The policy grants EU and UK users data subject rights under GDPR and UK GDPR, including access, rectification, erasure, restriction, portability, objection, and consent withdrawal, with a designated contact for exercising these rights.
This analysis describes what Brex's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes Brex's GDPR and UK GDPR compliance framework for EU and UK users, requiring the company to maintain lawful bases for all processing activities, respond to data subject requests within statutory timeframes, and support cross-border transfer mechanisms for data flows outside the EEA and UK.
Interpretive note: The source document was truncated; the verbatim excerpt reflects available policy language. The specific lawful bases relied upon for each processing activity are not fully visible in the truncated document.
EU and UK users may submit requests to access, correct, delete, restrict, or port their personal data, and may object to processing or withdraw consent, by contacting privacy@brex.com as stated in the policy.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
Brex has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection law, including the right to access, rectify, erase, restrict processing of, and port your personal information. You also have the right to object to processing and to withdraw consent where processing is based on consent. To exercise these rights, please contact us at privacy@brex.com.— Excerpt from Brex's Brex Privacy Policy
(1) REGULATORY LANDSCAPE: This provision implements obligations under GDPR (enforced by EU supervisory authorities including lead DPA for cross-border processing) and UK GDPR (enforced by the UK Information Commissioner's Office). GDPR Articles 15-22 establish the data subject rights listed; Article 77 provides the right to lodge complaints with supervisory authorities. Response to requests is required within one month, extendable by two additional months for complex requests. (2) GOVERNANCE EXPOSURE: High for organizations with EU or UK employees using Brex business accounts, as employee personal data processed through corporate expense tools may be subject to GDPR obligations beyond standard customer privacy disclosures. Brex's role as controller versus processor for employee data in B2B contexts requires clear contractual definition. (3) JURISDICTION FLAGS: EEA and UK create heightened obligations. Cross-border data transfers from EU to US require Standard Contractual Clauses or other approved transfer mechanisms under GDPR Chapter V. Brexit has created a separate UK adequacy and transfer framework that requires parallel assessment. (4) VENDOR AND CONTRACT IMPLICATIONS: B2B customers using Brex for employee expense management should assess whether a Data Processing Agreement with Brex is in place, clearly defining controller and processor roles for employee personal data. (5) COMPLIANCE CONSIDERATIONS: Confirm that Standard Contractual Clauses or alternative transfer mechanisms are documented for EU-US data flows; verify that a GDPR-compliant Data Processing Agreement is available for business customers; confirm response SLAs for data subject requests meet GDPR timelines; and assess whether consent-based processing activities include functioning consent withdrawal mechanisms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes Brex's GDPR and UK GDPR compliance framework for EU and UK users, requiring the company to maintain lawful bases for all processing activities, respond to data subject requests within statutory timeframes, and support cross-border transfer mechanisms for data flows outside the EEA and UK.
EU and UK users may submit requests to access, correct, delete, restrict, or port their personal data, and may object to processing or withdraw consent, by contacting privacy@brex.com as stated in the policy.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Brex.