Effective Date: October 11, 2022
This notice supplements the BILL Privacy Notice and applies to all Bill.com, LLC (“BILL”) websites, applications, products and services in the European Union (“EU”) and the United Kingdom (“UK”).
To comply with the requirements of the European General Data Protection Regulation (“GDPR”) for our EU and UK users, this Supplemental Privacy Notice (“Supplement”) outlines the legal bases on which we rely to process your personal information and provides other information required by the GDPR. The terms and conditions contained in this Supplement apply only to the personal information of EU and UK residents we may process.
Identity of Controller and Representative
BILL is the data controller. Our representative in the UK is:
Bird & Bird GDPR Representative Services UK
12 New Fetter Lane
Our representative in the EU is:
Bird & Bird GDPR Representative Services Ireland
29 Earlsfort Terrace
Dublin 2 D02 AY28
Legal Bases for Processing Your Information
BILL will only process your information where we have a legal basis to do so. The legal basis will depend on the reason(s) BILL collected and needs to use your personal information. We describe these legal bases and some accompanying examples in more detail below.
BILL processes certain personal information based on your consent, which you may revoke at any time. For example:
We may send you promotional, marketing, and advertising messages and other information that may be of interest to you based on your preferences, where consent is necessary based on applicable law;
If you ask to link or integrate third party accounts to BILL, we may process information from those accounts, partners, and integrations;
If you decide to use location services in the context of BILL, we may collect and process such location information; and
BILL processes your personal information as is necessary for the adequate performance of the contract with you. For example:
We process your information to create and manage your account, process and receive payments, provide customer service, and send you messages, updates, security alerts, and account notifications;
We process your information to verify your identity so that we may provide the Services to you;
We transfer your information outside of the EU and the UK to the U.S. and Canada in order to provide the Services.
BILL processes your personal information where it is necessary for BILL’s or a third party’s legitimate interests. For example:
We process your information to keep the Services safe and secure, such as to implement and enhance security measures and protections, protect against a breach of the law or fraud, enforce or defend legal rights, claims, or obligations, and enforce our Terms of Service;
We process your information to undertake marketing activities and provide you with advertisements both on and off BILL, measure and analyze the effectiveness of our ads, and offer you products or services that may be of interest to you, in accordance with applicable law;
We process your information to provide and improve the Services and your experience with the Services, and to understand and improve our business; and
We share your information across the BILL family of companies to provide you with cohesive and seamless Services. For example, where the Services require the engagement of other BILL companies, we share your information with such affiliates to provide and improve the Services.
BILL processes your personal information to comply with our legal obligations. For example:
We may process, retain, and share your information if it is necessary to respond, based on applicable law, to a valid legal request;
We may process and retain your information for tax, legal reporting and auditing obligations; and
We may process, retain and share your information as is necessary to comply with the legal requirements to which we are subject, for example, anti-money laundering regulations.
Transfers of Personal Information
To facilitate our global operations, BILL may transfer, store, and process your information within our corporate family, partners, and service providers, including in the United States and Canada. Laws in these countries may differ from the laws applicable to your country of residence. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in these other countries may be entitled to access your personal information.
Where your information is transferred outside the EEA, we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards, such as relying on a recognized legal adequacy mechanism, and that it is treated securely and in accordance with this Supplement and our Privacy Notice.
We will provide further information on the means to ensure an adequate level of data protection, such as a copy of the EU Model Clauses, on request. To request a copy, please contact our EU or U.K. data representative.
How long we keep your personal information
The period for which we retain your information varies according to the use of that information. In some cases, there are legal requirements to keep certain data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain your information as long as is necessary to perform the Services, comply with our legal obligations, and as permitted by law.
You may have some of the following rights under applicable law. While some of these rights apply generally, certain rights apply only in certain limited cases. Please note that we may ask you to verify your identity and request before taking further action on your request. You can contact our EU or U.K. data representative to exercise any of the following rights.
Data access and portability
If you are unable to obtain the desired information by logging into your account, or if you are not currently a customer, you can request certain copies of your personal information held by us. In certain instances, you also have the right to request copies of personal information that you have provided to us in a structured, commonly used, and machine-readable format and/or request us to transmit this information to another service provider (where technically feasible).
If you are unable to delete the desired information by logging into your account, or if you are not currently a customer, you can request that we delete your personal information, subject to certain limitations and restrictions. Please note that if you request the erasure of your personal information:
We may retain and use your personal information as necessary for our legitimate business interests, such as prevention of money laundering, fraud detection and prevention, and enhancing safety;
We may retain and use your personal information to the extent necessary to comply with our legal obligations;
To the extent another party has received your personal information in the course of BILL providing Services to you, the other party may continue to retain your information; and
Copies of your personal information may not be removed from our backup systems for a period of time.
If you are unable to correct the desired information by logging into your account, you can request that we correct inaccurate or incomplete personal information about you.
Restriction of processing
You can ask us to limit the ways in which we use your personal information.
Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time. If you withdraw your consent to the use of your information for the purposes set out in this Supplement and the Privacy Notice, you may not have access to all (or any) of our Services and we might not be able to provide you all (or any) of the Services under this Supplement, Privacy Notice, and our Terms of Service. In certain cases, we may continue to process your information after you have withdrawn consent if we have a legal basis to do so.
If your request or concern is not satisfactorily resolved by us, you may lodge a complaint with our EU or UK representative or approach your local data protection authority.
If you would like to change your cookie settings, you may do so at any time by clicking here: