Privacy Policy for B2BERP

Effective Date: May 27, 2026. Last Updated: May 27, 2026. This Privacy Policy is subject to change at any time to maintain compliance with applicable laws.

B2BERP ("we," "our," or "us") provides a business-to-business (B2B) Enterprise Resource Planning (ERP) web application (the "Service"). This Privacy Policy outlines how we collect, process, protect, and share information when your organization or its authorized personnel interact with our platform.

Because our Service is a B2B tool, we primarily process data on behalf of our corporate clients ("Enterprise Customers") as a Data Processor or Service Provider. Where we determine the purposes and means of processing (e.g., account management or marketing), we act as a Data Controller.

1. Information We Collect

We collect information necessary to operate a comprehensive ERP system, categorizing data into three core areas:

Enterprise Data (Processed on behalf of our Clients)

As an ERP platform, we host and store data uploaded or integrated into the platform by our Enterprise Customers. This may include, but is not limited to:

  • Financial & Accounting Data: Invoices, payroll records, ledgers, and bank routing information.
  • Human Resources & Employee Logs: Internal employee profiles, time tracking, performance logs, and role permissions.
  • Supply Chain & Operational Metrics: Vendor information, inventory levels, logistics data, and client procurement histories.

Administrative & Account Credentials

To provision and maintain system access for business users, we collect:

  • Corporate Profile Details: Full name, business email address, job title, corporate phone number, and physical office address.
  • System Credentials: Usernames, encrypted passwords, security tokens, and single sign-on (SSO) authentication states.

Infrastructure & System Telemetry

We automatically log technical data from your browser or device to maintain system health, stability, and security:

  • Technical Logs: Internet Protocol (IP) address, browser engine version, device operating system, and unique hardware identifiers.
  • Audit Trails & Security Logs: Comprehensive, immutable logs tracking which users access, alter, delete, or export records within the platform.
  • Tracking Data: Session cookies essential for maintaining security states and optimizing UI performance.

2. Legal Basis for Processing (Global Standards)

For global users—specifically under frameworks like the EU/UK General Data Protection Regulation (GDPR) and similar cross-border laws—we process data under the following legitimate legal bases:

  • Contractual Necessity: To execute, manage, and fulfill our core SaaS agreement with your employer or contracting organization.
  • Legitimate Interests: To monitor for fraudulent activity, ensure network security, maintain server uptime, and optimize ERP workflow efficiency.
  • Legal Obligations: To comply with regulatory bookkeeping, tax reporting, corporate compliance laws, and valid law enforcement demands.

3. Sharing and Disclosure of Corporate Data

We do not sell, rent, or trade secrets, client profiles, or employee data. We disclose corporate or personal data strictly in the following scenarios:

  • Authorized Infrastructure Subprocessors: We share data with enterprise cloud infrastructure hosts, security providers, and database managers.
  • Enterprise Customer Admins: Because this is a B2B app, some administrative users designated by your organization may have full visibility over all data, logs, and activity generated under their enterprise license.
  • Corporate Restructuring: In the event of a merger, corporate acquisition, asset sale, or bankruptcy, data assets may be transferred to the acquiring entity subject to equivalent privacy protections.
  • Regulatory Compliance: We disclose data to courts or regulatory bodies if required by law to prevent corporate fraud, tax evasion, or operational cyberattacks.

4. Regional Addenda & State Compliance

United States Compliance (All States)

This section accommodates state-level privacy statutes including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), and other comprehensive state privacy laws.

  • B2B Exception: In accordance with US state laws, we treat user information as B2B personal data collected solely in the context of conducting business due diligence or providing enterprise services.
  • No Sale or Sharing: We do not "sell" personal data or "share" it for cross-context behavioral advertising.
  • Metrics: We do not use or disclose sensitive personal information for any purpose other than providing the core requested ERP service.

European Union, United Kingdom, and Switzerland (EEA)

  • Cross-Border Transfers: Data collected from the EEA may be transferred to and stored in servers outside Europe. We utilize Standard Contractual Clauses (SCCs) approved by the European Commission to ensure data enjoys an equivalent level of protection.
  • Data Protection Officer: For inquiries regarding EEA compliance, contact our data protection team directly using the details in Section 7.

Global Jurisdictions (Canada, Brazil, Australia, APAC)

We adhere to regional variations including Canada's PIPEDA, Brazil's LGPD, and Australia's Privacy Act. We ensure your personal data is handled with appropriate transparency, limiting collection to specific business-related transactional requirements.

5. Data Security & Retention

Security Infrastructure

We enforce rigorous, enterprise-grade physical, technical, and administrative protection mechanisms:

  • Encryption Standards: All data is encrypted in transit using Transport Layer Security (TLS 1.3) and at rest using Advanced Encryption Standard (AES-256).
  • Isolated Environments: Customer tenants are logically isolated within our database architecture to prevent cross-contamination or unauthorized access between separate corporate accounts.

Data Retention Timeline

We retain your data for as long as your organization maintains an active enterprise contract with B2BERP. Upon contract termination, data is securely archived, anonymized, or hard-deleted within standard contractual timeframes (typically 30 to 90 days), unless longer retention is required to fulfill international statutory legal or tax obligations.

6. Your Rights and Data Control

As a system user, you possess distinct data control rights depending on your jurisdiction. You may request to:

  • Access & Export: Obtain a comprehensive report of all personal data we hold about you.
  • Rectify Errors: Demand immediate corrections to inaccurate or obsolete corporate details.
  • Erase Records: Request deletion of your personal login credentials (subject to your organization's administrative approval).
  • Object to Processing: Restrict or block processing of your data based on specific local regulatory exceptions.

Note on B2B Data: If your request concerns data uploaded to B2BERP by your employer or corporate vendor, you must contact your organization's platform administrator directly. As a data processor, we cannot alter or delete internal enterprise databases without explicit authorization from the client account owner.

7. Contact and Administration

If you have technical questions regarding this global policy, wish to execute your data rights, or need to review our standard Data Processing Agreement (DPA), please contact us.