Marketing, Business Partnership, Referrals, and Rewards Partners
    • Personal Information Category Collected: Contact, Professional, Marketing, Referrals, Rewards, and data regarding your relationship with these partners
    • When Data is Collected: When Brex engages in joint marketing activities and our referral and rewards programs with these partners, as well as when we acquire information about your and your relationship to these partners
  • Category of Third Party: Publicly-available sources (including the media and public domain)
    • Personal Information Category Collected: Contact, Professional, Company, Online Content
    • When Data is Collected: When Brex is identifying potential customers and partners or conducting due diligence or other risk management activities for existing and potential customers

2. Personal information related to administrators, employees, company owners, and authorized persons or representatives

In some circumstances, Brex requires our business customers and their representatives to provide us with Personal Information relating to another person (such as providing us with Personal Information about the owners of your business during the application process or providing us with Personal Information about employees). If you are providing Brex with information about other individuals, do not provide us with any Personal Information unless you have informed these individuals that their information is being transferred to a third party for card and spend management purposes or a similarly appropriate category of third party or you are sure the disclosure of the Personal Information is otherwise permitted by law or contract. You must inform all other persons whose information you share with us how we collect and process Personal Information and all other terms of this Policy.

III. How Brex Processes and Stores Personal Information

A. How Brex Processes Personal Information

Brex processes Personal Information to provide its customers with a reliable, secure, and loved solution for spend management and corporate cards. That requires us to process Personal Information for a number of purposes, as described below:

  • Providing Brex Services. We use all of the categories of Personal Information we collect to provide Brex’s Services. Personal information may be used as part of the data analytics processes that enable our Services.
  • Improving and developing the Services. We use all of the categories of Personal Information Brex collects other than identity data to understand how you use our Services, and to improve them. We also use the information to analyze trends and performance to identify future opportunities for the development, promotion, and improvement of our Services. We use analytics services, such as Google Analytics, to help us understand how users access and use our Services.
  • Securing the Services and Fraud Detection. We process and analyze all categories of Personal Information Brex collects for the purposes of maintaining the safety and security of our systems, websites, Services, including identifying and troubleshooting any problem with the Brex Products or Services, investigating suspicious activity, detecting potentially fraudulent or unauthorized transactions, enforcing our terms and policies, and in protecting the rights of Brex, our customers, and those we all do business with.
  • Providing Customer Support. We process all categories of Personal Information Brex collects to troubleshoot and diagnose problems with our Services, and provide other customer care and support services, including to help us support, improve, and secure the quality of our Services, to investigate security incidents, and provide appropriate training to Brex staff. We use automated chat capabilities where you may be interacting with a bot rather than a person for appropriate questions.
  • Sending administrative communications. We may use your Contact, Professional, Travel, and Transaction information to send you information related to our Product and Services such as confirmations, invoices, technical notices, service updates and security feeds, security alerts, and support, onboarding, and administrative messages.
  • Sending marketing communications and placing advertising, including marketing analytics. We use your Contact, Professional, Travel, Transaction, and Marketing information we collect to advertise and promote Brex Services by phone, text, email, or chat, and additional products and services from our partner companies, according to your marketing preferences. We also use Service Use Data, Device Data and Location Data to place and deliver advertisements to you.

In addition, we may work with agencies, advertisers, ad networks and other technology services to place advertisements on our behalf on other websites and services. For example, we may place ads through advertising and social media firms that you may view on their platforms as well as on other websites and services. As part of this process, we (or these third parties) may incorporate tracking technologies into our own Website and emails or other communications as well as into our ads displayed on other websites and services. Some of these tracking technologies may track your activities across time and services for purposes of associating the different devices you use, and delivering relevant ads and/or other content to you ("Interest-based Advertising").

While you may disable some tracking technologies in your browser settings by blocking cookies in your browser, using global privacy controls, or using other privacy settings on your device or browser, you may still receive non-targeted advertisements we send as part of a general marketing campaign. For further information on the types of tracking technologies we use on the Services and your rights and choices regarding analytics and Interest-based Advertising, please see the "Information Brex Collects from You" and "Your Rights and Choices" sections.

  • Complying with legal obligations, defending legal claims, and preventing and detecting crime and misuse of Brex Services. We may process all categories of Personal Information Brex collects to fulfill Brex’s legal and regulatory rights and obligations, including in the following situations:
    • when cooperating with public and government authorities, courts or regulators in accordance with applicable laws;
    • to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;
    • to protect Brex’s legal rights, pursue remedies available to us, and limit our damages;
    • to protect against misuse or abuse of our Services;
    • to protect personal or public property or safety;
    • to comply with judicial proceedings, court orders or legal processes; or
    • to respond to lawful requests.

When complying with court orders and other similar legal processes, Brex strives for transparency. We will make reasonable efforts to notify our customers and users of any disclosure of their Personal Information, unless we are prohibited by law or court order, or exigent circumstances prevent us from doing so.

  • For our business purposes. We may use information for other legitimate business purposes, such as developing new Services; enhancing, improving or modifying our Services; mitigating financial loss, claims, liability, and other harms to our users, Brex, our partners, or third parties.
  • With Notice to You and Your Consent. We may otherwise process Personal Information after providing notice to you and obtaining your consent. You may opt out of or refuse your consent for this processing; please see the “Your Rights and Choices” section below for how to do so.

B. Anonymized and aggregated data. To improve and market our Services, better target advertisements, and for other promotional purposes, Brex may transform Personal Information into de-identified information removing or masking information that could be used to identify you and by aggregating or combining de-identified data with other information.

C. Transfers of your Personal Information between Brex affiliates

When you sign up for Brex business accounts, information related to and collected as a result of your use of that product will be collected by Brex Treasury LLC. Information directly related to your use of Brex business accounts, as highlighted above, is controlled by Brex Treasury LLC, and may be shared with Brex Inc and Brex Payments LLC to provide you with Brex Services including managing your Brex business account. All other Personal Information, including information related to your Brex Account, is controlled by Brex Inc.

To provide you with a seamless experience, Brex Inc. Brex Treasury LLC, and Brex Payments LLC share information to support all of Brex’s processing purposes.

D. For EEA and UK residents: Legal basis for processing

The General Data Protection Regulation (GDPR) in Europe requires a "lawful basis" for processing personal data. Our lawful basis includes where: (a) you have given consent to the processing for one or more specific purposes, either to us or to our Service Providers, partners, or business customers; (b) processing is necessary for the performance of a contract with our customers; (c) processing is necessary for compliance with a legal obligation; or (d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party, and your interests and fundamental rights and freedoms do not override those interests.

The legal basis for Brex’s different Personal Information processes is as follows:

  • Process: Providing Brex Services
    • Legal Basis:
      • Brex’s legitimate business interest in providing our business customers with Services; and
      • Brex’s customer’s legitimate interests in managing their business expenses, providing appropriate business spending capabilities, and overseeing how corporate funds are used by employees.
  • Process: Improving and developing the Services
    • Legal Basis:
      • Brex’s legitimate business interests in developing, promoting and improving our Services and identifying future business opportunities; and
      • In some cases, your consent to providing Brex with feedback and data.
  • Process: Securing the Services and Fraud Detection
    • Legal Basis:
      • Brex’s legitimate interest in ensuring the safety and security of our Services and our interest in protecting Brex’s rights and the rights of our customers, including avoiding being the victims of or involved in crime.
  • Process: Providing Customer Support
    • Legal Basis:
      • Brex’s legitimate interest in providing our users and business customers’ authorized representatives with customer care and assistance, identifying and investigating security and technical incidents, and providing, improving, and securing our Services, as well as our staff’s knowledge and training.
  • Process: Sending administrative communications
    • Legal Basis:
      • Brex’s legitimate interests in administering and securing our Services; and
      • In some cases, compliance with Brex’s regulatory obligations.
  • Process: Sending marketing communications and placing advertising, including marketing analytics
    • Legal Basis:
      • Brex’s legitimate interest in marketing its Services to appropriate groups; and
      • In some cases, in reliance on your consent to receive marketing materials or have your information used in analyses.
  • Process: Complying with legal obligations, defending legal claims, and preventing and detecting crime and misuse of Brex Services
    • Legal Basis:
      • Compliance with Brex’s legal and regulatory obligations; and
      • In furtherance of Brex’s legitimate interests in protecting against the misuse or abuse of our Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.
  • Process: For Brex’s business purposes
    • Legal Basis:
      • In reliance on Brex’s legitimate interests for pursuing legitimate business purposes.
  • Process: With Notice to You and Your Consent
    • Legal Basis:
      • In reliance on your consent.

IV. How Brex Discloses Personal Information to Other Parties

A. Brex’s Disclosures of Personal Information to Third Parties

Brex discloses Personal Information for several business purposes. Brex discloses the following data categories for the following purposes:

  • Business Purpose: Making a payment
    • Data Categories Disclosed: Contact, Financial
    • Category of Recipient: Person or merchant being paid
  • Business Purpose: Providing contracted Services to Business Customer
    • Data Categories Disclosed: Contact, Financial, Transaction, Travel, and Communications
    • Category of Recipient: The Brex account holder that has made you an authorized user, administrator, or otherwise provided your personal information in connection to a Brex Account
  • Business Purpose: Providing Brex Services and determining eligibility or interest in additional Services
    • Data Categories Disclosed: All categories collected
    • Category of Recipient: Other Brex affiliates
  • Business Purpose: Providing and securing Brex Services, complying with our regulatory obligations, data analytics, data hosting, and technical support
    • Data Categories Disclosed: All categories collected
    • Category of Recipient: Service Providers operating and providing services and staff augmentation on Brex’s behalf
  • Business Purpose: Advertising and Marketing Analytics
    • Data Categories Disclosed: Contact, Marketing, Service Use, Device, Location
    • Category of Recipient: Advertising agencies, advertisers, ad networks, technology Service Providers
  • Business Purpose: Issuing cards
    • Data Categories Disclosed: Contact, Financial, Transaction, Identity
    • Category of Recipient: Credit card issuing banks
  • Business Purpose: Providing credit card networks
  • Business Purpose: Processing Brex Cash transactions and managing Brex Cash funds
    • Data Categories Disclosed: Contact, Financial, Transaction, Identity
    • Category of Recipient: Financial institutions, financial services providers
  • Business Purpose: Credit reporting
    • Data Categories Disclosed: Contact, Financial, Transaction
    • Category of Recipient: Credit reporting agencies
  • Business Purpose: Managing referral partnerships
    • Data Categories Disclosed: Contact, Financial, Transaction, Company
    • Category of Recipient: Referral partners
  • Business Purpose: Accounting and expense integrations
    • Data Categories Disclosed: Contact, Financial, Transaction, Company, Travel
    • Category of Recipient: Third party accounting and expense management services
  • Business Purpose: Travel integration partners
    • Data Categories Disclosed: Contact, Financial, Transaction, Company, Travel
    • Category of Recipient: Travel management partners
      • When you make a booking using Brex Travel, your information is processed by a Service Provider. Please refer to our Service Provider’s privacy policy for information about their privacy practices.

B. Restrictions on Service Provider’s Use of Your Personal Information

Brex may transfer your Personal Information to our Service Providers. Brex contractually prohibits our Service Providers from retaining, using, or disclosing information about you for any purpose other than performing the services for us and fulfilling their own regulatory and legal obligations, although we may permit them to use information that does not identify you (including information that has been aggregated or de-identified) for other purposes except as prohibited by applicable law or contractual obligation.

C. Transfers authorized by you, by the Brex Account holder, or authorized representatives

Brex enhances its Services by integrating with products and services provided by other companies. As identified in section A above, Brex currently has integrations that transfer Personal Information to provide accounting, expense management, and travel services. For these integrations to work, we may need to provide your Personal Information to these companies. Information we transfer to these companies will be used and disclosed according to that company’s privacy policy and subject to appropriate contracts with our partners. You should review the privacy policy of any company that has access to your Personal Information related to the integration with your Brex Account. Brex’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including any limited use requirements.

D. Data transfers in corporate transactions

In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Information and data we process from you may become part of the assets we transfer or share in preparation for any such transaction. Any acquirer or successor of Brex may continue to process Personal Information consistent with this Policy.

E. Compliance and compelled disclosures

We may disclose or transfer Personal Information in the following circumstances:

  • To comply with applicable law, regulation or payment network rules;
  • To enforce our contractual rights or comply with contractual obligations;
  • To protect the rights, privacy, safety and property of Brex, you, our customers, our business partners, or others; or
  • To respond to requests from auditors, courts, law enforcement agencies, regulators, and other public and government authorities, which may include authorities outside your country of residence. When complying with court orders and other similar legal processes, Brex strives for transparency. We will make reasonable efforts to notify our customers and users of any disclosure of their Personal Information, unless we are prohibited by law, court order, or exigent circumstances prevent us from doing so.

F. For California residents: No sale or sharing of Personal Information

Brex does not sell or allow our Service Providers to process your Personal Information for their own use without your consent, unless the processing of that information is either required by law or we determine that disclosure is reasonably necessary to enforce our rights, protect our property or operations, or enforce the rights and protect the property or operations of our business partners and customers. As part of our arrangements with Service Providers, Brex may receive your Personal Information from and transfer your Personal Information to our Service Providers as part of providing our Services and Products, but these transfers are conducted under contracts that protect your data from additional uses and are not considered a sale pursuant to California law. Brex also does not share Personal Information for cross-contextual behavioral advertising as defined in the California Privacy Rights Act.

Brex has not sold or shared Personal Information for cross-context behavioral advertising for the last 12 months.

V. How Brex stores and protects Personal Information

A. How long Brex retains Personal Information and when we delete it

Brex collects and retains Personal Information to provide our Services. We retain that information for as long as we have a business or operational reason to retain that information, or where we have a legal or regulatory obligation to continue to retain that Personal Information after it has served its business or operational purpose. Brex deletes or de-identifies Personal Information when we no longer are required to or have a reasonable business purpose to retain it.

Brex’s legal retention obligations may require us to retain your Personal Information after you are no longer an authorized user of a Brex account or after your Brex account has closed. These retention obligations also prohibit us in some cases from deleting certain Personal Information after you have asked us to delete your data under the data privacy and data rights laws in different jurisdictions. Brex retains data where it is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements or where deleting it prevents us from billing for our Services, calculating taxes, conducting required audits, or carrying out other legitimate business functions.

Please see the “Your Rights and Choices” section and the sections detailing the rights you may have under the laws of your location below for more information.

B. Where Brex stores Personal Information and international data transfers

As we strive to serve our customers everywhere in the world they operate, Brex may process and store Personal Information for the purposes described in this Policy in the United States or any other country in which Brex, its subsidiaries, affiliates, or Service Providers operate. These countries may have data privacy or protection laws that are different to the laws of your country and may not be as protective. Brex takes measures to comply with applicable data privacy laws when we transfer Personal Information internationally.

For Personal Information transferred from Europe or the United Kingdom, we will provide appropriate safeguards, such as use of the Standard Contractual Clauses approved by the European Commission, to protect your Personal Information.

C. Brex’s data security

Brex uses organizational, technical, and administrative measures to protect Personal Information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Information. The specific measures we use include encrypting your Personal Information in transit and at rest, device and identity verification processes, and idle lockouts. For more information about our security measures, please see https://www.brex.com/security.

Where you have created a username and unique password to enable you to access your Brex Account, or use our Services, it is your responsibility to keep this password secure and confidential.

Please contact us as set out in the "How to Contact Us" section below immediately if you believe that your Personal Information or any other confidential information that you have provided to us is no longer secure or has been lost or stolen.

VI. Additional Important Information About Your Personal Information

A. Brex Account users and administrators’ access and authorities

Brex Services are intended for use only by companies, and you may only use a Brex Account or Card if you are an employee or other authorized representative of a company that has opened a Brex Account. The information in your Brex Account is governed by our agreements with the applicable business customer. You may access, update, or delete certain information within your Brex Account through the Platform, provided that the business customer’s administrator is responsible for determining how that data is processed. The business customer's administrator is responsible for your Brex Account and any Brex Cards associated with the business customer. The administrator can also access information about you via their own access to Brex’s Services, access and retain information we have stored on its behalf, and limit your ability to edit, modify, delete, or use information associated with your use of the Services.

However, losing authorized access to a company’s Brex Account does not deprive you of rights you may have under the data privacy or other data rights laws in your jurisdiction. Please see the “Your Rights and Choices” section and the sections detailing the rights you may have under the laws of your location below for more information.

B. Closure of a Brex Account

Closure or deletion of your company’s Brex Account will mean that the business customer will permanently lose access to the Personal Information and data associated with the Brex Account. Personal information or de-identified information associated with your company’s Brex Account may nonetheless remain on systems owned or maintained by Brex where required to comply with the law, our contractual obligations, or carrying out legitimate business functions.

Where Brex retains Personal Information after an account has closed, individuals may have the right to access, delete, or assert other rights under the laws of their jurisdiction.

C. For EEA and UK residents: Brex’s role as a data controller and processor

Data protection laws in Europe distinguish between organizations that process personal data for their own purposes (known as "controllers") and organizations that process personal data on behalf of other organizations (known as "processors"). Brex acts as a controller with respect to personal data collected as you interact with and use our Services. For the Products, Brex acts as a processor when we act on the instructions of or on behalf of a business customer, and as a controller when Brex is deciding how to process your data directly. For example, when your data is being processed for your business’s financial planning, Brex is acting as a processor, but when Brex is processing data to comply with its regulatory obligations, like the requirements to detect and prevent financial crime, it is acting as a controller. This Policy describes the processing undertaken by Brex as a controller.

Where Brex is a controller you can contact us using the details in the "How to Contact Us" section. Any questions that you have relating to the processing of personal data by Brex as a processor should be directed to the relevant business customer.

VII. Your Rights and Choices

A. Your Choices with Brex

1. Electronic Communications

  • Emails. You may choose not to receive promotional emails from us by following the unsubscribe/opt-out instructions in those emails at any time. Please note that you cannot opt-out of non-promotional messages, such as those about your Brex account, transaction information about our Services (such such as updates to our platform agreement, privacy notices, security alerts, and other notices relating to your access to or use of our Services) or our ongoing business relationship.
  • Text, SMS, or WhatsApp Messages. If you have opted in to receiving text, SMS, or WhatsApp messages related to your use of the Products or Services, you can opt-out at any time by texting "STOP" to the short code. After you send the SMS or WhatsApp message "STOP" to us, we will send you an SMS or WhatsApp message to confirm that you have been unsubscribed. After this, you will no longer receive SMS or WhatsApp messages from us.

Please note that your opt out is limited to the email address or phone number used and will not affect subsequent subscriptions.

2. California Resident Rights and Choices

If you are a California resident, you have certain rights over the information that we have about you. You can:

  • Delete any Personal Information we have collected from you when we do not have legal or contractual obligations to keep the information or a need for the information to carry out a legitimate business function.
  • Opt out of the sale of your Personal Information and opt out of having your personal data shared for the purpose of cross-context behavioral advertising. As discussed above, Brex does not sell your Personal Information nor share it for these purposes.
  • To request that Brex corrects any inaccurate Personal Information Brex holds about you.
  • To request that Brex limit the use and disclosure of your sensitive Personal Information to uses that are necessary to provide our Services and to the uses defined in California law or regulation (defined in the California Civil Code, Section 1798.121).
  • Request that Brex provide you with any or all of the following regarding Brex’s data processing for the 12 months preceding the request:
    • The categories of information Brex has collected about you;
    • The categories of sources from which the Personal Information is collected;
    • The business or commercial purpose for collecting Personal Information;
    • The categories of third parties to whom Brex discloses Personal Information; and/or
    • A copy of the specific pieces of information Brex has collected about you.
  • Appoint an authorized agent to act on your rights on your behalf. Brex will require appropriate proof of the agent’s authority to make these requests and will need to verify your identity directly.

Brex will not discriminate against you for any use of your privacy rights.

To exercise any of these rights, you may make a request on Brex’s Privacy Request Portal or by emailing us at privacy@brex.com. You can also reach out to our Customer Experience team by phone at +1 833 228 2044. Brex will confirm receipt of your request and provide you with information about our processes for acting on your request, including when you can expect a response, within 10 business days. We will need to verify your identity to ensure the security of your Personal Information before providing you with any Personal Information.

If you are currently a Brex user, you may correct any Personal Information we have about you either in your settings, by contacting your Brex Account administrator, or by using the contact details above in addition to requesting correction through our Privacy Request Portal.

3. European and United Kingdom Rights

You have the following rights regarding the Personal Information we collect and use about you:

  • You may access, correct, update or request deletion of your Personal Information.
  • You can object to processing of your Personal Information, ask us to restrict processing of your Personal Information, and request we transfer your Personal Information to a third party.
  • You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us via the Privacy Portal or at privacy@brex.com.
  • If we have collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a supervisory authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority.

To exercise any of these rights, please contact us either through Brex’s Privacy Request Portal or at privacy@brex.com. We will respond to your request within 30 days. We may require specific information from you to help us confirm your identity and process your request.

If Personal Information about you has been processed by us as a processor on behalf of a business customer and you wish to exercise any rights you have with such personal data, please inquire with our customer directly. If you wish to make your request directly to us, please provide the name of the customer on whose behalf we processed your personal data. We will refer your request to that third party, and will support them to the extent required by applicable law in responding to your request. Read more about how Brex operates as both a controller and processor in the section "Brex’s role as a data controller and processor" above.

Please note that we retain information as necessary to fulfill the purposes for which it was collected, and may continue to retain and use your Personal Information, even after a data subject request, for purposes of our legitimate interests and to comply with our legal obligations, including where needed to resolve disputes, prevent fraud and financial crime, and enforce our agreements as well as to comply with statutory retention obligations.

4. Residents of other locations

If you reside in a US state or territory other than California or anywhere else in the world other than the European Economic Area or United Kingdom and would like more information about how Brex processes your Personal Information or have questions about your rights under this Policy, please submit your request on Brex’s Privacy Portal or to privacy@brex.com.

B. Your Choices with Google Analytics and Interest-Based Advertising Providers

1. Google Analytics

Brex uses Google Analytics to better understand how users interact with our websites and advertising. Google provides tools to allow you to opt out of the use of certain information collected by Google Analytics at https://tools.google.com/dlpage/gaoptout and by Google Analytics for Display Advertising or the Google Display Network at https://www.google.com/settings/ads/onweb.

2. Interest-Based Advertising

The companies we work with to provide you with targeted ads in connection with the Services are required by us to give you the choice to opt out of receiving targeted ads. Most of these companies are participants of the Digital Advertising Alliance ("DAA") and/or the Network Advertising Initiative ("NAI"). To learn more about the targeted ads provided by these companies, and how to opt out of receiving certain targeted ads from them, please visit: (i) for website targeted ads from DAA participants, https://www.aboutads.info/choices; and (ii) for targeted ads from NAI participants, https://www.networkadvertising.org/choices. Opting out only means that the selected participants should no longer deliver certain targeted ads to you, but does not mean you will no longer receive any targeted content and/or ads (e.g., in connection with the participants' other customers or from other technology services).

Please note that if you opt out using any of the methods described for Google Analytics, DAA,or NAI, the opt out will only apply to the specific browser or device from which you opt out. We are not responsible for the effectiveness of, or compliance with, any opt out options or programs, or the accuracy of any other entities' statements regarding their opt out options or programs.

VIII. Updates to This Policy

We may update this Policy from time to time in response to changing legal, regulatory, technical or business developments. When we update this Policy, we will notify you of material changes, changes that limit any of the rights you have related to the manner in which we process your Personal Information, or that we are required to disclose by law, via a prominent notice on our website, login screen, your mobile app, or via email at least 30 days prior to the changes taking effect. We will obtain your consent to any material changes to this Policy if, and where, required by applicable data protection laws.

You can see when this Policy was last updated by checking the “Revised” date displayed at the top of this Privacy Notice.

IX. How to Contact Us

If you have concerns, questions, or would like to better understand our privacy practices at Brex, please contact us using the following details:

By email: privacy@brex.com

By mail:

Brex Inc.

Attn: Legal

50 W Broadway Ste 333

PMB 15548

Salt Lake City, Utah 84101-2027 USA

By phone to our Customer Experience team: +1 833 228 2044

X. Previous Privacy Policies

05.07.2020

09.19.2019

06.06.2018