Effective date: August 2021
1. About eBillity
eBillity (eBillity, we, our or us) is a trading name of Boston Billing Solutions, LLC d/b/a eBillity.
3. What personal data do we collect about you?
This section informs you of what information we collect about you and why. Personal data means any information about an individual from which that individual can be identified.
Our primary purpose in collecting personal information from you is to provide you with a safe, smooth, efficient, and customized experience. This allows us to provide services and features that most likely meet your needs, and to customize our service to make your experience safer and easier. We only collect personal information about you that we consider necessary for achieving this purpose.
In general, you can browse our website and download our apps without telling us who you are or revealing any personal information about yourself. Once you become a Subscriber or a Customer (or a member of staff of either), we require you to provide your name, mailing and billing addresses, email addresses, telephone number, and credit card information (as described further below), and other personal information as indicated on the relevant forms on the Services (which vary, depending on what kind of User you are), and you are no longer anonymous to us. Where possible, we indicate which fields are required on these forms and which fields are optional.
In addition, as you use the Services, you can from time to time enter or send us personal information. For example, if you are a Subscriber, you can enter your own timesheet and other billing information, and if you are a Customer you can enter information about payment of any invoice submitted by a Subscriber. As you use the Services you can also from time to time enter personal information about third parties. For example, if you are a Subscriber, you can enter personal information about your Customers or your staff.
You always have the option to not provide information by choosing not to become a User or by not using the particular feature of the Services for which the information is being collected. However, each Customer should note that personal information concerning Customers may be retained by Subscribers whether or not such Customer uses the Services.
If you are a Subscriber, we collect your credit card or other payment information and your contact information for billing purposes. And if you are a Customer who wishes to pay amounts to a Subscriber on a recurring basis, we collect and store your credit card or other payment information and your contact information for billing purposes. We do not store credit card or other payment method information unless the Subscriber or any Customer chooses to enter credit card information for use in the eBillity recurring profiles module; in all other cases we share payment information with applicable financial institutions (such as PayPal, Authorize.net, and PSiGate) which store and process such information on their applicable terms.
As a time billing service, we store confidential information submitted by Users that may also constitute privileged communications between an attorney and client. We will not review, see, use or disclose such confidential information except as compelled or required by law as set forth below.
To provide greater detail about the personal data we collect: we may collect, use, store and transfer different kinds of personal data about you or in relation to you which we have grouped together as follows:
- Identity Data including first name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data including billing address, home address, email address and telephone numbers.
- Financial Data including bank account and payment card details.
- Transaction Data including details about payments to and from you and other details of products and services you have purchased from us.
- Technical Data including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device identifiers and other technology on the devices you use to access our websites.
- Profile Data including your username and password, purchases made by you, your interests, preferences, feedback and survey responses.
- Usage Data including information about how you use the websites and services.
- Marketing and Communications Data including your preferences in receiving marketing from us and third parties and your communication preferences.
- Location Data if you opt for location data to be activated when using the Services.
- Biometric Data including face geometry data, if you either request or use biometric data services from us.
With respect to Biometric Data, Subscribers are responsible for compliance with applicable law and for adopting their own biometric data privacy policies. To the extent required by law, Subscribers will obtain written authorization for the Subscriber and eBillity to collect, retain, and use Biometric Data from each staff member prior to collection of such data. Biometric Data will be used solely for identification and fraud prevention purposes.
Special Category Data means details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not seek to collect or otherwise process your Special Category Data unless you request us to.
4. How is your personal data collected?
We use different methods to collect data from and about you including through:
We collect personal data about you if you fill in forms on the Services or correspond with us by telephone, email or otherwise. This includes information you provide when you:
- register to use our Services or trial our products or services;
- buy our products or services;
- enter a competition, promotion or survey; or
- report a problem with our Services or give us feedback.
We may process personal data that you manifestly choose to make public, including via social media (e.g. we may collect information from your social media profile(s), to the extent that you choose to make your profile visible).
Automated technologies or interactions:
If you use our Services, we automatically collect the following information:
- web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform; and
- information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our Site (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).
Where we collect information about you in the ways described above, we do so on the basis that it is in our legitimate interests to collect and process this data. In most situations this data will be anonymised, but we collect and process this data to ensure that our site is functioning properly and that our customer experience is to the standard that you and we expect.
Our website may contain links to and from the websites of advertisers, affiliates and partners. If you follow a link to any of these websites or authorise integration with any of the partners featured on the website, please note that these websites and partners have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites or partners.
In some circumstances we use automated profiling to help suggest new features of our Services that may interest you, depending on your usage of the Services, and to monitor usage of the Services to help us improve the Services.
Information we receive from other sources:
We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
When we receive information from other sources, we rely on them having the appropriate provisions in place telling you how they collect data and who they may share it with. We carefully check our sources to ensure that we only receive your information when it is lawful for us to do so.
5. The purposes for which we will use your personal data
This section explains how we will use information you provide to us in order to carry out the activities relevant to the provision of our services to you.
Information you give to us. We will use this information to:
- carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- respond to your enquiries or to process your requests in relation to your information;
- let you know about important changes or developments to our Services;
- provide and personalise our services generally;
- administer records of our services;
- bill any amounts due from you; resolve service and billing disputes; troubleshoot problems;
- carry out market research campaigns;
- provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
- provide you, or permit selected third parties that you have consented to provide you, with information about goods, services or educational programs we feel may interest you;
- contact you to let you know about other products and services that we offer and feel may be of interest, as set out in the section on Communications;
- ensure that content from our site is presented in the most effective manner for you and for your computer, making the site easier for you to use and to provide you with a smooth, efficient, safe and customized experience while using the Services.
Information we collect about you. We will use this information to:
- administer the Services and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- improve the Services to ensure that content is presented in the most effective manner for you and for your computer;
- customize the website and app content, layout, and services;
- allow you to participate in interactive features of our Services, when you choose to do so;
- be used as part of our efforts to keep the Services safe and secure;
- confirm the identities of staff members;
- measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
- make suggestions and recommendations to you and other Users of our Services about goods or services that may interest you or them.
Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
We must have a lawful basis for processing your personal data. We consider that we have a lawful basis where:
- you have given us consent to do so for the specific purposes which we have told you about – for example, if you are an EEA or Switzerland resident, we will need your consent to send direct marketing materials to you;
- it is necessary for us to do so to enable us to provide you with the services that you have requested from us – for example, contacting you about the availability of the service;
- it is necessary in order to fulfil our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests; or
- the law otherwise permits or requires it.
Where we process your personal data on the basis of our legitimate interests, these are our (or our third party’s) interests in providing our services to you in an efficient and secure manner.
In addition to the above, and on occasion, we use email addresses or other contact information to contact our Users to ask them for their input on our Services, to forward to them media opportunities, and even to invite them to dinner.
This section is to explain how we will ensure that you only receive communications that you wish to receive.
If you have provided your consent to receive marketing communications from us and you change your mind, you can change your preferences and unsubscribe at any time by following the unsubscribe instructions provided in the materials or contacting us at email@example.com.
As detailed in section 5, we may send you communications such as those which relate to any service updates (e.g. service disruption) or provide customer satisfaction surveys. We consider that we can lawfully send these communications to you as we have a legitimate interest to do so, namely to effectively provide you with the best service we can and to grow our business.
7. Who will have access to your personal data?
8. Who else might we share your personal data with?
This section explains who we share your personal data with and why.
We will not sell, lease or trade your personal information to third parties without your explicit consent. The following describes some of the ways that your information may be disclosed in the normal scope of business to provide our services.
Subscribers, Customers, and other Users: In the normal operation of the Services Subscriber timesheets (including information entered by staff members) and invoices are disclosed to the applicable Customers, and Customer information is disclosed to the applicable Subscriber. In general, the information you enter via the Services is available to Customers, Subscribers, staff members of Customers and Subscribers, and other Users to whom you give access to your account or to whom you give access to the information through the normal operation of the Services.
Anonymized Aggregated Data: We aggregate and anonymize sales information including (but not limited to) industry type, number of invoices sent, average invoice size, method of sending invoices, percentage paid online, sales amounts and average sale per Customer, and disclose such information in a non-personally identifiable manner to Subscribers. However, in these situations, we do not disclose any information that could be used to identify you personally.
As Required By Law: We may be required to disclose your personal information by operation of law, or in response to a valid order of a court, public authorities or governmental agency, deposition, interrogatory, request for documents, subpoena, civil investigative demand or similar process, including to meet national security or law enforcement requirements, provided that you may, unless legally prohibited, provide us with prior written notice sufficient to permit us an opportunity to contest or limit the nature and scope of such disclosure, including but not limited to redacting or withholding privileged communications.
Our accountability for personal data that we receive under the Privacy Shield and subsequently transfer to a third party is described in the Privacy Shield Principles. In particular, we remain responsible and liable under the Privacy Shield Principles if third-party agents that we engage to process the personal data on our behalf do so in a manner inconsistent with the Principles unless we prove that we are not responsible for the event giving rise to the damage. We are also liable under European law for all data relating to EEA citizens that we share with third parties and under the laws of Switzerland for all data relating to Swiss citizens that we share with third parties.
If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to the new owner (or a prospective new owner). If this happens, you will be informed of this transfer.
9. How do we protect your personal data?
This section explains how we keep your personal data safe and where it will be held.
We take your privacy seriously and are committed to maintaining the privacy and security of the personal data you provide to us, and the choices you have regarding our collection and use of your personal data.
Once we have received your personal data, we follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised access.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Services, you are responsible for keeping this password confidential. You should not share this information with anyone.
The information that we collect from you will be stored at a destination outside the European Economic Area (EEA) and Switzerland. We will ensure that it is adequately protected by using appropriate safeguards as further detailed below.
For EEA citizens: your personal data is transferred from the EEA to the USA, which is not recognised by the European Commission as providing an adequate level of protection for personal data, and therefore the transfer will be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data:
- Standard Contractual Clauses (the agreement in the form annexed to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which can be found here); or
- the EU-US Privacy Shield Framework, and Swiss-U.S. Privacy Shield Frameworks.
For Switzerland citizens: your personal data is transferred from Switzerland to the USA, which is not recognised by the Federal Data Protection and Information Commissioner as providing an adequate level of protection for personal data, and therefore the transfer will be covered by a framework recognised by the relevant authorities or courts as providing an adequate level of protection for personal data:
- A cross-border processing agreement consistent with the requirements of the Swiss Federal Data Protection and Information Commissioner and the relevant provisions of the Swiss Data Protection Act; or
- the Swiss-US Privacy Shield Framework.
Privacy Shield Frameworks
eBillity has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
eBillity is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Pursuant to the EU-US Privacy Shield and the Swiss-US Privacy Shield, eBillity remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.
10. How long do we keep your personal data?
This section explains the length of time that we will retain your personal data.
We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:
- All other personal information relating to Users (including information entered in timesheets and invoices, but excluding any Biometric Data) will be deleted after a period of three months from the last of the three dates referred to above (referring to the applicable account).
- We retain Biometric Data until the earlier of the following dates: (a) the date the Subscriber notifies us that it has terminated the applicable staff member, (b) the date the Subscriber notifies us that it has otherwise discontinued using biometric data services with respect to that staff member, or (c) within 3 (three) years of the staff member’s last interaction with the Service.
- However, we may continue to process your personal data for such additional periods as are necessary in connection with any legal claims or legal proceedings that may exist after the time periods referred to above, but we shall process that data only for those purposes in such a case.
Any third parties that we engage will keep your data stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third party providers, we will make sure that they securely delete or return your personal data to us unless otherwise required by law.
We may retain personal data relating to you for statistical purposes. Where data is retained for statistical purposes it will always be anonymised, meaning that you will not be identifiable from that data.
11. What are your rights?
You have a right to access your data and may do so by emailing firstname.lastname@example.org. Subscribers may correct, amend, or delete the personal data they have provided us by logging into the Site and making such change to their information where applicable. eBillity may not have a direct relationship with all Users or individuals with whom our Subscribers may interact using the Service. Any such individual seeking access to, or who would like to correct, amend, or delete personal data which may be stored on the Site should direct his or her query to the applicable eBillity Subscriber who has entered their information. At the request of our Users, we will remove any data placed in their accounts.
For more details about the personal information we have collected over the last 12 months, including the categories of sources, please see Section 3 above. We collect this information for the business and commercial purposes described in Section 5 above. We share this information with the categories of third parties described in Sections 7 and 8 above. eBillity does not sell (as such term is defined in the California Consumer Privacy Act) the personal information we collect (and will not sell it without providing a right to opt out).
The following section applies to EEA residents only. It explains that you have a number of rights in relation to your personal data. There are circumstances in which some rights may not apply. You have the right to request that we:
- provide you with a copy of the information we hold about you;
- update any of your personal data if it is inaccurate or out of date;
- delete the personal data we hold about you – if we are providing services to you and you ask us to delete personal data we hold about you then we may be unable to continue providing those services to you;
- restrict the way in which we process your personal data;
- stop processing your data if you have valid objections to such processing; and
- transfer your personal data to a third party.
Subscribers may correct, amend, or delete the personal information they have provided us by logging into the Site and making such change to their information where applicable, but this does not affect our obligation to keep your data accurate. We may not have a direct relationship with all Users or individuals with whom our Subscribers may interact using the services. If you are such a User and you would like to correct, amend, or delete personal information which we may hold, we ask that you direct your request first to the applicable eBillity Subscriber who has entered your information.
You have the right to object to automated decision-making. This is where a decision, which produces legal effects or similarly significantly affects you, has been based solely on automated processing (including profiling). Where we make an automated decision about you, you have the right to contest the decision and request a human review of the accuracy.
For more information on your rights and how to use them, or if you would like to make any of the requests set out above, please contact us using the details provided in this section.
If you seek to exercise any rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
As explained in the section on Communications, even if you consented to the processing of your personal data for marketing purposes (by ticking the relevant box or by requesting information about services), you have the right to ask us to stop processing your personal data for such purposes.
You can exercise any right at any time by contacting us at email@example.com.
Web beacons, also known as pixel tags and clear GIFs, (Web Beacons), are electronic images that allow a website to access cookies and help track marketing campaigns and general usage patterns of visitors to those websites. Web Beacons can recognize certain types of information, such as cookie numbers, time and date of a page view and a description of the page where the Web Beacons are placed. No personal information about you is shared with third parties through the use of Web Beacons on the website. However, through Web Beacons, we may collect general information that will not personally identify you, such as Internet browser, operating system, IP address, date of visit, time of visit and path taken through the website.
eBillity may use Web Beacons internally to count visitors and recognize visitors through cookies. Access to cookies helps eBillity personalise the experience of our Subscribers and Customers when each visits the website.
13. Who can you ask for more information?
It is our goal to make our privacy practices easy to understand. If you have questions, concerns or if you would like more detailed information, please email our privacy officer at firstname.lastname@example.org.
For EEA residents: If you are unsatisfied with our response to any data protection issues you raise with us, you have the right to make a complaint to the Information Commissioner’s Office (ICO), or the data protection supervisory authority in your jurisdiction. The ICO is the authority in the UK which is tasked with the protection of personal data and privacy.
For Switzerland residents: If you are unsatisfied with our response to any data protection issues you raise with us, you have the right to make a complaint to the Swiss Federal Data Protection and Information Commissioner.