🤝 Meet Brex at the Gartner CFO & Finance Executive Conference - May 20-21 in Maryland ->

Platform Agreement

Applicant Privacy Policy

Revised August 31, 2023

OVERVIEW

This Applicant Privacy Policy (“Policy”) describes how Brex Inc., Brex Technologies UK Limited and Brex Treasury LLC and their affiliates (“Brex”, “Company”, "we", "us" and "our") collect, uses, and disclose information about individuals who are applicants for engagement with Brex as an employee, contractor, consultant, and other contingent worker of the Company (hereinafter “Applicants”, and "you").

We may update this Policy from time to time. We may also provide you additional privacy policies regarding our collection, use or disclosure of information, as applicable. When we update this Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Policy changes if, and where, required by applicable data protection laws.

You can see when this Policy was last updated by checking the “Effective Date" displayed at the top of this Policy. We encourage you to check back here periodically in order to be aware of the most recent version of this Policy.

This Policy does not apply to the Company’s handling of data gathered about Applicants arising from their role as a user of Company products and services. When interacting with the Company in that role, the Brex Privacy Policy associated with the relevant service applies.

Please read this Policy and any other privacy policies carefully.

DATA COLLECTION

Brex collects, stores, and uses various types of personal information through the application and recruitment process. Brex collects such information either directly from Applicants or (where applicable) from another person or entity, such as an employment agency or consultancy, background check provider, or other referral sources.

The categories and specific Applicant personal information Brex collects and/or processes are:

  • Identification and contact information and related identifiers, such as real name, alias, preferred name, pronouns, home postal address, home telephone number, personal email address, personal mobile number, online account name/screen name, or handle, and such information about an Applicant’s beneficiaries or emergency contacts.
  • Recruitment, employment, or engagement information such as application forms and information included in a resume, cover letter, or otherwise provided through any application and recruitment process including communication regarding recruitment, and our evaluations of your performance during the interview process. We also may collect Applicants' websites and professional networking addresses. Where permitted by law, and required by job responsibility, we may also collect criminal background check information.
  • Personal Characteristics and Voluntary Demographic Data, such as race, ethnic origin, sexual orientation, preferred pronouns, or gender.
  • Sensory information, such as videos and recordings of audio interviews.
  • Government-Issued Identification Numbers, such as driver’s license, operator’s license, or other motor vehicle information, passport number, social security number, birth certificate number, and other state or federal issued IDs.
  • Financial Information, such as credit history or credit checks.
  • Education Information, such as degrees or schooling, licenses and professional memberships, certifications, trainings, academic record, and other non-publicly available educational record information held by an education institution.
  • Professional or employment-related information, such as job titles, work history, work dates and work locations, employment, service or engagement agreements, contact and identification information about an Applicant’s references, appraisal and performance information, information about skills, qualifications, experience, publications, speaking engagements, and preferences (e.g., mobility), absence and leave records, disciplinary and grievance information, and termination information.

DATA USE

Brex collects, uses, shares, and stores personal information from job applicants for the operational purposes of Brex and its service providers in the recruitment and hiring process such as those listed below.

Purpose: Recruitment
Processing applications; tracking applications through the recruitment process; evaluating applicants for current and, as permitted by applicable laws, future job opportunities, (including matching skills and interests to applicable job requirements); making hiring decisions.

Examples of personal information that may be processed: Information concerning your application. This includes: your personal details, education and qualification details; as well as any relevant recordings e.g. of your interview. We also process: our assessment of your application; the fact of your application and our record of it, your references; any checks Brex may make to verify information provided or background checks (including criminal and credit history); any tests required for your position; and any information connected with your right to work. If relevant, we may also process information concerning your health, any disability and in connection with any adjustments to working arrangements. This may also include potentially legally protected classification information to the extent required or as permitted by law; and indirect identification information (such as publicly available social network profiles you provide).
Grounds for processing, if applicable under law: Legal obligation, Legitimate interests.

Purpose: Contacting you or others on your behalf
Communicating with applicants throughout the hiring process; contacting references / beneficiaries with Applicant authorization; (as permitted by applicable laws) contacting you in the future about other opportunities if you are not hired.

Examples of personal information that may be processed: Your address and phone number; emergency contact information and relevant beneficiaries / references. In case you authorize us to contact beneficiaries and references, you warrant that you have their authorization to provide their personal information, and you are responsible for informing them the terms and reasons for which we will contact them and, if applicable, the processing of their personal information in accordance with this Policy, as well as the means to access the full content thereof.
Grounds for processing, if applicable under law: Consent, Contract, Legitimate interests.

Purpose: Verifying your residency and right to work

Examples of personal information that may be processed: Information including your citizenship; passport data; and details of residency or work permit.
Grounds for processing, if applicable under law: Legal obligation.

Purpose: Supporting and managing any health concerns

Examples of personal information that may be processed: To the extent required or permitted by local law, information concerning your health, including self-certification forms, fit notes and medical and occupational health reports.
Grounds for processing, if applicable under law: Contract, Legal obligation, Legitimate interests, Vital interests.

Purpose: Physical and system security

Examples of personal information that may be processed: Information used in detecting security incidents, debugging and repairing errors, and preventing unauthorized access to our computer and electronic communications systems (including biometric identification information) and preventing malicious software distribution; and monitoring.
Grounds for processing, if applicable under law: Legal obligation, Legitimate interests.

Purpose: Internal Analysis
Understanding the applicants who apply and to improve the Company’s recruitment and interviewing process

Examples of personal information that may be processed: Information related to your experience as a Brex applicant (e.g. via applicant feedback surveys) including: your name; title; unit/department applied for; and location.
Grounds for processing, if applicable under law: Legitimate interests.

Purpose: Monitoring of diversity and equal opportunities

Examples of personal information that may be processed: To the extent required or permitted by local law, information on your nationality, racial and ethnic origin, gender and gender pronouns, sexual orientation, religion, disability and age.
Grounds for processing, if applicable under law: Legitimate interests, Consent.

Purpose: Disputes and legal proceedings
The Company may sometimes need to use applicant information for legal purposes, such as in connection with any challenges made to Brex’s hiring decisions.

Examples of personal information that may be processed: The Company may sometimes need to use applicant information for legal purposes, such as in connection with any challenges made to Brex’s hiring decisions.
Grounds for processing, if applicable under law: Legitimate interests, Legal obligation.

Purpose: Compliance with any other legal requirements

Examples of personal information that may be processed: Information relevant to our tax records, auditing requirements.
Information about Union membership, professional association membership, and licensure-related organizational memberships.
Grounds for processing, if applicable under law: Legal obligation.


The following purposes are considered secondary purposes under applicable data protection laws: (i) evaluating applicants for future job opportunities; and (ii) contacting you in the future about other opportunities if you are not hired. If you do not want your personal information to be processed for these secondary or accessory purposes, you may reach out to the People team and opt-out at people@brex.com.

We may also use personal information for any other legally permitted purpose (subject to your consent, where legally required).

As identified in the table above, under EU and UK data protection laws, there are various grounds on which we can rely when processing your personal information. Similar grounds may apply outside the EU and UK or some grounds may be inapplicable in some jurisdictions, e.g., Mexico. In some contexts more than one ground applies. We have summarized these grounds as Contract, Legal Obligation, Legitimate Interests, Vital Interests and Consent and outline what those terms mean below.

Term: Contract
Grounds for processing: Processing necessary for performance of a contract with you or to take steps at your request to enter a contract
Explanation: We need your personal information to perform a contract for services with you. This covers carrying out our contractual duties and exercising our contractual rights.

Term: Legal Obligation
Grounds for processing: Processing necessary to comply with our legal obligations
Explanation: Ensuring we perform our legal and regulatory obligations in particular in the area of labor and employment law, social security and protection law, data protection law, tax law, and corporate compliance laws. For example, providing a safe place of work and avoiding unlawful discrimination.

Term: Legitimate Interests
Grounds for processing: Processing necessary for legitimate interest
Explanation: We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data.

Your data will not be processed on this basis if our or a third party's interests are overridden by your own interests, rights and freedoms.

This includes:

  • implementation and operation of a group-wide matrix structure and group-wide information sharing
  • to help us conduct our business more effectively and efficiently – for example for general HR resourcing, IT security/management, accounting purposes, or financial planning
  • prevention of fraud, misuse of Brex IT system, or money laundering
  • operation of a whistleblowing/compliance hotline
  • addressing physical security, IT and network security, and
  • conducting internal investigations.

Term: Vital Interests
Grounds for processing: Processing necessary to protect your vital interests or those of another person
Explanation: We may use your information where it is necessary to protect your or someone else's life, physical integrity, or safety. This could include providing law enforcement agencies or emergency services with information necessary to protect health or life in an emergency circumstance (e.g. if you have a medical emergency at one of our offices and paramedics request information about your allergies / diabetes / etc.).

Term: Consent
Grounds for processing: You have given specific consent to processing your data
Explanation: In general, processing of your data in connection with employment will not be conditional on your consent. However, there may be occasions where we do specific things such as contacting a referee, seeking to monitor diversity or obtaining medical reports and rely on your consent to our doing so.

Certain information we collect may be “sensitive Personal Information”, “special category data” or otherwise sensitive under the data protection laws applicable to your country. Any such processing is undertaken in compliance with applicable laws.

For US Residents, except where you provide such information voluntarily on your resume or in your application, or for the purpose of requesting an accommodation during the recruitment process, or if you provide government identification or driver’s license information, we do not collect personal information that is considered “sensitive” under applicable law during the recruitment process. We do not use or disclose such information other than for disclosed and permitted business purposes for which there is not a right to limit under the applicable law.

For EU and UK residents, if we process special category data (or criminal conviction data) about you, we will make sure that one or more of the following legal grounds applies: (i) you have provided your explicit consent; (ii) the processing is necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorized by law or collective agreement; (iii) the processing protects your or our legitimate interests and relates to data about you that you have made public (e.g. if you tell us that you are ill); (iv) the processing protects your or our legitimate interests and the processing is necessary for the purpose of establishing, making or defending legal claims; or (v) the processing is necessary to protect you or someone else's vital interests (e.g. if you have a medical emergency at one of our offices office and paramedics request information about your allergies / diabetes / etc.). Further, we will ensure that any processing satisfies the additional "conditions for processing" under local laws including:

Sensitive Personal Data: Criminal History
Conditions for processing: Performing or exercising obligations or rights which are imposed or conferred by law on you or us in connection with employment, social security or social protection. Protecting the public against / regulatory requirements relating to unlawful acts and dishonesty.

Sensitive Personal Data: Union membership information
Conditions for processing: Insurance purposes, Occupational Pensions

Sensitive Personal Data: Biometric information
Conditions for processing: Preventing Fraud

Sensitive Personal Data: Health information and gender information
Conditions for processing: Assessment of the working capacity of an applicant

Sensitive Personal Data: Religious or philosophical beliefs
Conditions for processing: Identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained

Sensitive Personal Data: Racial/ethnic origin, sexual orientation, and/or disability status
Conditions for processing: Identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained. As part of a process of identifying suitable individuals to hold senior positions in a particular organization, a type of organization or organizations generally.

DATA DISCLOSURE

Brex will disclose the personal information of applicants to the following types of entities or in the following circumstances (where applicable):

  • Internally: to people within the Company who are involved in the recruiting and hiring process.
  • Service Providers: such as technology service providers, travel management providers, human resources suppliers, background check companies, recruitment consultants, and employment agencies or recruiters, where applicable. These entities process your Personal Information on Brex’s behalf in performing services for Brex, and are subject to contractual restrictions on use of your Personal Information. These are considered as transmissions under data protection laws such as Mexico.

Service Provider: Checkr and HireRight
Services: Background check / Verification Services
Personal data: Name, Email, Phone, Home address, Gender, Birth month and day, Social Security Number, Social Media details

Service Provider: Greenhouse
Services: Applicant Tracking System
Personal data: Name, Email, EEOC, Pronouns, Resume, Phone Number, Email, Address (City, State, Country)

Service Provider: ModernLoop
Services: Scheduling tool
Personal data: Name, Email, Phone Number, Position, Availability, Time Zone

Service Provider: Gem
Services: Sourcing / CRM / Analytics
Personal data: Name, Email, Resume, Location (Country)

Service Provider: Metaview
Services: Interview Note-taker
Personal data: Video records and transcribes interview

Service Provider: LinkedIn
Services: Sourcing Tool
Personal data: Name, Email, Location

Service Provider: Codesignal
Services: Coding Assessment Software
Personal data: Name, Email, IP Address, location

Service Provider: Seekout
Services: Sourcing Tool
Personal data: Name, Email, Phone, Location (City, State, Country)

  • Legal compliance and exercising legal rights: to governmental authorities, agencies, entities or to service providers (i) when required to do so by law, regulation, or court order, (ii) in response to a request for assistance by the police or other law enforcement agency, (iii) to seek legal advice from our external lawyers, (iv) in connection with litigation, or (v) to seek medical attention or to address any other emergency. These are considered as transfers under data protection laws such as Mexico.
  • Business Transaction Purposes: to potential buyers in the event of a merger, sale of capital stock or assets, or similar transaction (or the due diligence in contemplation thereof), in Mexico, only if such transfer is necessary by virtue of a contract concluded or to be concluded by the data controller and a third party, in the Applicants’ interest.
  • Consent: with your consent and as permitted by law, we may share personal information with other third parties. These may be considered as transfers under Mexican law.

DATA RETENTION

The personal information we collect from Applicants, including any sensitive personal information voluntarily provided by Applicants, and, subject to the terms of the applicable law, will be retained until we determine it is no longer necessary to satisfy the purposes for which it was collected and our legal obligations. In determining how long to retain information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the personal information, the purposes for which we process the personal information and whether we can achieve those purposes in other ways, the applicable legal requirements, and our legitimate interests.

For example, we will keep certain information about former applicants (e.g. your address and phone number) for as long as necessary for our legitimate interests in keeping this information as part of our organizational history and to confirm the facts of your recruitment with us and to comply with law. The purposes we process information (as well as the other factors listed above) may dictate different retention periods for the same types of information. For example, applicant names in email headers may be kept indefinitely depending on the nature of the email.

We may also retain certain information to deal with and resolve requests and complaints (for example, if there is an ongoing dispute surrounding Brex's hiring decisions this information would be retained until the legal claim had been concluded); or to protect individuals' rights and property (for example, we will retain information about a data subject access request for five years after the request is dealt with in case there is a subsequent complaint and the information is needed to demonstrate how the request was handled).

ADDITIONAL PRIVACY INFORMATION FOR CALIFORNIA RESIDENTS

California residents have certain rights regarding their personal information. Subject to certain exceptions, if you are a California resident, you may request:

  • access to your personal information including the right to know the categories of personal information we have or will collect about you and the reason we will or have collected such information;
  • correction of the personal information that we have or will hold about you that is inaccurate;
  • deletion or removal of your personal information.

You also have the right not to be discriminated against (as provided for in California law) for exercising your rights.

Exceptions to Your Rights: There are certain exceptions to these above rights. For instance, we may retain your personal information if it is reasonably necessary for us or our service providers to provide a service that you have requested or to comply with law or to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for that activity.

Exercising Your Rights: To exercise one of the rights above, you may contact us as provided below.

We will take reasonable steps to verify your identity before responding to a request. In doing so, we may ask you for verification information so that we can match at least two verification points with information we maintain in our files about you. If we are unable to verify you through this method, we shall have the right, but not the obligation, to request additional information from you.

California law places certain obligations on businesses that “sell” personal information to third parties or “share” personal information with third parties for “cross-context behavioral advertising” as those terms are defined under the California Consumer Privacy Act (“CCPA”). We do not “sell” or “share” the personal information covered by this Policy and have not done so in the twelve months prior to the effective date of this Policy.

ADDITIONAL PRIVACY INFORMATION FOR EU AND UK RESIDENTS

Your data protection rights
Brex Technologies UK Limited is the data controller for EU and UK resident applicants. Individuals located in the EU and UK have certain rights regarding their Personal Information.

  • Access your information. You can ask the People Team, to confirm what information we process about you, to provide certain information about the processing, and for a copy of your information. This applies irrespective of the legal basis we have relied upon to process your data.
  • Delete your information. You can ask us to delete some or all of your information. [E.g. Applicants can delete outdated information within the Applicant Portal or by emailing the People Team].
  • Rectify your information. Brex will make reasonable efforts to ensure that Personal Information collected, used, or disclosed is accurate and complete. However, please notify the People Team to request that Brex correct any errors or omissions in information about you that we may have on file.
  • Port your information. You have the right to data portability in circumstances where we rely on contractual necessity or consent as our legal basis. This means that you have the right to receive your information in a structured, commonly used, and machine-readable format and to share it with a third party. [E.g. Applicants can download copies of their completed application form from the Applicant Portal].
  • Object to the processing of your information. You also have the right to object to the processing of your information in certain circumstances. This right applies when we are pursuing our legitimate interests or those of a third party. In submitting an objection request to the People Team, please provide all relevant information, including the processing activity you are objecting to, why you want to object and how the processing activity affects you, and any additional information that you think will help us review your request. We will stop the particular processing if we don't have compelling legitimate grounds to continue that processing or don’t need it for legal claims.
  • Restrict the processing of your information. You can ask the People Team to restrict processing of your personal data where: (a) you are challenging the accuracy of the information, (b) the information has been unlawfully processed, but you are opposing the deletion of that information, (c) where you need the information to be retained for the pursuit or defense of a legal claim, or (d) you have objected to processing and you are awaiting the outcome of that objection request.
  • Withdraw consent. If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time by using the contact details provided under the "How to Contact Us About This Policy" heading below. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
  • Right to complain. You have the right to complain to a supervisory authority about our collection and use of your personal data. For more information, please contact your local supervisory authority[ies]. Contact details for the supervisory authority in the UK (the Information Commissioner's Office) are available here and in the EU here.

Some of these rights apply generally, while others will only apply in certain circumstances. Depending on the scenario, these rights may be subject to some limitations. Brex Technologies UK Limited will be responsible for responding to your request within the relevant periods provided by law. If necessary to resolve your request, Brex Technologies UK Limited will liaise with other Brex entities.

To exercise any of your rights see specific instructions below or contact us using the contact details provided under "How to Contact Us About This Policy" heading below. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Before we can respond to a request to exercise one or more of the rights listed above, you may be required to verify your identity or provide additional information so that we can understand your request.

Automated decision-making
In some instances, our use of your personal data will result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.

Automated decisions mean that a decision concerning you is made automatically based on a computer determination (using software algorithms), without any human review. For example we may use automated decisions for:

  • automated screening of CVs. This involves processing automated scanning of CV documents to screen out applications lacking mandatory requirements (e.g. no legal qualifications for a legal counsel role). To safeguard your rights and interest, all CV screening suggestions must be reviewed by a human supervisor before being approved.

When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us using the contact details provided under the "How to Contact Us About This Policy" heading below.

International Data Transfers
In some cases, where your personal data is transferred to another Brex company or third parties, it is processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, we are headquartered in the United States and may use service providers that operate in the United States and other countries. Therefore, we may transfer your personal information to recipients outside of the UK and EU. Some of these recipients are located in countries which have been formally recognized as providing an adequate level of protection for personal information by the Secretary of State in the UK and the European Commission in the EU, in which case, we rely on the relevant "adequacy decisions".

Where the transfer is not subject to an adequacy decision or regulations, we take appropriate safeguards to ensure your personal information remains protected in accordance with this Privacy Policy and applicable laws by entering into appropriate data transfer mechanism permitted under Article 46 of the UK GDPR, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.

Our Standard Contractual Clauses entered into by our group companies and with our third party service providers and partners.

ADDITIONAL PRIVACY INFORMATION FOR MEXICO RESIDENTS

Your data protection rights
Brex Financial Technologies, S. De R.L. De C.V. is the data controller for Mexican resident applicants; its address for purposes of this Policy is 50 W Broadway, Ste 333, #15548, Salt Lake City, UT 84101, which is herein appointed to hear and receive notices. Individuals located in the Mexico have certain rights regarding their personal information: (i) rights of Access, Rectification, Cancellation and Opposition ("ARCO Rights"); (ii) revoke the consent granted to the Controller for the processing of Personal Data; and (iii) limit the use or disclosure of Personal Data.

How to exercise your data protection rights
You may send an email to people@brex.com and we will send you more information regarding the process through which you can exercise these rights. Our data privacy department oversees the processing of any personal data requests.

Data Transfers
We disclose your personal data for administrative purposes to affiliated or subsidiary companies of Brex Financial Technologies or other companies of its group, if they protect the personal information according to the same processes and internal policies, this is considered a personal information transfer under Mexican data protection laws.

ADDITIONAL INFORMATION

Nothing in this Policy shall be construed as limiting or restricting applicants from properly exercising any rights or entitlements under applicable federal, state, or local laws and regulations. To the extent anything in this Policy may conflict with any applicable law, such law will control.

Nothing in this Policy shall be construed as conferring any contractual right, either express or implied, to employment with Brex.

HOW TO CONTACT US ABOUT THIS POLICY

If you have any questions or concerns about our use of your personal data, please contact us at privacy@brex.com.

If you believe that Personal Information has been breached, please contact the Security Team immediately at security@brex.com.

ACCEPTANCE OF PRIVACY NOTICE.

I have read this Policy and give my express consent for my personal information to be processed in accordance with the provisions therein by submitting my application and associated information on this date.


You may read this Policy in Spanish here.