Privacy Policy
Last updated: 5 March 2026
1. Data Controller
SendBillie is the data controller responsible for your personal data. We are operated from the Netherlands and are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR).
If you have questions about how we handle your data, you can contact us at privacy@sendbillie.com.
2. Personal Data We Collect
2.1 Freelancer Account Data
When you register and use the Platform, we collect:
- Identity information — Full name, email address, password (hashed)
- Business information — Company name, KVK number, BTW (VAT) number, business address
- Financial information — IBAN, BIC, bank account holder name
- Invoice data — Invoice numbers, amounts, line items, payment status, client details
- Template preferences — Selected invoice template, brand colours, logo
2.2 Client Portal Data
When a client accesses the portal to view or pay invoices, we collect:
- Identity information — Name, email address (as provided by the freelancer)
- Portal account data — Email, password (hashed), if registered
- Payment information — Payment method used, transaction status (processed by Mollie, not stored by us)
2.3 Automatically Collected Data
- Usage data — Pages visited, features used, session duration
- Device information — Browser type, operating system, screen resolution
- Connection data — IP address, access timestamps
2.4 Banking Data (Optional)
If you connect your bank account via TrueLayer:
- Account information — Bank name, account name, IBAN, account type
- Transaction data — Transaction amounts, dates, descriptions, counterparty details
- OAuth tokens — Encrypted access and refresh tokens (see Data Security)
2.5 Cross-Provider Invoice Aggregation
When you access the Client Portal, SendBillie may display invoices from multiple freelancers or service providers in a single dashboard view. This allows you to see all your outstanding invoices in one place, regardless of which freelancer sent them. This aggregation is based on your email address or business registration number (KVK).
To enable this feature, we generate a SendBillie ID (SB-ID) — a pseudonymised, deterministic identifier derived from your KVK number (for businesses) or email address (for individuals) using a one-way cryptographic hash (HMAC-SHA256). The SB-ID cannot be reversed to reveal your original data. It is used solely to link your invoices across different freelancers on the Platform.
The portal only displays invoice-level data: invoice numbers, dates, amounts, line item descriptions, and payment status. It does not reveal any freelancer’s internal business data, pricing structures, profit margins, client lists, or any information beyond what appears on the invoice itself.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b) GDPR)
- Processing your account data, invoice data, and payment information is necessary to provide our invoicing services to you.
- Legitimate Interest (Art. 6(1)(f) GDPR)
- We process usage data and device information to improve our services, ensure security, and prevent fraud. We have assessed that these interests do not override your rights.
- Legal Obligation (Art. 6(1)(c) GDPR)
- We retain certain financial records as required by Dutch tax law (Algemene wet inzake rijksbelastingen), which mandates a 7-year retention period for financial administration.
- Consent (Art. 6(1)(a) GDPR)
- For optional features such as analytics cookies and marketing communications, we rely on your explicit consent, which you can withdraw at any time.
4. How We Use Your Data
- Providing services — Creating invoices, processing payments, managing your account
- Payment processing — Facilitating online payments through Mollie
- Banking integration — Fetching transactions and matching them to invoices via TrueLayer
- Communication — Sending transactional emails (invoice notifications, payment confirmations, account alerts)
- Service improvement — Understanding how features are used to improve the Platform
- Security — Detecting and preventing fraud, abuse, and unauthorised access
- Legal compliance — Meeting our obligations under Dutch and EU law
We do not sell your personal data to third parties. We do not use your data for profiling or automated decision-making.
5. Third-Party Processors
We share your data with the following third-party processors, each of whom acts under a Data Processing Agreement (DPA) in compliance with the GDPR:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Mollie B.V. | Payment processing | Invoice amounts, payment method, payer info | Netherlands |
| TrueLayer Ltd. | Open Banking (transaction fetching) | Bank account info, transaction data (encrypted tokens) | United Kingdom |
| Gigalixir LLC | Application hosting | All platform data (encrypted at rest) | United States (AWS eu-west-1) |
| Swoosh (self-hosted) | Transactional email | Email addresses, email content | Netherlands |
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days | Service provision |
| Invoice and financial records | 7 years after creation | Dutch tax law (AWR) |
| Payment records | 7 years after transaction | Dutch tax law (AWR) |
| Banking tokens (TrueLayer) | Until disconnection or expiry (90 days) | Service provision |
| Session and security logs | 90 days | Security and fraud prevention |
| Cookie consent preferences | 12 months | GDPR compliance |
When you delete your account, we remove your personal data within 30 days. Financial records subject to the 7-year tax retention period are retained in anonymised form after account deletion.
7. Your Rights Under the GDPR
As a data subject in the European Economic Area, you have the following rights:
- Right of Access (Art. 15)
- You can request a copy of all personal data we hold about you. Use the export tools in Settings to download your data at any time.
- Right to Rectification (Art. 16)
- You can update your personal data directly in your account settings. If you need help, contact us.
- Right to Erasure (Art. 17)
- You can delete your account from Settings. We will remove your personal data within 30 days, subject to legal retention requirements.
- Right to Data Portability (Art. 20)
- You can export your invoices, client data, and financial records in CSV, UBL, MT940, and CAMT.053 formats using our built-in export tools.
- Right to Restrict Processing (Art. 18)
- You can request that we limit how we process your data while a complaint or dispute is being resolved.
- Right to Object (Art. 21)
- You can object to processing based on legitimate interest. We will stop processing unless we have compelling legitimate grounds.
- Right to Withdraw Consent (Art. 7(3))
- Where processing is based on consent (e.g., analytics cookies), you can withdraw consent at any time via Settings → Data & Privacy or the cookie consent manager.
To exercise any of these rights, contact us at privacy@sendbillie.com. We will respond within 30 days as required by the GDPR.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit — All data is transmitted over HTTPS (TLS 1.2+).
- Encryption at rest — Sensitive data (OAuth tokens, banking credentials) is encrypted using AES-256-GCM before storage.
- Password hashing — Passwords are hashed using bcrypt with a cost factor that prevents brute-force attacks.
- Access controls — Company data is scoped to authenticated users. IDOR protection prevents cross-account access.
- Rate limiting — OAuth endpoints and sensitive operations are rate-limited to prevent abuse.
- Audit logging — Security-sensitive operations are logged for monitoring and incident response.
- Webhook validation — Payment webhooks are validated and sanitised to prevent injection attacks.
10. International Data Transfers
Our application is hosted on Gigalixir (AWS eu-west-1, Ireland). While Gigalixir LLC is a US company, your data is stored in the EU region. Data transfers to the UK (TrueLayer) are covered by the EU-UK adequacy decision.
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
11. Children’s Privacy
SendBillie is a business tool designed for professionals aged 18 and over. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Contact Us
For privacy-related questions, data requests, or concerns:
- Email: privacy@sendbillie.com
- General support: support@sendbillie.com
- Website: sendbillie.com