BX Privacy Statement

Download the PDF Version

1. Introduction

Bottomline R&D B.V. (hereafter “Bottomline”) values your privacy. The purpose of this BX Privacy Statement is to inform you of how we process your personal data in relation to our provision of and/or your use of the BX Service (the provision of a logistics cloud platform for inventory routing optimization).

Where we, Bottomline, process your personal data for our own purposes, we are responsible for the lawful, fair, and transparent processing of your personal data. The purpose of this BX Privacy Statement is to be transparent on this processing.

Please be aware that where we process your personal data to provide the BX Service, your employer or business relation in whose interest you use the BX Service, is responsible for the processing of your personal data. For these purposes, Bottomline is merely facilitating the processing as ordered by your employer or business relation. For example if your name or contact details are entered in BX to create a user account, or to be contacted by other users in a logistics supply chain or to receive support from an expert user, your employer or business relation is responsible. For these processing activities your employer or business relation is the “controller”, with Bottomline acting as its “processor”. This Privacy Statement does not apply to the processing of your personal data for which your employer or business relation is the controller.

As we are a company that is established in the Netherlands, we process your data in accordance with the privacy laws that apply in the Netherlands, including the General Data Protection Regulation (“GDPR”).

Bottomline may change this BX Privacy Statement from time to time, in order to be compliant with the applicable privacy laws or if changes are made to the processing of personal data. 

2. Processing activities, purposes and personal data categories

We collect your data solely for the purposes set out in this section 2.

Our processing activities include the storage and retrieval of your personal data. The personal data processed by us are your name, job title, business contact details (email address(es), phone number(s), login details (usernames and passwords)), use requests, support tickets, communication (emails, chats), information on your use of the BX Service (e.g. time stamps), and, if you are a truck driver, the license plate number of the truck you drive and the location of that truck during the trip(s) planned in BX.

The purposes of these processing activities are: (a) the execution of regular business processes, such as preparing business proposals, processing orders of customers and resellers, sending invoices and payment reminders, sales/relationship management; and (b) to account for the provision of the BX Service to the customer that has purchased the relevant subscription to the BX Service; and (c) to monitor the use by that customer of the BX Service; and (d) to monitor your and other users’ compliance with the BX Terms of Use (including the reconstruction, via audit trails, of any data you enter in BX or changes you make to such data.

3. Legal basis of the processing activities

EU privacy laws permit the processing of personal data only if the party responsible for the processing can rely on a legal basis.

The legal basis for our processing activities is “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”, Bottomline’s legitimate interest is to be able to execute its business processes, to account for the provision of the BX Service, to monitor the use of the BX Service and to keep the BX Service secure for all of its customers. The legal basis for personal data transfers is consent, please see section 5.

4. Recipients of personal data

To the extent necessary for the purposes, stated under section 2, we may share your personal data with our resellers, suppliers and your employer or business relation.

Your personal data are also shared with our processors, to the extent that their access is necessary for the execution of their services. Processors are the third-party IT suppliers who perform processing activities on behalf of us and on our instruction. Such processing activities involve storage and transmission of personal data. We have entered into data processing agreements with our processors and have assessed and periodically re-evaluate the technical and organizational security measures they have taken to protect your personal data against loss or unauthorized access.

5. Data transfers

Your personal data are stored on servers located in the Netherlands or other EEA member states . However, as we are a company operating globally, our customers and their business relations may use the BX Service in a “third country” (a country outside the EEA that cannot rely on an adequacy decision of the EC). By agreeing to this Privacy Statement you explicitly consent to such data transfers. You may withdraw your consent at any time, but this will mean that you can no longer use the BX Service in a third country.

6. Retention period

The personal data that we process are stored no longer than necessary for the purposes described under section 2, unless and to the extent a longer period is prescribed by law. In practice this means that your personal data are stored for a maximum of 7 years from the year in which your personal data were collected. If, within such 7-year period, a legal dispute between us and you, your employer or business relation arises, your data may be retained until the dispute is resolved.

7. Your rights

We take the security of your personal data serious. We have implemented adequate organizational, physical and technical security measures to protect your personal data against loss or unauthorized access. We have implemented technical measures to respond to threats to the BX Service, both on a cloud and authentication and authorization level. On an application level, mitigating measures against OWASP top 10 threats have been taken. We use a hosting provider that is ISO27001 certified, and we have backup and restore measures in place. Specific information on security measures can be obtained by contacting us at privacy@bottomline.eu.

8. Your rights

The GDPR grants everyone whose personal data are processed (“data subjects”) certain rights regarding the processing of their personal data. In this section 8, we briefly explain these rights to you.

Right to information
The right to information means that we must let you know, on you request, which personal data we process of you.

Right to rectification
The right to rectification means that when the personal data we process of you are incorrect, we must rectify them on your request.

Right to erasure
The right to erasure means that you can request us to erase your personal data if we do not have an ‘overriding legitimate ground’ to continue the processing.

Right to restriction
The right to restriction means that you can request us to suspend the processing of your data when you:
believe that the personal data we process of you are incorrect or that the processing is unlawful or unnecessary; or
object to the processing (see hereafter).

This means that we can only – apart from a few exceptions – store  your data (also without your consent) until it is clear whether your opinion is correct.

Right to object
The right to object means that you can, at any time, object to the processing activities based on “legitimate interest”. We will then discontinue the processing unless we have an overriding legitimate ground to deny your request.

Right to data portability
The right to data portability means that you can request us, to make the personal data that you entered in BX available to you in a structured, commonly used and machine-readable format.

If you want to make one of the foregoing requests you can contact us at privacy@bottomline.eu. We will respond to your request as soon as possible. We will let you know what the possible consequences are if we grant your request (which may include that we cease providing the BX Service to you). If we believe that we have a valid reason to deny your request, we will inform you of that reason.

9. Questions, requests, and complaints

If you believe that Bottomline, by processing your personal data, acts in breach of the law, or if you have other questions regarding the processing and security of your data, please inform Bottomline’s support team via the communication channels notified in the BX Service. We will use our best efforts to address your question or complaint within 14 days. If we are not able to solve the matter with you, you can file a complaint with the Dutch Data Protection Authority (we refer to its website for more information: Autoriteit Persoonsgegevens