The policy states that Brex collects identifiers, financial account and transaction data, device and usage information, location data, and information obtained from third-party sources including financial institutions and data providers.
This analysis describes what Brex's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the full scope of personal data Brex processes, which spans both standard digital identifiers and sensitive financial account details, creating compliance obligations under CCPA, GLBA, and GDPR depending on the user's jurisdiction and the nature of the data.
Interpretive note: The document was truncated in the source text; specific verbatim language for data categories is based on available policy content and standard Brex policy disclosures.
The agreement establishes that Brex collects a broad set of personal and financial data categories including transaction history, government-issued identifiers, device identifiers, and location information, both directly from users and automatically through platform use.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Brex has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information you provide directly to us, information we collect automatically when you use our services, and information we obtain from third parties. This includes identifiers such as name, email address, phone number, and government-issued identification; financial account information including bank account numbers, credit history, and transaction data; device and usage information including IP address, browser type, operating system, and browsing activity on our services; and location information.— Excerpt from Brex's Brex Privacy Policy
(1) REGULATORY LANDSCAPE: Collection of financial account data and transaction history engages the Gramm-Leach-Bliley Act and its implementing regulations, enforced by applicable federal financial regulators. Collection of identifiers, browsing activity, and geolocation engages CCPA/CPRA enforced by the California Privacy Protection Agency. GDPR Article 5 principles of data minimization and purpose limitation apply to EU and UK user data. (2) GOVERNANCE EXPOSURE: Medium. The combination of financial account data, government-issued identifiers, and device/behavioral data creates a broad data inventory obligation. Compliance teams must maintain accurate data maps covering all listed categories and ensure retention schedules and security controls address the sensitivity of financial and identity data. (3) JURISDICTION FLAGS: California residents have CPRA rights over all listed categories. EU/UK users have GDPR rights. Financial data collected in connection with credit products may be subject to additional state financial privacy laws. (4) CONTRACT AND VENDOR IMPLICATIONS: Third-party data sourcing described in this provision requires vendor assessment to confirm data providers have appropriate collection authority and contractual data sharing agreements. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should confirm data inventories reflect all categories listed; verify that security controls match data sensitivity levels, particularly for financial account numbers and government identifiers; and review third-party data provider agreements for GLBA and CCPA compliance.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the full scope of personal data Brex processes, which spans both standard digital identifiers and sensitive financial account details, creating compliance obligations under CCPA, GLBA, and GDPR depending on the user's jurisdiction and the nature of the data.
The agreement establishes that Brex collects a broad set of personal and financial data categories including transaction history, government-issued identifiers, device identifiers, and location information, both directly from users and automatically through platform use.
ConductAtlas has identified this type of provision across 17 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Brex.