US State Supplemental Privacy Notice

Effective Date: January 25, 2025

This Supplemental Privacy Notice applies to You only if You are a natural person and live in California, Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia. This Supplemental Privacy Notice is incorporated into and forms part of the BILL Privacy Notice.

This Supplemental Privacy Notice describes how we collect, process, and disclose Your personal information. It also describes the rights You may have, depending on the state of Your residence, with regard to Your personal information, which apply when new or updated laws take effect in these states. This Supplemental Privacy Notice does not apply to any employees, owners, directors, officers, or contractors of BILL, BILL Companies, their affiliates or subsidiaries.

Categories of Personal Information We Collect, and How We Use that Information

Category of Personal Information: Personal identifiers
Category of Source: Directly from You or Your agents; From Your Organization; From Your Vendors or Customers; From other third parties You choose to interact with; From Our service providers; From public sources
Business or commercial purpose(s) for collection: To provide Services to You; To communicate with You; To verify Your identity; To protect Your account; To prevent fraud or illegal activity; Marketing activities
Business or commercial purpose(s) for disclosure: To provide Services to You; To communicate with You; To verify Your identity; To protect Your account; To prevent fraud or illegal activity; Marketing activities
Categories of third parties to whom we disclose: Our service providers; Your authorized service providers; Other third parties that You authorize; Our business and marketing partners; Third parties as required by law

Category of Personal Information: Financial information, including bank account number, credit card number
Category of Source: Directly from You or Your agents; From Your Organization; From Your Vendors or Customers; From other third parties You choose to interact with; From Our service providers
Business or commercial purpose(s) for collection: To provide Services to You; To verify Your identity; To protect Your account; To prevent fraud or illegal activity
Business or commercial purpose(s) for disclosure: To provide Services to You; To verify Your identity; To protect Your account; To prevent fraud or illegal activity

Category of Personal Information: Commercial information, including products/service purchased
Category of Source: Directly from You or Your agents; From Your Vendors or Customers
Business or commercial purpose(s) for collection: Provide Services to You; Prevent fraud or illegal activity
Business or commercial purpose(s) for disclosure: Provide Services to You; Prevent fraud or illegal activity

Category of Personal Information: Internet or other electronic network activity information
Category of Source: Directly from You; From our service providers
Business or commercial purpose(s) for collection: Provide Services to You; Protect Your account; Prevent fraud or illegal activity; Debug or repair the Services; Maintain reliability, quality or safety of the Services; Improve the Services; Marketing activities
Business or commercial purpose(s) for disclosure: Provide Services to You; Protect Your account; Prevent fraud or illegal activity; Debug or repair the Services; Maintain reliability, quality or safety of the Services; Improve the Services; Marketing activities

Category of Personal Information: Geolocation data
Category of Source: Directly from You; From Your mobile provider or ISP
Business or commercial purpose(s) for collection: Provide the Services to You; Protect Your account; Prevent fraud or illegal activity; Debug or repair the Services; Maintain reliability, quality or safety of the Services
Business or commercial purpose(s) for disclosure: Provide the Services to You; Protect Your account; Prevent fraud or illegal activity; Debug or repair the Services; Maintain reliability, quality or safety of the Services

Category of Personal Information: Audio, electronic, visual, or similar information
Category of Source: Directly from You
Business or commercial purpose(s) for collection: Provide the Services to You; Prevent fraud or illegal activity; Improve the Services; Maintain reliability, quality or safety of the Services
Business or commercial purpose(s) for disclosure: Provide the Services to You; Prevent fraud or illegal activity; Improve the Services; Maintain reliability, quality or safety of the Services

Category of Personal Information: Professional or employment-related information
Category of Source: Directly from You; From Your Organization; From Your Vendors or Customers
Business or commercial purpose(s) for collection: Provide the Services to You; Prevent fraud or illegal activity; Marketing activities
Business or commercial purpose(s) for disclosure: Provide the Services to You; Prevent fraud or illegal activity; Marketing activities

Category of Personal Information: Inferences drawn to create a profile about a consumer
Category of Source: BILL
Business or commercial purpose(s) for collection: Provide the Services to You; Prevent fraud or illegal activity; Maintain reliability, quality or safety of the Services; Marketing activities
Business or commercial purpose(s) for disclosure: Provide the Services to You; Prevent fraud or illegal activity; Maintain reliability, quality or safety of the Services; Marketing activities

We do not knowingly collect or use personal information of anyone under the age of 18. 

Sensitive Personal Information

When we collect government identification (such as Your driver’s license number or Social Security number) or financial details (such as Your bank account or credit card numbers), we are deemed to be collecting data that is “sensitive” under state privacy laws. We use this information for purposes such as to provide the Services to You, to detect security incidents, and protect against malicious or fraudulent actions. Where legally required, We will obtain Your consent for collecting this information. For Our California Users, We do not use or disclose sensitive personal information for any purpose that requires an opt out and use it only for purposes such as to provide the Services to You, to detect security incidents, and protect against malicious or fraudulent actions. We do not use or disclose such information to make inferences or to build a profile about You.

Retention

We retain Your personal information as long as it is necessary to provide You Our Services and to comply with Our data retention requirements, including to comply with legal and regulatory obligations. Even after You stop using the Services, We may be required to keep Your information for as long as necessary to comply with legal and regulatory obligations, to make or defend legal claims, and to protect against fraudulent activity of others.

Sales/Sharing

We allow third party ad providers to collect personal information from Our Website visitors in order to provide targeted advertising and analytics. This practice may constitute a sale of personal information under certain state laws and, in California, may also constitute “sharing” (which is a term used to address the sharing of information for advertising purposes) of personal information. To the extent that Our practice constitutes a sale or sharing of Your personal information, You have the right to opt-out of the sale or sharing of Your personal information with third parties for purposes of targeted advertising by filling out this Opt-Out Form and by enabling Global Privacy Control on Your browser or opting-out of cookies by clicking here:

Global Privacy Control (“GPC”) is a setting You can enable in Your web browser to communicate Your privacy preference for not having certain information about Your webpage visits collected across websites. For all the details, including how to turn on GPC, visit https://globalprivacycontrol.org/. Our Websites that link to this Supplemental Privacy Notice recognize and respond to GPC signals.

Consistent with Our practice of not collecting data on anyone under 18 years old, we do not have actual knowledge that we shared information on minors with the companies We work with on targeted advertising.

Understanding Your Rights

Subject to certain limitations and depending on Your state of residence, You have the following rights with respect to the personal information that we collect about You:

  1. Right to Know. You can ask Us to give You information about our collection and use of Your personal information. Specifically, You can request that we provide You one or more of the following:

    • The categories of personal information we collected about You.

    • The categories of sources from which we collected Your personal information.

    • Our business and commercial purposes for collecting, selling, or sharing Your personal information.

    • The categories of third parties to whom we disclose Your personal information.

    • The specific pieces of personal information we collected about You.

  2. Right to Delete. Subject to certain limitations, You can ask Us to delete Your personal information.

  3. Right to Correct. You can ask Us to correct inaccurate personal information that we have about You.

  4. Right to Opt Out of Targeted Advertising or Sale. You can ask Us to stop using Your personal information for targeted advertising. Please see the discussion on Sales/Sharing above.

  5. Right Against Discrimination. We will not discriminate against You for exercising Your rights.

You can request to exercise Your right to know, delete, or correct Your personal information by emailing privacy@hq.bill.com or by initiating a chat with Our Support Team here. If You do not receive a confirmation of our receipt of Your request within 10 days, we may not have received Your request and You should re-submit it. Once we receive Your request, we will attempt to verify Your identity. We may ask You for additional information to help Us verify Your identity, including by asking You to confirm other personal information You have provided to Us. We may deny Your request for reasons permitted by law, including our inability to verify Your identity. If we deny Your request, we will tell You why we did so. 

Subject to certain restrictions, You can have an agent exercise Your rights for You. If You have an agent exercising Your rights, that person must provide to Us Your written authorization allowing them to make such a request on Your behalf. We reserve the right to deny the agent’s request if we are not reasonably able to confirm proper authorization and/or verify Your identity as the requestor.

Appeals

Residents of Colorado, Connecticut, Montana, Oregon, Texas, and Virginia can appeal a refusal to take action on a request by contacting Us by email at privacy@hq.bill.com.

Contact

If You have any questions or concerns about this Supplemental Privacy Notice, You can email Us at privacy@hq.bill.com or You can contact BILL Customer Support through the BILL Help Center.