Effective Date: October 11, 2022
This notice supplements the BILL Privacy Notice and applies to all Bill.com, LLC (“BILL”) websites, applications, products and services in the European Union (“EU”) and the United Kingdom (“UK”).
To comply with the requirements of the European General Data Protection Regulation (“GDPR”) for our EU and UK users, this Supplemental Privacy Notice (“Supplement”) outlines the legal bases on which we rely to process your personal information and provides other information required by the GDPR. The terms and conditions contained in this Supplement apply only to the personal information of EU and UK residents we may process.
BILL is the data controller. Our representative in the UK is:
Our representative in the EU is:
Legal Bases for Processing Your Information
BILL will only process your information where we have a legal basis to do so. The legal basis will depend on the reason(s) BILL collected and needs to use your personal information. We describe these legal bases and some accompanying examples in more detail below.
BILL processes certain personal information based on your consent, which you may revoke at any time. For example:
BILL processes your personal information as is necessary for the adequate performance of the contract with you. For example:
BILL processes your personal information where it is necessary for BILL’s or a third party’s legitimate interests. For example:
BILL processes your personal information to comply with our legal obligations. For example:
Transfers of Personal Information
To facilitate our global operations, BILL may transfer, store, and process your information within our corporate family, partners, and service providers, including in the United States and Canada. Laws in these countries may differ from the laws applicable to your country of residence. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in these other countries may be entitled to access your personal information.
Where your information is transferred outside the EEA, we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards, such as relying on a recognized legal adequacy mechanism, and that it is treated securely and in accordance with this Supplement and our Privacy Notice.
We will provide further information on the means to ensure an adequate level of data protection, such as a copy of the EU Model Clauses, on request. To request a copy, please contact us at EU or U.K. data representative.
How long we keep your personal information
The period for which we retain your information varies according to the use of that information. In some cases, there are legal requirements to keep certain data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain your information as long as is necessary to perform the Services, comply with our legal obligations, and as permitted by law.
You may have some of the following rights under applicable law. While some of these rights apply generally, certain rights apply only in certain limited cases. Please note that we may ask you to verify your identity and request before taking further action on your request. You can contact our EU or U.K. data representative to exercise any of the following rights.
Data access and portability
If you are unable to obtain the desired information by logging into your account, or if you are not currently a customer, you can request certain copies of your personal information held by us. In certain instances, you also have the right to request copies of personal information that you have provided to us in a structured, commonly used, and machine-readable format and/or request us to transmit this information to another service provider (where technically feasible).
If you are unable to delete the desired information by logging into your account, or if you are not currently a customer, you can request that we delete your personal information, subject to certain limitations and restrictions. Please note that if you request the erasure of your personal information:
If you are unable to correct the desired information by logging into your account, you can request that we correct inaccurate or incomplete personal information about you.
Restriction of processing
You can ask us to limit the ways in which we use your personal information.
Where the processing of your personal Information by us is based on consent, you have the right to withdraw that consent without detriment at any time. If you withdraw your consent to the use of your information for the purposes set out in this Supplement and the Privacy Notice, you may not have access to all (or any) of our Services and we might not be able to provide you all (or any) of the Services under this Supplement, Privacy Notice, and our Terms of Service. In certain cases, we may continue to process your information after you have withdrawn consent if we have a legal basis to do so.
If your request or concern is not satisfactorily resolved by us, you may lodge a complaint with our EU or UK representative or approach your local data protection authority.
If you would like to change your cookie settings, you may do so at any time by clicking here: