Privacy Policy

Last updated: March 8, 2026

1. Data Controller

The data controller responsible for this website is:

Impakt Systems, LLC
30 N Gould St, Ste R
Sheridan, WY 82801, United States
Email: hello@billbot.io

2. What Data We Collect

When you use Billbot, we collect the following data:

  • Account data — email address, name, company name, and address when you sign up
  • Invoice data — invoices, line items, client information, and payment details you enter
  • Usage data — pages visited, features used, and API calls made (via privacy-friendly analytics)
  • Technical data — IP address, browser type, and device information (processed but not stored long-term)

3. Why We Process Your Data

We process your data on the following legal bases (Art. 6 GDPR):

  • Contract performance (Art. 6(1)(b)) — to provide the invoicing service you signed up for
  • Legitimate interest (Art. 6(1)(f)) — to improve our service, prevent fraud, and ensure security
  • Consent (Art. 6(1)(a)) — for optional analytics and marketing communications (you can withdraw consent at any time)
  • Legal obligation (Art. 6(1)(c)) — to comply with tax and accounting retention requirements

4. Sub-Processors

We use the following third-party services to operate Billbot:

  • Supabase (Database, Authentication, Storage) — EU region (Frankfurt)
  • Vercel (Hosting, Edge Network) — Global CDN with EU processing
  • Resend (Transactional Email) — Email delivery for invoices and notifications
  • Anthropic (AI Processing) — Invoice parsing from emails, used only when you explicitly trigger AI features
  • Datafast (Analytics) — Privacy-friendly, cookie-free website analytics

All sub-processors are bound by data processing agreements. We do not sell your data to third parties.

5. Data Transfers Outside the EU

Some of our sub-processors are based in the United States. These transfers are protected by:

  • The EU-US Data Privacy Framework (for certified providers)
  • Standard Contractual Clauses (SCCs) as approved by the European Commission

6. Data Retention

  • Account data — retained while your account is active, deleted upon request
  • Invoice data — retained for 10 years after creation to comply with tax retention requirements (§147 AO, §14b UStG), then deleted
  • Usage data — aggregated and anonymized, no personal data retained
  • Technical logs — deleted after 30 days

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectify inaccurate data (Art. 16 GDPR)
  • Delete your data (Art. 17 GDPR), subject to legal retention obligations
  • Restrict processing (Art. 18 GDPR)
  • Data portability — receive your data in a structured format (Art. 20 GDPR)
  • Object to processing based on legitimate interest (Art. 21 GDPR)
  • Withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email hello@billbot.io. We will respond within 30 days.

8. Cookies

Billbot uses only essential cookies required for authentication and session management. We do not use tracking cookies or advertising cookies. Our analytics provider (Datafast) is cookie-free.

9. Security

We protect your data with:

  • TLS encryption for all data in transit
  • API keys hashed with SHA-256 before storage
  • HTTP-only session cookies
  • Row-level security on the database
  • Regular security reviews of our infrastructure

10. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For users in Germany, the relevant authority depends on your state of residence. A list is available at bfdi.bund.de.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or by displaying a notice in the application. The latest version is always available at this URL.