BuyBill Privacy Policy

    Last Updated: 17 May 2025

    In Simple Terms:

    We collect only the data we need to provide our Services, like your name and payment details. We don't sell or share your data for marketing, keep it secure, and let you control how we use it. Email us at info[at]buybill.co with any questions.

    BuyBill Limited ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our websites, mobile applications, or other services that link to this policy (collectively, the "Services").

    By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use our Services.

    1. Who We Are

    BuyBill Limited is a company registered in England and Wales (Company Number 14539026) with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. We are the data controller responsible for your personal data. Contact us at info[at]buybill.co.

    2. The Data We Collect

    We collect only the personal data necessary to provide our Services, including:

    • Category: Identity & Contact
      Examples: Name, email address, phone number, billing address
      Purpose: Account setup, authentication, support
    • Category: Financial & Transaction
      Examples: Payment details (processed via third-party providers like Stripe, who may collect card numbers or bank details; we store only the last four digits of cards for reference), transaction history
      Purpose: Processing payments, fraud prevention, refunds
    • Category: Technical
      Examples: IP address, device ID, browser type, usage logs, cookies
      Purpose: Service delivery, security, analytics
    • Category: Communications
      Examples: Emails, chat messages, survey responses
      Purpose: Customer support, service improvements

    We do not collect special-category data (e.g., health, ethnicity, political opinions) unless strictly necessary and with your explicit consent.

    Plain English: We only collect what we need to run our Services, like your name, contact details, payment info (handled by trusted providers), and how you use our site. We don't collect sensitive information unless you specifically allow us to.

    3. Why and How We Use Your Data

    We process personal data only for lawful purposes under the UK GDPR:

    • Purpose: Provide and operate the Services (e.g., process payments, deliver invoices)
      Lawful basis: Performance of a contract (Art. 6(1)(b))
    • Purpose: Improve and personalise the user experience, troubleshoot issues
      Lawful basis: Legitimate interests (Art. 6(1)(f)), balanced against your rights
    • Purpose: Communicate about your account, transactions, or service updates
      Lawful basis: Performance of a contract or legitimate interests
    • Purpose: Comply with legal obligations (e.g., tax, anti-money laundering)
      Lawful basis: Legal obligation (Art. 6(1)(c))
    • Purpose: Send marketing emails about new features (only with your consent)
      Lawful basis: Consent (Art. 6(1)(a)), which you can withdraw anytime

    We may use automated tools (e.g., for fraud prevention), but these do not produce legal or significant effects without human oversight.

    Plain English: We use your information to process payments, manage your account, improve our Services, reply to you, and follow the law. We only send marketing emails if you opt in, and we don't make big decisions about you using only computers.

    4. We Do Not Sell Your Data

    We do not sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes. We do not engage in large-scale profiling or data mining for external parties. Your data is used only to provide our Services and is shared only as described in Section 5.

    Plain English: We don't sell your information to anyone or collect it to share with other companies. Your details stay with us to help you use our Services.

    5. When We Share Your Data

    We share your personal data only when necessary, under contracts that require recipients to protect it:

    • Service Providers: Trusted third parties who help us run our Services, such as Stripe (payment processing), OpenAI and xAI (AI features), MailerLite (email communications), and cloud-hosting providers. These providers are contractually prohibited from using your data for their own purposes and must enforce similar restrictions on their subprocessors.
    • Professional Advisers: Lawyers, accountants, or auditors, where needed for legal or financial compliance.
    • Public Authorities: When required by law, court order, or to prevent fraud.
    • Business Transfers: If BuyBill is involved in a merger or acquisition, your data may be transferred to the new entity, subject to equivalent safeguards.

    Plain English: We share your data only with companies that help us provide our Services (like payment or email providers), if the law requires it, or if our business is sold. We make sure they keep your data safe and don't use it for their own purposes.

    6. International Transfers

    If we transfer your personal data outside the UK (e.g., to service providers like OpenAI or MailerLite), we ensure it is protected using UK GDPR-approved mechanisms, such as UK government adequacy decisions or Standard Contractual Clauses with the UK Addendum.

    Plain English: If we send your data outside the UK, we use legal safeguards to keep it secure.

    7. Data Security

    We use robust security measures to protect your data, including encryption (TLS 1.2+ in transit, AES-256 at rest), access controls, multi-factor authentication, and periodic security assessments. We rely on trusted service providers to maintain security for data they process on our behalf. No system is completely secure, and we cannot guarantee absolute protection.

    Plain English: We keep your data safe with strong security, like encryption and access limits, but no system is perfect. Our partners also help keep your data secure.

    8. Data Retention

    We keep personal data only as long as needed:

    • Customer Account Data: For the lifetime of your account and up to 6 years after closure, unless a longer period is required by law or to defend legal claims.
    • Payment & Transaction Records: Up to 7 years, per tax requirements.
    • Marketing Consents: Until you withdraw consent (we delete or anonymise within 30 days of withdrawal).
    • Support Communications: 3 years from resolution, unless needed longer for legal purposes.

    Data no longer required is securely deleted or anonymised.

    Plain English: We keep your data only as long as we need it for our Services or legal reasons, then delete or anonymise it securely.

    9. Your Rights

    Under the UK GDPR, you have the right to:

    • Access: See the data we hold about you.
    • Rectify: Correct inaccurate or incomplete data.
    • Erase: Request deletion where we no longer need it.
    • Restrict: Limit how we use your data.
    • Port: Receive your data in a machine-readable format or have it transferred to another provider.
    • Object: Challenge processing based on legitimate interests or marketing.
    • Complain: Contact the Information Commissioner's Office (ICO) at www.ico.org.uk or 0303 123 1113.

    To exercise these rights, email info[at]buybill.co. We may require proof of identity to protect your data. We'll respond within one month (or up to three months for complex requests). We may refuse or charge for requests that are manifestly unfounded or excessive, as permitted by law.

    Plain English: You can ask to see, fix, delete, or limit how we use your data, or move it elsewhere. Email us, and we may ask for ID to keep your data safe. If you're unhappy, you can contact the ICO.

    10. Marketing Communications

    We send marketing communications (e.g., emails about new features or offers) only if you explicitly opt in, such as by ticking a box during account creation or enabling the Marketing toggle in Account → Notifications. You can choose which channels (e.g., email, SMS) and topics you want.

    To stop marketing, use the "unsubscribe" link in emails, adjust settings in-app, or email info[at]buybill.co. You'll still receive essential service messages (e.g., payment receipts, security alerts) as these are needed to provide our Services. We keep a record of your consent or withdrawal to comply with UK GDPR.

    Plain English: We only send marketing if you say it's okay, and you can choose what you get. You can stop it anytime by clicking "unsubscribe" or emailing us. You'll still get important messages like receipts.

    11. Cookies & Similar Technologies

    Our Services use cookies and similar technologies to keep you signed in, remember preferences, and analyse site performance (anonymised where possible). We obtain consent for non-essential cookies via a cookie banner. You can manage preferences in your browser or via our [Cookie Settings] link.

    Plain English: We use cookies to make our site work better and remember your settings. You can control non-essential cookies through our banner or your browser.

    12. Children's Privacy

    Our Services are not intended for children under 13. We do not knowingly collect their data, and we delete it promptly if we discover it was provided.

    Plain English: Our Services aren't for kids under 13. If we find out we have their data, we delete it right away.

    13. Limitation of Liability

    We are not liable for indirect, consequential, or incidental losses arising from unauthorised access, data breaches, or misuse of our Services where we have complied with UK GDPR and DPA 2018 obligations, or where such losses result from your failure to maintain secure account credentials (e.g., weak passwords). This does not limit statutory rights or exclude liability for death, personal injury caused by negligence, fraud, or other non-excludable liabilities.

    Plain English: We do our best to keep your data safe and follow the law, but we're not responsible for problems caused by things outside our control, like if you use a weak password, unless the law says otherwise.

    14. Changes to This Policy

    We may update this Privacy Policy to reflect changes in our Services or legal requirements. For material changes affecting your rights or our use of your data, we'll notify you at least 30 days in advance by email or in-app message, where required by law. The latest version is always at www.buybill.co/privacy.

    Plain English: If we make big changes to this policy, we'll let you know by email or in-app message. Check the latest version on our website.

    15. Contact Us

    Email us at info[at]buybill.co for all inquiries. We aim to respond within 5 business days and to data subject requests within one month, as required by law. For legal correspondence only, our registered office is BuyBill Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.