Privacy Statement

In this Data Protection Notice we, BillFront Ltd., are informing you of the way in which your personal data are processed when you use our website, billfront.com.

Personal data comprise information referring to an identified or identifiable person. They include particularly all information making it possible to conclude your identity, for instance your name, telephone number, address or e-mail address. Statistical data, which we collect for example when someone visits our website, do not fall under the meaning of personal data.

Contact

The personal contact and so-called Controller for the processing of your personal data under the terms of the EU General Data Protection Regulation (GDPR) when you visit this website is

BillFront Ltd.
Flat 1 54 Golborne Road, London, W10 5PR, UK
hello@billfront.com

For all questions about matters of data protection in connection with our products or the use of our website you can also contact our Data Protection Officer at any time. They can be reached under the above postal address and under the e-mail address given above.

1. Data processing on our website

1.1. Calling up our website, access data

Every time you visit our site, we collect access data which your browser automatically transmits to make your visit to the website possible. This includes:

  • IP address of enquiring device;
  • Date and time of enquiry;
  • Address of the website called up and of the website enquiring;
  • Information on the browser and operating system used;
  • Online identifiers (e.g. device identifiers, session IDs).

The processing of access data is necessary to ensure the accessibility of our website and permanent functionality and security of our systems. Access data will additionally be processed and stored in internal logfiles, to further develop our website, based on usage patterns of our visitors (e.g. if the proportion of mobile devices on which the pages are called up rises) and to administer our website generally. The legal basis is Art. 6 sec. 1 clause b GDPR.

1.2. Making contact

You have various possible ways of contacting us. These include the Contact Form, live chat, registration for events, or the call-back function. In this context we process data solely for the purpose of communication. The legal basis is Art. 6 sec. 1 lit. b GDPR.

1.3. Registration

To use our Service you have to register to our login area. In this context we require your name, business and email address and telephone number. Without this data registration is not possible. The legal basis for this processing is Art. 6 sec. 1 lit. b GDPR.

1.4. Job applications

You can use out website to apply for vacant jobs via recruitee. The purpose of the data collection is that of applicant selection for providing possible employment. For receiving and processing your application we collect the following data: first name and surname, e-mail address, application documents (e.g. references, CV), earliest date for taking up the job, and desired salary. The legal basis for the processing of your application documents is Art. 6, sec. 1 lit. b and Art. 88 sec. 1 GDPR in combination with sec. 26 of the German Data Protection Act (BDSG).

1.5. Insertion of our own cookies

For a part of our service it is necessary for us to insert cookies. A cookie is a small text file which is saved by your browser on your device. Cookies are not inserted to execute programs or to load viruses into your computer. Instead the main purpose of cookies is to provide a personalized product or service and to make use of our services as convenient as possible.

We use our own cookies in particular:

  • For log-in identification;
  • For load distribution;
  • To store your language settings;
  • To note that information placed on our website has been displayed to you - so that on your next visit to the website it does not need to be displayed again.
  • These services are based on our legitimate interest, Art. 6 sec. 1 lit. f GDPR.

1.6. Insertion of cookies for analytics purposes

To improve our website, we use cookies and comparable technologies (e.g. web beacons) for the statistical collection and analysis of general usage patterns, using access data.

The legal basis for the data processing described in the following section is Art. 6, Paragraph 1, Clause 1, Point (f) of the GDPR, based on our legitimate interest in the needs-based design and continual optimisation of our website.

1.6.1. Google Analytics

This website uses Google Analytics, a web-analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies and similar technologies to analyse and improve our website on the basis of your usage pattern. The data accrued in this context may be transmitted by Google for analysis to a server in the USA and stored there. Should personal data be transmitted to the USA, Google has acceded to the EU-US Privacy Shield. Your IP address will be abbreviated prior to the analysis of usage statistics, however, so that no conclusions can be drawn about your identity. For this purpose, Google Analytics has been extended on our website to include the code "anonymizeIP", in order to guarantee an anonymised capture of IP addresses.

Google will process the information so gained in order to evaluate your use of the website, to assemble reports on the website activities for the website operators, and to supply further services connected with website use and internet use.

As set out above, you can so configure your browser that it rejects cookies, or you can prevent the capture of the data generated by cookies and relating to your use of our websites (including your IP-address) and the processing of this data by Google by downloading and installing the browser add-on provided by Google. As an alternative to the browser-addon or if you browse our website from a mobile device, you can use this opt-out link. This will prevent the data collection of Google Analytics within this website (the opt-out link will only work in this browser and only for this domain). If you delete your cookies in this browser, you have to click on the link again.

You will find more detailed information on this matter in the Privacy Statement of Google Analytics.

1.7. Setting of cookies and comparable technologies for online advertising

We also use cookies and comparable technologies for advertising purposes. Some of the access data accrued during the use of our website are used for interest-based advertising. By analysing and evaluating these access data we are able to display personalised advertising to you on our website and on the websites of other providers. That means advertising which reflects your actual interests and needs.

The legal basis for the data processes described in the following section is Art. 6, Paragraph 1, Clause 1, Point (f) of the GDPR, grounded on our legitimate interest in providing you with personalised advertising.

In the following section we would like to explain these technologies, and the providers employed for the purpose, in more detail.

The data so collected include in particular:

  • The IP address of your device,
  • The date and time of the access,
  • The identification number of a cookie,
  • The device identification of mobile devices,
  • Technical information on the browser and the operating system,
  • The data so collected are saved only in pseudonymous form, however, so that no direct conclusions can be drawn about you personally.

In the following descriptions of the technology which we employ you will find instructions on how to object to our analysis procedures and advertising campaigns by means of a so-called opt-out cookie. Please note that after the deletion of all cookies in your browser or the later use of another browser and/or profile, another opt-out cookies must be placed.

In the following paragraphs we describe the ways in which you can object to our analysis processes and advertising campaigns. Alternatively you can exercise your objection through settings to that effect on two websites: TrustArc or Your Online Choices, which provide objection facilities by many advertisers in bundled form. Both sites make it possible to disable all advertisements at once for the providers listed, using opt-out cookies, or alternatively to make the settings for each provider individually.

1.7.1. Facebook conversion and retargeting

For marketing purposes our websites use so-called conversion and retargeting tags (also "Facebook pixels") of the social network Facebook, a service of Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA ("Facebook"). We use Facebook pixels in order to analyse the general use of our websites and to trace the efficacy of Facebook advertising ("conversion"). In addition, we use the Facebook pixels to play you individualised publicity messages based on your interest in our products ("retargeting"). For this purpose Facebook processes data which the service collects via cookies and similar technologies on our websites.

The data accrued in this context may be transmitted by Facebook for evaluation to a server in the USA and stored there. Should personal data be transmitted to the USA, Facebook has acceded to the EU-US Privacy Shield.

If you are a Facebook member and have allowed Facebook to do so via the privacy settings of your account, Facebook may in addition link with your member account the information about your visit captured by ourselves and use it for the targeted insertion of Facebook Ads. You can view and change the privacy settings in your Facebook profile at any time. If you are not a Facebook member, you can prevent this data processing by Facebook by operating the disable button for the provider "Facebook" on the TrustArc website mentioned above. You can further prevent this data processing by clicking the following opt-out link.

If you deactivate this data processing by Facebook, Facebook will only display general advertisements, which are not selected on the basis of the information captured about you.

You will find more detailed information on this matter in Facebook's Privacy Statement.

1.7.2. Google AdWords conversion tracking and remarketing

Our websites use the AdWords conversion tracking and AdWords remarketing services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). AdWords conversion tracking is used by us to capture specific customer actions (such as clicking on an advertisement, page call-ups, downloads) and to analyse them. We use AdWords Remarketing to display individualised advertising messages to you for our products on partner websites of Google.

For this purpose both services insert cookies and similar technologies. The data accrued in this context may be transmitted by Google for analysis to a server in the USA and stored there. Should personal data be transmitted to the USA, Google has acceded to the EU-US Privacy Shield.

If you use a Google account, Google may - depending on the settings saved in your Google account - link your web and app browser history with your Google account and use information from your Google account in order to personalise advertisements. If you do not wish for this allocation to the Google account, it will be necessary for you to log out before calling up our contact page at Google.

As set out above, you can so configure your browser that it rejects cookies. Additionally, in the cookie settings of Google's Privacy Statement, you can prevent Google cookies from being used for advertising purposes.

You can find more detailed information on this matter in Google's Privacy Statement.

2. Transmission of data

Data which we have collected are passed on only if:

  • You have given an express declaration of consent for this, pursuant to Art. 6 sec. 1 lit. a GDPR,
  • Further transmission is necessary, pursuant to Art. 6 sec. 1 lit. f GDPR, for bringing, exercising or defending legal claims, and no reason exists to suppose that you have a predominant and properly protected interest in preventing your data from being passed on,
  • We have a legal duty to pass on your data pursuant to Art. 6 sec. 1 lit. c GDPR, or
  • This is legally permissible and requisite, pursuant to Art. 6 sec. 1 lit. b GDPR, for the handling of contracts with yourself or for the execution of precontractual actions which are being carried out at your request.

A part of the data processing can be handled via service providers. Along with the service providers stated in this Data Protection Notice, these may include in particular computer centres which store our website and databases, IT service providers which maintain our systems, and consultancy firms. Should we pass data on to our service providers, these data may only be used for performance of their tasks. We select and commission these service providers carefully. They are bound contractually to follow our instructions, have suitable technical and organisational measures for the protection of the rights of data subjects, and are monitored by ourselves on a regular basis.

Further transmission may also be made in connection with requests by government authorities, decisions of the courts and legal proceedings if it is necessary for prosecution or execution at law.

2.1. Amazon Web Services

Some of your data will be processed on servers which are provided by Amazon Web Services, a service of Amazon Web Services Inc., 410 Terry Avenue North, Seattle, Washington 98109, USA ("AWS"). Via these AWS servers your device will be connected with the contents in our website. The servers which we use are normally located inside the European Union. For technical reasons, however, portions of your data may be processed outside the European Economic Area, particularly in the USA. To ensure the protection of your data in this case too, AWS participates in the EU-US Privacy Shield. In addition, we have concluded a contract with AWS which meets the requirements stipulated by the standard clauses of the European Commission. The legal basis is Art. 6 sec. 1 lit. f GDPR, based on our legitimate interest in storing the contents of our website securely and reliably through external service providers while reducing our own expenditure of resources for the provision of our website's EDP infrastructure.

2.2. Google Tag Manager

Our website uses Google Tag Manager, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Tag Manager serves to administrate tracking tools and further services, so-called website tags. A tag is an element placed in our website's source text, in order for instance to capture prescribed usage data. Google Tag Manager operates without the use of cookies. Google Tag Manager ensures that the usage data required by our partners (Cf. the data-processing operations set out above) are passed on to them. Some of the data are processed on a Google server in the USA. Should personal data be transmitted to the USA, Google has acceded to the EU-US Privacy Shield. The legal basis is Art. 6 sec. 1 lit. f GDPR, based on our legitimate interest in incorporating and managing a number of tags in an uncomplicated way on our website.

You will find more detailed information in Google's information on Tag Manager.

3. Duration of storage

We store personal data only for as long as is necessary to fulfill contractual or statutory duties for which the data were collected. We then erase the data immediately, unless we still need these data until expiry of the statutory period of limitation for purposes of evidence in civil claims or due to statutory duties of storage.

For purposes of evidence we must still store contact data for three years from the end of the year in which business relations with you end. Any claims will expire, under the normal statutory period of limitation, no earlier than at this time.

Thereafter we must also store some of your data for purposes of book-keeping. We have an obligation to do so under statutory duties of documentation which may arise under the German Commercial Code, the German Tax Code, the German Credit and Loans Act, the German Money Laundering Act, and the German Securities Act. The periods stipulated there for storage of documents are two to ten years.

4. Your rights

You have the right at any time to require us to provide information about the processing of your personal data (right of access). When providing you with this information we shall explain the data processing and supply an overview of the data relating to your person which are stored. Should data stored with us be inaccurate or no longer up-to-date, you enjoy the right to have these data corrected (right to rectification). You can also require the erasure of your data (right to erasure or right to be forgotten). Should the erasure exceptionally not be possible due to other legal regulations, the data processing will be restricted, so that in future they are only available for this statutory purpose. You can also have the processing of your data restricted, i.e. if you believe that the data which we have saved are not correct (right to restriction of processing). You also have the right of data portability, i.e. that we send you on request a digital copy of the personal data which you have provided (right to data portability).

To exercise your rights as set out here, you can communicate with the foregoing contact details at any time. This also applies should you wish to receive copies of guarantees for certification of an adequate data-protection level.

You also have the right to object to the data processing based on Art. 6, para., lit. e or f of the GDPR. Finally, you have the right to complain to the regulatory authority to which we are subject. You can exercise this right at a regulatory authority in the member country of your place of residence, of your workplace, or of the place of alleged breach.

5. Right of revocation and objection

Under Article 7 sec. 3 GDPR you have the right at any time to withdraw to us any consent which has once been given. This will have as a consequence that in future we no longer continue the data processing based on this consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Insofar as we process your data on the basis of legitimate interests under Art. 6 sec. 1 lit. f GDPR, you have the right under Art. 21 GDPR to object to the processing of your data and to mention grounds relating to your particular situation that in your opinion speak in favour of prevailing legitimate interests. Where personal data are processed for direct marketing purposes, you have a general right of objection which will also be implemented by us without your stating reasons.

If you wish to make use of your right to withdraw or object, a notification without set form to the contact details above will be sufficient.

6. Data security

We maintain up-to-date technical measures to ensure data security, particularly for the protection of your personal data against dangers during data transmissions and against cognizance by third parties. These are amended in each case to reflect the current state of technology. To secure the personal data which you have stated on our website, we use transport layer security (TLS), which encrypts the information which you have entered.

7. Amendments to Data Protection Notice

We occasionally update this Data Protection Notice, for instance when we revise our website or statutory or official regulations change.

May 2018