BX Privacy Statement

1. Introduction

As Bottomline (full legal name: Bottomline R&D B.V.) we value your privacy. The purpose of this BX Privacy Statement is to inform you as a user of BX of how we process your personal data. BX is a logistics cloud platform for inventory routing optimization, including mobile apps and BX APIs. Your employer, client or its business relation, our customer, has purchased a subscription to BX as it has an interest in the planning of transport of fuels or other goods. You are using BX because our customer requests you to work with BX.

Under the applicable privacy laws, the party that determines the purpose of the processing of personal data is responsible for that processing and must provide information to the person whose data are processed. This is the so-called “controller” of the processing. Both your employer or client and Bottomline have their own purposes for processing your data in BX. For example, your employer, client or its business relation requests or invites you to work with BX for the timely delivery of fuels or other goods, whereas we want to provide the software to correctly plan that delivery and monitor the use for your employer or client and for the stability and security of the whole platform. This Privacy Statement does not apply to the processing of your data for the purpose of your employer or client.

Where we are such ‘controller’ for the processing of your data, we are responsible for the lawful, fair, and transparent processing of your personal data. As we are a company that is established in the Netherlands, we process your data in accordance with the privacy laws that apply in the Netherlands, including the General Data Protection Regulation (“GDPR”).

We may change this BX Privacy Statement from time to time, in order to be compliant with the applicable privacy laws or if changes are made to the processing of personal data.

2. Processing activities, purposes and personal data categories

Where we act as a controller of the processing of your personal data, we process your data solely for the purposes set out in this section 2.

The personal data processed by us are your name, job title, business contact details (email address(es), phone number(s), login details (usernames and passwords)), use requests, support tickets, communication (emails, chats), information on your use of the BX Service (e.g. time stamps), and, if you are a truck driver, the license plate number of the truck you drive and the location of that truck during the trip(s) planned in BX. Our processing activities include the storage and retrieval of your personal data.

Our purposes for these processing activities are:

  • the execution of regular business processes, such as preparing business proposals, processing orders of customers and resellers, sending invoices and payment reminders, sales/relationship management; and
  • to account for the provision of the BX Service to our customer (e.g. providing the correct output data, the timely handling of support requests); and
  • to monitor the use by our customer of the BX Service (e.g. compliance with security obligations and license restrictions); and
  • to monitor your and other users’ compliance with the BX Terms of Use (including the reconstruction, via audit trails, of any data you enter in BX or changes you make to such data).

3. Legal basis of the processing activities

EU privacy laws permit the processing of personal data only if the party responsible for the processing can rely on a legal basis.

The legal basis for our processing activities is “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”. Bottomline’s legitimate interest is to be able to execute its business processes, to account for the provision of the BX Service, to monitor the use of the BX Service and to keep the BX Service secure for all of its customers. The legal basis for personal data transfers is consent; please see section 5.

4. Recipients of personal data

To the extent necessary for the purposes stated under section 2, we may share your personal data with our resellers, suppliers and your employer or client.

Your personal data are also shared with our processors, to the extent that their access is necessary for the execution of their services. Processors are the third-party IT suppliers who perform processing activities on our behalf and on our instruction. Such processing activities involve storage and transmission of personal data. We have entered into data processing agreements with our processors and have assessed, and periodically re-evaluate, the technical and organizational security measures they have taken to protect your personal data against loss or unauthorized access.

5. Data transfers

We are a company operating globally and, therefore, the processing of your personal data may take place in a “third country”. This is a country outside the EEA that may not ensure a level of protection that is adequate within the meaning of the GDPR. By agreeing to the BX Terms of Use, you explicitly consent to such data transfers. You may withdraw your consent at any time, but this will mean that you can no longer use BX.

6. Retention period

The personal data that we process are stored no longer than necessary for the purposes described under section 2, unless and to the extent a longer period is prescribed by law. In practice this means that your personal data are stored for a maximum of 7 years from the year in which your personal data were collected. If, within such 7-year period, a legal dispute between us and you, your employer or business relation arises, your data may be retained until the dispute is resolved.

7. Security and personal data breach notification

We take the security of your personal data seriously. We have implemented adequate organizational, physical and technical security measures to protect your personal data against loss or unauthorized access. We have implemented technical measures to respond to threats to the BX Service, at both the cloud level and the authentication and authorization level. On an application level, mitigating measures against OWASP Top 10 threats have been taken. We use a hosting provider that is ISO 27001 certified, and we have backup and restore measures in place. Specific information on security measures can be obtained by contacting us at privacy@bottomline.eu.

8. Your rights

The GDPR grants everyone whose personal data are processed (“data subjects”) certain rights regarding the processing of their personal data. In this section 8, we briefly explain these rights to you.

Right to information
The right to information means that we must let you know, at your request, which of your personal data we process.

Right to rectification
The right to rectification means that, when the personal data about you that we process are incorrect, we must rectify them at your request.

Right to erasure
The right to erasure means that you can request us to erase your personal data if we do not have an ‘overriding legitimate ground’ to continue the processing.

Right to restriction
The right to restriction means that you can request us to suspend the processing of your data when you believe that the personal data about you that we process are incorrect or that the processing is unlawful or unnecessary, or when you object to the processing (see below). If you request us to suspend the processing we can only – apart from a few exceptions – store your data (also without your consent) until it is clear whether your opinion is correct.

Right to object
The right to object means that you can, at any time, object to the processing activities based on “legitimate interest”. We will then discontinue the processing unless we have an overriding legitimate ground to deny your request.

Right to data portability
The right to data portability means that you can request us to make the personal data that you entered in BX available to you in a structured, commonly used and machine-readable format.

If you want to make one of the foregoing requests, you can contact us at privacy@bottomline.eu. We will respond to your request as soon as possible. We will let you know what the possible consequences are if we grant your request (which may include that you can no longer use BX). If we believe that we have a valid reason to deny your request, we will inform you of that reason.

9. Questions, requests, and complaints

If you believe that we, by processing your personal data, act in breach of the law, or if you have other questions regarding the processing and security of your data, please inform our support team via the communication channels notified in the BX Service. We will use our best efforts to address your question or complaint within 14 days. If we cannot solve the matter with you, you can file a complaint with the Dutch Data Protection Authority (see its website for more information: https://autoriteitpersoonsgegevens.nl).