Last update: June 15, 2021
Tradeshift respects the privacy of individuals and the protection of personal data entrusted to our customers that is processed in our solutions. The Tradeshift Platform and associated software-as-a-service offerings are business-to-business services and are not a service for use by individual consumers.
We use the terms “you” and “your” in this document to refer to users of the solution authorized to use the Tradeshift services for the benefit of a business or organization and have drafted this policy to speak to you, as a user.
Please read the following carefully to understand our views and practices regarding your Personal Data and how we, as a processor of your Personal Data, will interact with it.
The Tradeshift Platform and Software Services (referred to in this document together as the “Tradeshift Platform” or “Platform”) are operated by Tradeshift Inc. (“Tradeshift”, “we” or “us”) with certain operations subcontracted to Tradeshift affiliated companies and subcontractors. Our registered Federal Tax Identification Number is 98-1023485 and our address is 221 Main Street, Suite 250, San Francisco, CA 94015, USA.
“Personal Data” means the information identifiable as associated with an individual human being such as name, email address, and username as referenced below.
“Tradeshift Customer” means the organization or business entity that is subscribed to or authorized to use the Tradeshift Platform, which may include a Tradeshift reseller. Tradeshift Customers use the Tradeshift Platform as “buyers” or “sellers” to collaborate and exchange business documents and take advantage of other offerings (whether from Tradeshift or third party service companies) accessible via the Tradeshift Platform.
“User” means any person using our Platform (whether that person has paid for such use or not) and “Users”, “you” and “your” shall be construed accordingly. Each User is associated with and is using the Platform on behalf of a Tradeshift Customer referred to sometimes below as “your company.”
User Accounts: When you register your company on the Platform or add a new User to your company’s account we will collect the individual’s first and last name, a username, country of business and business email address. Individuals may also submit a business phone number and title. We do not collect an individual’s home address. Individuals should not submit personal credit card numbers, personal tax identifiers, or medical information to the Platform.
Cookies: Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit, register and use our Platform, we may collect information from you automatically through cookies or similar technology. Our cookies policy explains what data we collect from users of the Platform and what we do with it when you browse through our Site (e.g. your IP address).
Personal Data in Transactions: Some business documents exchanged on the Platform and via the various services available from the Platform may include Personal Data but are not required to do so. Increasingly companies are not including individual contact names but rather department email addresses and phone numbers on their transaction documents (e.g. Accountspayable@GoodSupply.com rather than “Sue Smith, Accounts Payable, Good Supply Company”).
Business contact information (containing Personal Data) for your company’s trading partners may also be stored in the Platform to facilitate engagement within the context of the Services.
Other Personal Data Collected: Certain Services may require additional Personal Data to be submitted to Tradeshift via the Platform, such as KYC information requested in connection with the Tradeshift Cash working capital programs, and in such cases, Tradeshift will provide additional clarification in relation to the request.
Usage Information: Information about how you transact with the platform using our Services, including access time, “log-in” and “log-out” information, browser type and language, country and language setting on your device, IP address, other attributes about your browser, mobile device and operating system, features you use, and the date and time of use of the Services.
Device Information: Information about your device, including hardware model, operating system and version, device name, unique device identifier, mobile network information, and information about the device’s interaction with our Services.
User Accounts: We will need your name and username in order to authenticate your User account and validate it with your company’s usage of our Platform, so that you can benefit from the Software Services that are being provided to your company. We will need your email address to send you an activation link to your profile so that you can receive business documents and network requests on behalf of your company. We will also need your email address in case you forget your password or wish to receive emails from us with news about our services or changes to any of our policies or terms and conditions. Your IP address is logged by us in association with transactions and activities on the Platform so that we mitigate spam, fraud or abuse of our Platform. We will store this data for as long as necessary for the purposes of the Services as agreed in our agreement with your company, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period, or removal is technically impractical. For so long as it is stored we will protect the personal data according to the Tradeshift Information Security Policy and as agreed with your company.
Personal Data in Transactions: Tradeshift Customers decide how much or how little Personal Data to include in the business documents exchanged on the Platform; however, Tradeshift Customers may not allow submission of personal medical information, personal tax ids or personal financial information (“Sensitive Personal Information”) or other sensitive personal data requiring special protection measures based on local law to the Platform.
Tradeshift Customers use the Platform to store business contact information about their trading partners to facilitate engagement and collaboration with such parties by the Tradeshift Customer and by Tradeshift acting on the customer’s behalf. In order for Tradeshift to perform certain actions related to seller onboarding for a buyer, Tradeshift needs some business contact information for trading partners which can include Personal Data.
We use your user account data to administer the Platform, log transactions, and otherwise provide the Services as agreed with your company. Others in your company may also have access to your user account data and may be the ones to administer changes to the data.
We will not share your login data (your name, username, email address and IP address) with anyone other than our service providers and others in your company (or the Tradeshift Customer who manages your user account) except in the circumstances referred to in this policy or in agreement with the Tradeshift Customer.
From time to time we communicate to users using the email address they’ve submitted, to notify them of updates or changes to the Platform or Services, announce changes to policies, request information regarding a support issue, and other standard communications associated with the operation and management of an online service. In most cases such communications will be directed to the “Admin” level users who will then communicate with other users from their company.
From time to time we may send you, as a representative of a Tradeshift Customer, news, updates and sales offers which you can easily opt out of receiving by clicking “unsubscribe” in the relevant email.
Tradeshift may use the business contact information stored by you in the Platform in performance of the Services for the Tradeshift Customer, such as seller onboarding activities, and as may be required by law for compliance.
All information you provide to us is stored on secure servers managed by us, an affiliate or a service provider. The Tradeshift Platform, used by organizations outside of China, is primarily hosted in a data center in Ireland although integrated services may be hosted in other countries. Personal data may be transferred internationally between the various data centers and integrated service locations.
Your account will be secured with a password which enables you to access the Platform. You are responsible for keeping this password confidential. You should never share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Platform; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access as described in the Tradeshift Information Security Policy.
We will need you to help us ensure the Personal Data you provided to us is accurate and up to date. If you wish to correct and update any of your Personal Data, you may do so by updating the Personal Data through the preferences available in your account. Your company’s administrator may also be able to assist with changes. Note that some changes or removal of your account need to be requested more formally by your company’s administrator because Tradeshift is operating the system for the benefit of and at the instruction of the Tradeshift Customer.
If European Union law is applicable to your Personal Data, note that Tradeshift is a “processor” of your information on behalf of your company, which is the “controller.” Tradeshift will work with the controller to help you exercise your data protection rights (access, rectification, erasure, etc.) but only upon consent and at the direction of the controller.
In the event of onward transfers of personal data, Tradeshift retains responsibility for only allowing further processing of data by third parties acting on our behalf to be done in a manner that is consistent with our agreement with your company or the Tradeshift Customer including, as may apply to Personal Data from individuals in the European Union and other countries with international transfer restrictions in their data protection laws, the Standard Contractual Clauses, and/or a Data Processing Agreement executed between Tradeshift and the Tradeshift Customer.
We engage service providers to perform functions and provide services to us. Where allowed by law, we may share your Personal Data with such service providers subject to obligations consistent with this policy and any other appropriate confidentiality and security measures, and on the condition that the third parties use your private personal data only on our behalf and pursuant to our instructions. Tradeshift maintains a list of service providers who perform follow-on processing of Personal Data at List of Subprocessors for the Tradeshift platform. We endeavor to keep the list up to date and each Tradeshift Customer may request the latest list at any time.
Our employees, agents, consultants, contractors, or other authorized personnel may have access to user information as necessary in the normal course of our business in support of operations, customer care and communications, usage tracking, processing of requested transactions, and security incident investigations.
If the Platform, a specific business line, a Software Service, Tradeshift, or substantially all of its assets, were acquired, liquidated, or dissolved, user information including Personal Data would be one of the assets that is transferred but the successor business would be bound by the terms of our agreements with Tradeshift Customers, including this policy.
We may disclose information, including, without limitation, Personal Data to comply with applicable laws, regulations, legal processes or governmental requests including the export laws of various countries to prevent access and use of the Services by certain entities and individuals. We reserve the right to disclose a user’s Personal Data if we believe, in good faith, that the user is in violation of the Terms of Service or other agreement with Tradeshift, even without a subpoena, warrant or other court order.
We provide you the ability to exercise certain controls and choices regarding our collection, use and sharing of your information, but since your user account is managed by the Tradeshift Customer, some choices must be made through your company and not from you, the individual.
If you have a Tradeshift account, you can help ensure that your contact information and preferences are accurate, complete, and up to date by logging in to your Tradeshift account. For other Personal Data we hold, we will provide you with access for any purpose including requesting that we correct the data if it is inaccurate or delete the data if we are not required to retain it by law or for legitimate business purposes. We may decline to process requests that are frivolous/vexatious, jeopardize the privacy of others, are extremely impractical, or for which access is not otherwise required by local law.
We have put in place physical, electronic, and procedural controls designed to help prevent unauthorized access, to maintain data security, and to use correctly the information we collect online. These safeguards vary based on the sensitivity of the information that we collect and store. The Tradeshift Information Security Policy provides further information about our approach to security of our systems underlying the Platform.
For transfer of personal data of individuals in the European Economic Area (the “EEA”) to countries that do not have a statutory level of data protection approved by the EU Commission as comparable to the protection required within the European Union, Tradeshift utilizes the Standard Contractual Clauses approved by the EU Commission to contractually provide for a consistent level of protection.
Tradeshift considers the following uses of Personal Data in relation to use of the Software Services and Tradeshift Platform to constitute a legitimate interest, as that term is used in EU data protection law: Contacting you for billing purposes, administrative notices, system outage information, or investigation of security incidents, product and service updates and changes, legal disputes, claims of fraudulent use of the system or violation of the Terms of Service. If you do not agree with this, you may object as set out in this policy.
The California Consumer Privacy Act (“CCPA”), which is effective as of January 1, 2020, regulates how we handle personal information of California residents and gives California residents certain rights with respect to their personal information.
When we act as a service provider (for example, by providing our services to another company that you interact with), we follow the instructions of the business that engaged us with respect to how we process your personal information. If you would like more information about how your personal information is processed by other companies, including companies that engage us as a service provider, please contact those companies directly.
We may collect the following categories of information:
For each category of information, we collect the information from a variety of sources, including directly from you, from your devices, from your company, and/or from third party providers. We collect the information to provide you with services, protect our customers and ourselves (including the services), and to improve the services. We do not share personal information with Third Parties as the term is defined under the CCPA.
We do not sell personal information of any individual, including personal information of minors under 16 years of age.
We have disclosed the following categories of personal information for a business purpose in the 12 months prior to this Policy’s last update.
We have not disclosed any personal information for valuable consideration in the 12 months prior to this Policy’s last update.
You may have certain rights with respect to your personal information, including:
If you would prefer, you may designate an authorized agent to make a request on your behalf.