Privacy Policy
Last updated: 1 May, 2026
Welcome to Billpal 👋
Billpal e.U. ("we", "us") is the data controller for personal data processed through https://billpal.io (the "Service"). For full company details, see our Imprint. This policy explains what data we collect, why, and what rights you have.
1. What We Collect
- Account information: name, email address, company name, VAT ID, domain, and profile photo – provided during signup, onboarding, or in Settings.
- Bank data: when you connect a bank account, we receive account details (e.g. IBAN, account holder name) and transaction data (amounts, dates, descriptions) via a licensed open-banking provider. We do NOT store your bank login credentials.
- Documents: invoices, receipts, and statements you upload, forward via email, or send via WhatsApp. We store attachments and extract structured data (amounts, dates, line items, tax details) using an OCR provider.
- WhatsApp: if you connect WhatsApp, we store your phone number, message content, and voice messages (which are transcribed using AI) to enable our AI chatbot. Attachments are processed through our document extraction and processing pipeline.
- Email: when you connect an email provider, we access attachments from your inbox. We do NOT store email content – only attachments (e.g. PDFs) and minimal metadata (message ID, attachment ID) for deduplication.
- Payment information: if you subscribe, payments are processed securely by Stripe. We do not see or store your full card number.
- Technical data: IP address (processed in hashed form for rate limiting and security), browser type, and device information.
2. How We Use Your Data
We use your data to:
- Provide and operate Billpal (importing transactions, processing documents, matching document and transaction records).
- Determine whether documents are incoming or outgoing using your company details.
- Classify, categorize, and match documents using Artificial Intelligence.
- Process payments and manage subscriptions.
- Send transactional and product update emails (account verification, billing, support, product news).
- Improve the Service and fix issues.
We only collect what is necessary to operate Billpal.
3. AI Processing
Billpal uses AI to classify documents, categorize transactions, match documents to transactions, and power the WhatsApp chatbot. This means document content, transaction metadata, and WhatsApp messages are sent to an AI provider for processing. AI results are suggestions – you always have full control to review and override them.
Our AI provider's data processing terms prohibit using your data for model training.
4. Data Sharing
- We use trusted third-party providers for hosting, banking connections, payment processing, document extraction, AI, email delivery, and analytics. These providers process data on our behalf and only as instructed by us.
- We do NOT sell or share your data with any third parties for marketing or independent use.
- Some of our providers are based in the United States. Where data is transferred outside the EEA, we rely on appropriate safeguards such as standard contractual clauses or equivalent legal frameworks.
5. Cookies & Analytics
- Billpal uses essential cookies required for secure login and operation of the Service. These do not require consent.
- We use DataFast for web analytics – a GDPR-compliant, privacy-friendly analytics tool. By default, DataFast runs in cookieless mode, which does not use cookies for visitor identification and does not collect personal data. If you accept analytics cookies via our cookie banner, we switch to cookie-based analytics for improved accuracy.
- Any non-essential cookies are only activated with your consent via our cookie banner.
6. Legal Basis for Processing
- Contract: processing necessary to deliver the Service you signed up for.
- Legitimate interest: maintaining security, improving Billpal, communicating updates.
- Consent: optional analytics cookies and marketing communications.
7. Your Rights
Under GDPR, you have the right to:
- Access your personal data.
- Correct inaccurate data.
- Delete your data – you can do this directly in Settings or by contacting us.
- Export your data in a portable format (CSV/ZIP exports are built into the app).
- Restrict or object to certain processing.
- Withdraw consent at any time where consent is the legal basis.
- Lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at).
8. Data Retention
- We retain your data for as long as your account is active or as needed to provide the Service.
- Billing records are kept as required by Austrian tax law (up to 7 years).
- When you delete your account, your data is permanently removed from our servers. Third-party provider access (bank connections, email connections) is revoked as part of the deletion process.
9. Security
- All data is encrypted in transit (TLS) and at rest.
- We do NOT store bank or email login credentials – connections are handled by licensed third-party providers.
- Sensitive tokens are encrypted at rest using AES-256.
- We use bot protection, rate limiting, and row-level access controls to protect your data.
10. Children's Privacy
We do not knowingly collect personal information from children under the age of 14. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
11. Updates & Contact
- We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email.
- For any questions, contact us at support@billpal.io.
Thank you for using Billpal! 🙏