BX Privacy Statement


1. Introduction

As Bottomline (full legal name: Bottomline R&D B.V.) we value your privacy. The purpose of this BX Privacy Statement is to inform you as a user of BX of how we process your personal data. BX is a logistics cloud platform for inventory routing optimization, including mobile apps and BX APIs. The “BX Service” as referred to in this BX Privacy Statement means the provision of BX and maintenance and support, provided by Bottomline in accordance with its agreement with your employer, client or business relation. Your employer, client or its business relation (our customer or reseller), has purchased a subscription to BX as it has an interest in the planning of transport of fuels or other goods, or in reselling such subscription. You are using BX because our customer or reseller requests you to work with BX.

Under the applicable privacy laws, the party that determines the purpose of the processing of personal data is responsible for that processing and must provide information to persons whose data are processed. This is the so-called “controller” of the processing. Both your employer or client and Bottomline have their own purposes for processing your data in BX. For example, your employer, client, or its business relation requests or invites you to work with BX for the timely delivery of fuels or other goods or to resell BX subscriptions and provide support to users of BX, whereas we want to provide the software to correctly plan the delivery and monitor the use for your employer or client, for the stability and security of the whole platform and for the distribution of BX. This Privacy Statement applies to the processing of your personal data for Bottomline’s purposes; it does not apply to the processing of your personal data for the purposes of your employer or client.

Where we are the ‘controller’ for the processing of your personal data, we are responsible for the lawful, fair, and transparent processing of your personal data. As we are a company that is established in the Netherlands, we process your personal data in accordance with the privacy laws that apply in the Netherlands, including the General Data Protection Regulation (“GDPR”). 

We may change this BX Privacy Statement from time to time, whether to be compliant with the applicable privacy laws or to inform users of BX of any changes made to the processing of your personal data.

2. Processing activities, purposes and personal data categories

Where we act as a controller of the processing of your personal data, we process your data solely for the purposes set out in this section 2.

The personal data processed by us are your name, job title, business contact details (email address(es), phone number(s), login details (usernames and passwords)), use requests, support tickets, communication (emails, chats), information on your use of BX (e.g. time stamps), and, if you are a truck driver, the license plate number of the truck you drive and the location of that truck during the trip(s) planned in BX. Our processing activities include the storage, transmission and retrieval of your personal data.

Our purposes for these processing activities are:

  • the execution of regular business processes, such as preparing business proposals, processing orders of customers and resellers, sending invoices and payment reminders, sales/relationship management; and
  • to provide the BX Service in accordance with our obligations under the agreements with our customers and resellers; and
  • to invoke our rights arising from the agreements with our customers and resellers; and
  • to account for the provision of the BX Service to our customer (e.g. providing the correct output data, the timely handling of support requests); and
  • to monitor the use, by our customer or reseller, of the BX Service in accordance with our agreement with them (e.g. compliance with security obligations and license restrictions); and
  • to monitor your and other users’ compliance with the BX Terms of Use (including the reconstruction, via audit trails, of any data you enter in BX, or of changes you make to such data).

3. Legal basis of the processing activities

EU privacy laws permit the processing of personal data only if the party responsible for the processing can rely on a legal basis.

The legal basis for our processing activities is “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”. Bottomline’s legitimate interest is to be able to execute its business processes, to account for the provision of the BX Service, to monitor the use of the BX Service and to keep the BX Service secure for all of its customers and their users. The legal basis for personal data transfers is consent; please see section 5 for further explanation of the concept ‘data transfer’.

4. Recipients of personal data

To the extent necessary for the purposes stated under section 2, we may share your personal data with our customers, our resellers and their customers and our suppliers.

Your personal data are also sent to our processors, to the extent necessary for the execution of their services. Processors are the third-party IT suppliers who perform processing activities on our behalf, and on our instruction. Such processing activities involve storage and transmission of personal data. We have concluded data processing agreements with our processors and have assessed, and periodically re-evaluate, the technical and organizational security measures that they have taken to protect your personal data against loss or unauthorized access. For more information on security, see section 7 of this BX Privacy Statement.

5. Data transfers

We are a company operating globally and, therefore, the processing of your personal data may take place in a “third country”. This is a country outside the EEA that may not ensure a level of protection that is adequate within the meaning of the GDPR. By agreeing to the BX Terms of Use, you explicitly consent to such data transfers. You may withdraw your consent at any time, but this means that you can no longer use BX.

6. Retention period

The personal data that we process are stored no longer than necessary for the purposes described under section 2, unless and to the extent a longer period is prescribed by law. In practice this means that your personal data are stored for a maximum term of 7 years from the year in which your personal data were collected. If, within such 7-year period, a legal dispute between us and you, your employer, client or business relation arises, your personal data may be retained until the dispute is resolved.

7. Security and personal data breach notification

We take the security of your personal data seriously. We have implemented adequate organizational, physical and technical security measures to protect your personal data against loss or unauthorized access. We have implemented technical measures to respond to threats to the security of BX, both on a cloud and authentication and authorization level. On an application level, mitigating measures against the so-called OWASP top 10 threats have been taken. We use a hosting provider that is ISO27001 certified, and we have backup and restore measures in place. Specific information on security measures can be obtained by contacting us at privacy@bottomline.eu.

8. Your rights

The GDPR grants everyone whose personal data are processed (“data subjects”) certain rights regarding the processing of their personal data. In this section 8, we briefly explain these rights to you.

Right to information
The right to information means we must let you know, at your request, which personal data we process of you.

Right to rectification
The right to rectification means that, when the personal data that we process of you are incorrect, we must rectify them at your request.
 
Right to erasure
The right to erasure means that you can request us to erase your personal data if we do not have an ‘overriding legitimate ground’ to continue the processing.

Right to restriction
The right to restriction means that you can request us to suspend the processing of your data when you believe that the personal data we process of you are incorrect or that the processing is unlawful or unnecessary, or when you object to the processing (see below). If you request us to suspend the processing, we can only – apart from a few exceptions – store your data (also without your consent) until it is clear whether your request is granted.

Right to object
The right to object means that you can, at any time, object to the processing activities based on “legitimate interest”. If you do, we will discontinue the processing unless we have an overriding legitimate ground to deny your request.

Right to data portability
The right to data portability means that you can request us to make the personal data that you entered in BX available to you in a structured, commonly used and machine-readable format.

If you want to make one of the foregoing requests, you can contact us at privacy@bottomline.eu. We will respond to your request as soon as possible. We will let you know what the possible consequences are if we grant your request (which may include that you can no longer use BX). If we believe that we have a valid reason to deny your request, we will inform you of that reason.

9. Questions, requests, and complaints

If you believe that we, by processing your personal data, act in breach of the law, or if you have other questions regarding the processing and security of your data, please inform our support team via the communication channels notified in BX. We will use our best efforts to address your question or complaint within 14 days. If we cannot solve the matter with you, you can file a complaint with the Dutch Data Protection Authority (see its website for more information: https://autoriteitpersoonsgegevens.nl).