Effective as of May 26, 2023
Bluevine Inc. (“Bluevine” or “us” or “we”) is serious about protecting the privacy of your personal data. This European Privacy Notice applies to any individuals located within the European Economic Area (“EEA”) or United Kingdom (“UK”) about whom Bluevine and/or its affiliated entities may have collected personal data, including through your use of products or services provided by Bluevine, whether in your capacity as a Bluevine customer or as someone doing business with a Bluevine customer (“Services”).
We have put strict policies into place to ensure that the privacy of your personal data is protected, and we provide this European Privacy Notice to comply with applicable privacy laws, including the General Data Protection Act (“GDPR”), the UK’s Data Protection Act 2018 (“UK GDPR”), and related laws, regulations, and guidance from the European Union and/or its member states, and the UK. Any capitalized term used and not otherwise defined below has the meaning assigned to it in our Privacy and Security Policy.
European law provides individuals located in Europe with rights to receive certain disclosures regarding the collection, use, and sharing of personal data, as well as rights to be informed, to access, to rectification, to erasure, to restrict processing, to data portability, and to object with respect to collected personal data. For the purposes of this European Privacy Notice, “personal data” means any information relating to an identified or identifiable natural person.
For more information about Bluevine’s general privacy practices, please view our online Privacy and Security Policy.
A. Basis for Processing Your Personal Data
Bluevine relies on one or more legal bases to process your personal data under applicable law. We may process personal data (1) as necessary to perform our contractual obligations to you; (2) as necessary to pursue our legitimate interests as further detailed below; and/or (3) as necessary for our compliance with our legal obligations such as a request or order from courts, law enforcement or other government authorities. Where Bluevine does not process your personal data under one of those three legal bases, it may do so pursuant to your express consent in certain identified circumstances.
Legitimate business interests. We may collect, process, and maintain personal data to pursue the legitimate business interests outlined below. To determine these legitimate interests, we balance our legitimate interests against the legitimate interests and rights of you and others, and only process personal data in accordance with those interests where they are not overridden by your data-protection interests or fundamental rights and freedoms.
Our legitimate interests generally include:
- Providing requested Services to you and/or the legal entity that you are associated with, including making or receiving international payments (such as sending or receiving funds via wire).
- Risk management, including compliance with our legal and regulatory obligations and for fraud detection, prevention, and investigation, including “know your customer”, anti-money laundering, conflict, and other necessary onboarding and ongoing client checks, due diligence and verification requirements, credit checks, credit risk analysis, compliance with sanctions procedures or rules, and tax reporting.
- Complying with laws and regulations applicable to us, including any legal or regulatory guidance, codes, or opinions and to other legal process and law enforcement requirements, including any internal policy based on or reflecting legal or regulatory guidance, codes, or opinions. We may also respond to subpoenas, court orders, or legal process, and establish and exercise our legal rights or defenses against legal claims.
B. Categories of Personal Data
The categories of personal data that we may collect and store include:
- Identifiers, which may include real name and alias; mailing address; and email address.
- Commercial information, which may include bank account number and other information relating to your bank account and/or your bank or financial institution.
We do not collect special categories of personal data for the processing purposes set forth in this Privacy Notice.
C. Recipients of Personal Data
We use third party service providers, such as Wise US Inc. (“Wise,” formerly TransferWise), for money transmission services for international payments (such as sending or receiving funds via wire transfer). All of our service providers have entered into agreements with us that restrict what they can do with your personal data. If you would like specific information about our service providers who have received your information, please contact us at firstname.lastname@example.org and we will provide that information to you.
D. Your Privacy Rights
In certain circumstances, individuals located within the EEA and UK may have the following data protection rights regarding their personal data:
- Right to access. You may have the right to request confirmation of whether Bluevine processes personal data relating to you, and if so, to request a copy of that personal data.
- Right to rectification. You may have the right to request that Bluevine correct or update your personal data that is inaccurate, incomplete, or outdated.
- Right to deletion. You may have the right to request that Bluevine erase your personal data in certain circumstances provided by law.
- Right to restrict processing. You may have the right to request that Bluevine restrict the use of your personal data in certain circumstances.
- Right to object to processing. You may have the right to object to Bluevine’s processing of your personal data, under certain conditions.
- Right to data portability. You may have the right to request that Bluevine export the data that we have collected to you or another company, under certain conditions.
Where the processing of your personal data is based on your previously provided consent, you have the right to withdraw your consent at any time. If you would like to exercise any of these rights, please submit a written request to email@example.com. We will respond to these requests in accordance with applicable data protection laws. We may ask you to verify your identity to help us respond efficiently to your request.
You may also have the right to lodge a complaint about our data collection and processing actions with the appropriate supervisory authority. If you are in the European Economic Area, you can view the contact information for your data protection authority here. If you are in the United Kingdom, please visit https://ico.org.uk/make-a-complaint/.
E. Data Sharing and Transfers to Third Countries
Where we transfer personal data, we will seek to take account of any applicable statutory obligations relevant to personal data transfers. In the case of transfers out of the EEA, we will, in the absence of a European Commission (“EC”) adequacy decision relevant to the destination country, seek to rely on appropriate safeguards, such as transferring to a valid Privacy Shield certified US recipient or entering into appropriate EC approved standard contractual clauses (see http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm).
This may include the transfer of your personal data to one or more countries outside the UK and the EEA, where we or our service providers maintain operations. You understand and accept that if your personal data is disclosed to third parties outside the UK and EEA those parties may be based in territories that may not have data protection provisions in law. In the case of transfers out of the UK and EEA, we will, in the absence of an EC adequacy decision relevant to the destination country, seek to rely on appropriate safeguards provided under law.
F. Data Retention
We will retain personal data for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (1) the length of time we have an ongoing relationship with you; (2) whether there is a legal obligation to which we are subject; (3) whether a privacy right has been exercised with respect to the data (such as a request to delete); and (4) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
G. Controller and Contact Details
If you have any questions about this European Privacy Notice or would like more information, you may contact Bluevine in one of the following ways: