What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This policy engages the California Consumer Privacy Act as amended by the CPRA, which grants California residents rights to know, delete, correct, and opt out of sale or sharing of personal information, enforced by the California Privacy Protection Agency and California AG. It also engages GDPR and UK GDPR for EU and EEA and UK residents, requiring lawful bases for processing, data subject rights, and cross-border transfer mechanisms. The Gramm-Leach-Bliley Act applies…

How does Brex's Brex Privacy Policy affect users?

The agreement establishes that Brex collects financial account details, transaction history, identifiers, device and usage data, and third-party sourced information for purposes including product improvement, fraud prevention, marketing, and targeted advertising. Under these terms, personal data may be shared with service providers, financial institution partners, analytics vendors, advertising platforms, and regulatory or law enforcement bodies as described. You can opt out of data sale or sha…

How often is Brex's Brex Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Brex updates this document?

Yes. Monitor subscribers ($19/month) can add Brex to their watchlist and receive same-day email alerts whenever this document or any other Brex document changes.

CA-D-000534

Brex Privacy Policy

Brex

Last change detected May 16, 2026 Privacy policy

SHA-256: 2d4e6b75544907e7cc8… 2 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Brex ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

9 Total

2 High severity

6 Medium severity

1 Low severity

Summary

This is Brex's Privacy Policy, describing how the company collects and uses personal and financial data from customers of its corporate card, business account, payment, and expense management products. The policy authorizes collection of financial account details, transaction data, device identifiers, browsing activity, geolocation data, and third-party sourced information, and permits sharing this data with advertising, analytics, financial, and service provider partners. California residents, EU users, and UK users are granted specific rights including the ability to opt out of data sale or sharing for targeted advertising, request deletion, and access their personal information.

Technical / Legal Breakdown

This document is Brex's Privacy Policy, governing how Brex collects, uses, shares, and retains personal information in connection with its financial services platform, including corporate cards, business accounts, treasury, payments, and travel products. The policy states that Brex collects identifiers, financial account data, transaction history, device and usage information, location data, and information from third-party sources including financial institutions and data providers; the terms authorize sharing this data with service providers, financial partners, analytics vendors, advertising partners, and government or regulatory bodies. The policy includes provisions authorizing use of personal data for marketing and targeted advertising purposes, with opt-out rights described for certain uses, and discloses sharing with third parties in ways that may constitute a 'sale' or 'sharing' of personal information under California law, engaging the CCPA and CPRA frameworks. The policy engages CCPA/CPRA for California residents, GDPR and UK GDPR for EU and UK users, and financial privacy frameworks including the Gramm-Leach-Bliley Act given Brex's financial services context; compliance exposure is heightened for business account holders whose employees' personal data may also be processed under the policy. Material considerations include the scope of data shared with advertising and analytics partners, the applicability of financial privacy notices alongside this general privacy policy, and the adequacy of consent mechanisms for cross-border data transfers.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

2 versions captured · Last updated: May 2026

May 16, 2026

low

What changed Brex removed two items from its Privacy Policy table of contents: 'Prohibited and Restricted Activities' and the Rewards section header. These sections are no longer listed in the document's navigation structure as of May 16, 2026. The operational impact depends on whether these sections were deleted from the policy itself or merely removed from the table of contents; the change summary does not clarify whether the underlying content remains in the policy body.

Why this matters The revised table of contents no longer lists 'Prohibited and Restricted Activities' and 'Rewards' sections. The practical impact is unclear because the change summary does not confirm whether these sections were removed from the policy body itself or simply delisted from the navigation structure. If the sections remain in the policy but are not indexed, users may have difficulty locating that information. If the sections were deleted entirely, the terms governing those topics would no longer apply.

View full change record →

Recent Provision Changes May 16, 2026

7 provisions unchanged.

View full change record →

High — 2 provisions

Sharing with Advertising and Analytics Partners Compare →

The policy authorizes Brex to share personal information with advertising and analytics vendors for targeted advertising and campaign measurement, and discloses that this sharing may qualify as a sale or sharing under CCPA/CPRA, triggering opt-out rights for California residents.

Added May 21, 2026 Standard Seen across 284 platforms
Financial Data and GLBA Context Compare →

The policy discloses collection of bank account numbers, payment card data, transaction history, and credit information in connection with Brex's financial services products, engaging financial privacy obligations under GLBA in addition to general privacy frameworks.

Added May 21, 2026 Standard Seen across 284 platforms

Medium — 6 provisions

Data Collection Scope Compare →

The policy states that Brex collects identifiers, financial account and transaction data, device and usage information, location data, and information obtained from third-party sources including financial institutions and data providers.

Added May 21, 2026 Standard Seen across 284 platforms
California Resident Privacy Rights Compare →

The policy discloses that California residents hold CCPA/CPRA rights to access, delete, correct, and opt out of sale or sharing of personal information, and states that Brex will not discriminate against users who exercise these rights.

Added May 21, 2026 Standard Seen across 284 platforms
GDPR and UK GDPR Rights for EU and UK Users Compare →

The policy grants EU and UK users data subject rights under GDPR and UK GDPR, including access, rectification, erasure, restriction, portability, objection, and consent withdrawal, with a designated contact for exercising these rights.

Added May 21, 2026 Standard Seen across 284 platforms
Third-Party Service Provider Sharing Compare →

The policy authorizes sharing personal information with service providers performing functions including payment processing, data analysis, email delivery, hosting, customer service, and marketing, subject to a contractual limitation that restricts these providers to use the data only for the stated service purposes.

Added May 21, 2026 Standard Seen across 284 platforms
Cross-Border Data Transfers Compare →

The policy discloses that personal data may be transferred to and processed in countries outside the user's country of residence, and states that Standard Contractual Clauses are used as the transfer mechanism for international data flows.

Added May 21, 2026 Standard Seen across 284 platforms
Cookies and Tracking Technologies Compare →

The policy discloses use of cookies, web beacons, pixel tags, and other tracking technologies to collect browsing activity, device information, and interaction data, with browser settings and a cookie preference center identified as controls.

Added May 10, 2026 Standard Seen across 284 platforms

Low — 1 provision

Data Retention Compare →

The policy states that personal data is retained for as long as needed to fulfill collection purposes and meet legal and regulatory obligations, after which it will be deleted or anonymized.

Added May 8, 2026 Standard Seen across 284 platforms

Monitoring

Brex has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Financial Data and GLBA Context and similar clauses.

Compare across platforms →

Archival ProvenanceSource & Archival Record

Last Captured May 16, 2026 00:50 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000534

Version ID CA-V-002679

Source URL https://www.brex.com/legal/privacy

Wayback Machine View external archival references →

SHA-256 2d4e6b75544907e7cc81d201fac3c31caca2dfe4b400a05c23774fa9bf862362

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

Brex Privacy Policy

May 16, 2026

Recent Provision Changes May 16, 2026

Monitor governance changes across the platforms you rely on.