Tradeshift platform privacy policy

Last update: June 15, 2021

Tradeshift respects the privacy of individuals and the protection of personal data entrusted to our customers that is processed in our solutions.  The Tradeshift Platform and associated software-as-a-service offerings are business-to-business services and are not a service for use by individual consumers.

This Tradeshift Platform Privacy Policy (together with our Terms Of Service and any other documents referred to in it) sets out the basis for processing of any Personal Data we collect (or which is provided to us) from the companies who use the Tradeshift Platform and the Tradeshift software-as-a-service offerings for businesses (e.g. Tradeshift® Pay, Tradeshift® Buy, and Tradeshift® Engage) (the “Software Services”), including Personal Data associated with the users authorized by such companies.  Third parties may offer their own software from the Tradeshift Platform and in use of such software, the privacy statement of the third party applies and this Privacy Policy does not.

We use the terms “you” and “your” in this document to refer to users of the solution authorized to use the Tradeshift services for the benefit of a business or organization and have drafted this policy to speak to you, as a user.

This policy does not address the handling of personal data by Tradeshift gathered from or submitted by visitors to Tradeshift’s marketing website pages, educational events, webinars, conferences and other marketing activities.  Processing of personal data by Tradeshift related to such marketing activities is governed by the Tradeshift Website Privacy Policy.

Please read the following carefully to understand our views and practices regarding your Personal Data and how we, as a processor of your Personal Data will interact with it.

A. Who we are

The Tradeshift Platform and Software Services (referred to in this document together as the “Tradeshift Platform” or “Platform”) are operated by Tradeshift Inc. (“Tradeshift”“we” or “us”) with certain operations subcontracted to Tradeshift affiliated companies and subcontractors.   Our registered Federal Tax Identification Number is 98-1023485 and our address is  447 Sutter Street, Suite 405, San Francisco, CA 94015,USA.

B. Defined terms

“Personal Data” means the information identifiable as associated with an individual human being such as name, email address, and username as referenced below.

“Tradeshift Customer” means the organization or business entity that is subscribed to or authorized to use the Tradeshift Platform, which may include a Tradeshift reseller.  Tradeshift Customers use the Tradeshift Platform as “buyers” or “sellers” to collaborate and exchange business documents and take advantage of other offerings (whether from Tradeshift or third party service companies) accessible via the Tradeshift Platform.

“User” means any person using our Platform (whether that person has paid for such use or not) and “Users”, “you” and “your” shall be construed accordingly.  Each User is associated with and is using the Platform on behalf of a Tradeshift Customer referred to sometimes below as “your company.”

C.  Information we collect, why, and how we use it

When you register on the Platform

User Accounts: When you register your company on the Platform or add a new User to your company’s account we will collect the individual’s first and last name, a username, country of business and business email address.  Individuals may also submit a business phone number and title.  We do not collect an individual’s home address.  Individuals should not submit personal credit card numbers, personal tax identifiers, or medical information to the Platform.

Cookies: Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit, register and use our Platform, we may collect information from you automatically through cookies or similar technology. Our cookies policy explains what data we collect from users of the Platform and what we do with it when you browse through our Site (e.g. your IP address).

As you use the Tradeshift Platform

Personal Data in Transactions: Some business documents exchanged on the Platform and via the various services available from the Platform may include Personal Data but are not required to do so.  Increasingly companies are not including individual contact names but rather department email addresses and phone numbers on their transaction documents (e.g. Accountspayable@GoodSupply.com rather than “Sue Smith, Accounts Payable, Good Supply Company”).

Business contact information (containing Personal Data) for your company’s trading partners may also be stored in the Platform to facilitate engagement within the context of the Services.

Other Personal Data Collected: Certain Services may require additional Personal Data to be submitted to Tradeshift via the Platform, such as KYC information requested in connection with the Tradeshift Cash working capital programs, and in such cases, Tradeshift will provide additional clarification in relation to the request.

Usage Information: Information about how you transact with the platform using our Services, including access time, “log-in” and “log-out” information, browser type and language, country and language setting on your device, IP address, other attributes about your browser, mobile device and operating system, features you use, and the date and time of use of the Services.

Device Information: Information about your device, including hardware model, operating system and version, device name, unique device identifier, mobile network information, and information about the device’s interaction with our Services.

Why we need this data

User Accounts: We will need your name and username in order to authenticate your User account and validate it with your company’s usage of our Platform, so that you can benefit from the Software Services that are being provided to your company. We will need your email address to send you an activation link to your profile so that you can receive business documents and network requests on behalf of your company. We will also need your email address in case you forget your password or wish to receive emails from us with news about our services or changes to any of our policies or terms and conditions. Your IP address is logged by us in association with transactions and activities on the Platform so that we mitigate spam, fraud or abuse of our Platform. We will store this data for as long as necessary for the purposes of the Services as agreed in our agreement with your company, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period, or removal is technically impractical.  For so long as it is stored we will protect the personal data according to the Tradeshift Information Security Policy and as agreed with your company.

Personal Data in Transactions: Tradeshift Customers decide how much or how little Personal Data to include in the business documents exchanged on the Platform, however Tradeshift Customers may not allow submission of personal medical information, personal tax ids or personal financial information (“Sensitive Personal Information”) or other sensitive personal data requiring special protection measures based on local law to the Platform.

Tradeshift Customers use the Platform to store business contact information about their trading partners to facilitate engagement and collaboration with such parties by the Tradeshift Customer and by Tradeshift acting on the customer’s behalf.  In order for Tradeshift to perform certain actions related to seller onboarding for a buyer, Tradeshift needs some business contact information for trading partners which can include Personal Data.

How we use this data

We use your user account data to administer the Platform, log transactions, and otherwise provide the Services as agreed with your company.  Others in your company may also have access to your user account data and may be the ones to administer changes to the data.

We will not share your login data (your name, username, email address and IP address) with anyone other than our service providers and others in your company (or the Tradeshift Customer who manages your user account) except in the circumstances referred to in this policy or in agreement with the Tradeshift Customer.

From time to time we communicate to users using the email address they’ve submitted, to notify them of updates or changes to the Platform or Services,  announce changes to policies, request information regarding a support issue, and other standard communications associated with the operation and management of an online service.  In most cases such communications will be directed to the “Admin” level users who will then communicate with other users from their company.

From time to time we may send you, as a representative of a Tradeshift Customer, news, updates and sales offers which you can easily opt out of receiving by clicking “unsubscribe” in the relevant email.

Tradeshift may use the business contact information stored by you in the Platform in performance of the Services for the Tradeshift Customer, such as seller onboarding activities, and as may be required by law for compliance.

D.  How we store your personal data

All information you provide to us is stored on secure servers managed by us, an affiliate or a service provider. The Tradeshift Platform, used by organizations outside of China, is primarily hosted in a data center in Ireland although integrated services may be hosted in other countries.  Personal data may be transferred internationally between the various data centers and integrated service locations.

Your account will be secured with a password which enables you to access the Platform. You are responsible for keeping this password confidential. You should never share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Platform; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access as described in the Tradeshift Information Security Policy.

E.  Updating your personal data

We will need you to help us ensure the Personal Data you provided to us is accurate and up to date. If you wish to correct and update any of your Personal Data, you may do so by updating the Personal Data through the preferences available in your account.  Your company’s administrator may also be able to assist with changes.  Note that some changes or removal of your account need to be requested more formally by your company’s administrator because Tradeshift is operating the system for the benefit of and at the instruction of the Tradeshift Customer.

If European Union law is applicable to your Personal Data, note that Tradeshift is a “processor” of your information on behalf of your company who is the “controller.”  Tradeshift will work with the controller to help you exercise your data protection rights (access, rectification, erasure, etc)  but only upon consent and at the direction of the controller.

F.  Information Sharing

Onward transfers

In the event of onward transfers of personal data, Tradeshift retains responsibility for only allowing further processing of data by third parties acting on our behalf to be done in a manner that is consistent with our agreement with your company or the Tradeshift Customer including, as may apply to Personal Data from individuals in the European Union and other countries with international transfer restrictions in their data protection laws, the Standard Contractual Clauses, and/or a Data Processing Agreement executed between Tradeshift and the Tradeshift Customer.

Service Providers

We engage service providers to perform functions and provide services to us. Where allowed by law, we may share your Personal Data with such service providers subject to obligations consistent with this policy and any other appropriate confidentiality and security measures, and on the condition that the third parties use your private personal data only on our behalf and pursuant to our instructions.  Tradeshift maintains a list of service providers who perform follow-on processing of Personal Data at List of Subprocessors for the Tradeshift platform.  We endeavor to keep the list up to date and each Tradeshift Customer may request the latest list at any time.

Authorized Personnel

Our employees, agents, consultants, contractors, or other authorized personnel may have access to user information as necessary in the normal course of our business in support of operations, customer care and communications, usage tracking, processing of requested transactions, and security incident investigations.

Business Transfers

If the Platform, a specific business line, a Software Service, Tradeshift, or substantially all of its assets, were acquired, liquidated, or dissolved, user information including Personal Data would be one of the assets that is transferred but the successor business would be bound by the terms of our agreements with Tradeshift Customers, including this policy.

Government, Law Enforcement and Third Parties

We may disclose  information, including, without limitation, Personal Data to comply with applicable laws, regulations, legal processes or governmental requests including the export laws of various countries to prevent access and use of the Services by certain entities and individuals.  We reserve the right to disclose a user’s Personal Data if we believe, in good faith, that the user is in violation of the Terms of Service or other agreement with Tradeshift, even without a subpoena, warrant or other court order.

G.  Choice and Opt-Out

We provide you the ability to exercise certain controls and choices regarding our collection, use and sharing of your information, but since your user account is managed by the Tradeshift Customer, some choices must be made through your company and not from you, the individual.

H.  Access and Correcting Your Information

If you have a Tradeshift account, you can help ensure that your contact information and preferences are accurate, complete, and up to date by logging in to your Tradeshift account For other Personal Data we hold, we will provide you with access for any purpose including requesting that we correct the data if it is inaccurate or delete the data if we are not required to retain it by law or for legitimate business purposes. We may decline to process requests that are frivolous/vexatious, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law.

I. Security of Your Information

We have put in place physical, electronic, and procedural controls designed to help prevent unauthorized access, to maintain data security, and to use correctly the information we collect online. These safeguards vary based on the sensitivity of the information that we collect and store.  The Tradeshift Information Security Policy provides further information about our approach to security of our systems underlying the Platform.

J.  Changes to the Privacy Policy

Although most changes are likely to be minor, we may change our Tradeshift Platform Privacy Policy from time to time, and in our sole discretion and subject to our agreements with Tradeshift Customers. We encourage visitors to frequently check this page for any changes to the Tradeshift Platform Privacy Policy. Your continued use of the Platform after any change in this policy will constitute your acceptance of the changes.

K.  Users From Other Jurisdictions

By using the Platform and/or specific Software Services, you acknowledge that you accept the practices and policies outlined in this Tradeshift Platform Privacy Policy and consent to having your data transferred to and processed on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. If you do not accept this Privacy Policy, please do not use the Platform. The Platform is controlled and operated by Tradeshift from the United States with data centers in several jurisdictions as discussed above. If you are not a resident of the United States or you are located outside the United States and choose to use the Platform or provide information to us, please note that we may transfer the information, including Personal Information, to the United States and process it there.

Acceptance of this Privacy Policy, followed by your submission of such information represents your agreement and consent to that transfer. We do not represent or warrant that the Platform, or any portion of the Software Services, are appropriate or available for use in any particular jurisdiction. Those who choose to access the Platform do so on their own initiative and at their own risk, and are responsible for complying with all local laws, rules and regulations. You also are subject to United States export controls in connection with your use of the Platform and are responsible for any violations of such controls, including, without limitation, any United States embargoes or other federal rules and regulations restricting exports. We may limit the availability of the Platform, in whole or in part, to any person, geographic area or jurisdiction that we choose, at any time and in our sole discretion.

Users from Switzerland and the EU

For transfer of personal data of individuals in the European Economic Area (the “EEA”)  to countries that do not have a statutory level of data protection approved by the EU Commission as comparable to the protection required within the European Union, Tradeshift utilizes  the Standard Contractual Clauses approved by the EU Commission to contractually provide for a consistent level of protection.

Legitimate Interest

Tradeshift considers the following uses of Personal Data in relation to use of the Software Services and Tradeshift Platform to constitute a legitimate interest, as that term is used in EU data protection law: Contacting you for billing purposes, administrative notices, system outage information, or investigation of security incidents, product and service updates and changes, legal disputes, claims of fraudulent use of the system or violation of the Terms of Service. If you do not agree with this, you may object as set out in this policy.

Users from California – Supplemental Privacy Policy

The California Consumer Privacy Act (“CCPA”), which is effective as of January 1, 2020, regulates how we handle personal information of California residents and gives California residents certain rights with respect to their personal information.

Tradeshift is both a “business” and a “service provider” under the CCPA. The following supplemental privacy policy applies to information we collect in our role as a business—this is when we interact directly with you.

When we act as a service provider (for example, by providing our services to another company that you interact with), we follow the instructions of the business that engaged us with respect to how we process your personal information. If you would like more information about how your personal information is processed by other companies, including companies that engage us as a service provider, please contact those companies directly.

This supplemental privacy policy is effective as of June 15, 2021, shall apply only to residents of California, and may be subject to change. The general privacy policy shall continue to apply to the extent that it applies to you as a resident of California. If you are a resident of California, we are required to disclose certain uses and disclosures in a certain format, as well as to inform you of certain rights you may have. Any capitalized terms used in this supplemental privacy policy shall have the same meaning as in the general privacy policy.

Information We May Collect – Using CCPA Terminology

We may collect the following categories of information:

  • Identifiers
  • Commercial Information
  • Internet or other electronic network activity information
  • Audio, electronic, visual, or similar information
  • Geolocation data
  • Professional or employment-related information

For each category of information, we collect the information from a variety of sources, including directly from you, from your devices, from your company, and/or from third party providers. We collect the information to provide you with services, protect our customers and ourselves (including the services), and to improve the services. We do not share personal information with Third Parties as the term is defined under the CCPA.

Additional Disclosures

We do not sell personal information of any individual, including personal information of minors under 16 years of age.

We have disclosed the following categories of personal information for a business purpose in the 12 months prior to this Policy’s last update.

  • Identifiers
  • Demographic Information
  • Commercial Information
  • Internet or other electronic network activity information
  • Geolocation data
  • Audio, electronic, visual, or similar information
  • Professional or employment-related information
  • Inferences drawn from any of the above information.

We have not disclosed any personal information for valuable consideration in the 12 months prior to this Policy’s last update.

Your Rights

You may have certain rights with respect to your personal information, including:

  • The right to access, including the right to know the categories and specific pieces of personal information we collect;
  • The right to deletion of your personal information, subject to certain limitations under applicable law;
  • The right to request disclosure of information collected;
  • The right to disclosure of information disclosed for valuable consideration; and
  • The right not to be discriminated against for exercising certain rights under California law.

If you would prefer, you may designate an authorized agent to make a request on your behalf.

L. Contact Information

If you have any questions, feedback, requests or to report a violation regarding the Privacy Policy, you may email us at dpo@tradeshift.com or contact us by mail addressed to: Tradeshift Inc. 447 Sutter Street, Suite 405, San Francisco, CA 94108