Billdrop
Log inSign up

Privacy Policy

Last updated: 2 April 2026

1. Who we are

Billdrop ("we", "us", "our") is an online invoicing service. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller for your account data.

If you have questions about this policy or your data, contact us at privacy@billdrop.app.

2. What data we collect

Account data

  • Name, email address, and hashed password (if you register directly)
  • Google profile information (name, email, profile image) if you sign in with Google

Client and invoice data

  • Client names, email addresses, and postal addresses that you enter
  • Invoice details including line items, amounts, dates, and notes
  • Uploaded logos (stored as base64 within invoice data)

Payment data

  • Subscription payments are processed by Stripe. We store your Stripe customer ID but never see or store your card details.

Technical data

  • Authentication session cookies (strictly necessary for the service to function)
  • Basic analytics via Vercel Analytics (anonymous, aggregated page-view data)

3. How and why we use your data

We process your personal data on the following lawful bases:

  • Contract performance — to provide and maintain your account, generate invoices, and process subscription payments.
  • Legitimate interests — to improve the service, detect abuse, and provide customer support.

We do not use your data for marketing, profiling, or automated decision-making. We do not sell your data to third parties.

4. Who we share data with

We use the following third-party processors to operate the service:

  • Vercel — hosting and infrastructure
  • Neon — PostgreSQL database hosting
  • Stripe — payment processing (Stripe acts as an independent controller for payment data)
  • Google — OAuth authentication (if you choose to sign in with Google)

We do not share your data with any other third parties.

5. International transfers

Some of our processors (Vercel, Stripe) may process data outside the United Kingdom. Where this occurs, transfers are protected by standard contractual clauses or an adequacy decision recognised by the UK government.

6. Data retention

  • Account and invoice data is retained for as long as your account is active.
  • If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (e.g. financial records may be retained for up to 6 years).
  • Anonymous, aggregated analytics data may be retained indefinitely.

7. Your rights

Under the UK GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data
  • Restriction — limit how we process your data
  • Portability — receive your data in a portable format
  • Object — object to processing based on legitimate interests

To exercise any of these rights, email us at privacy@billdrop.app. We will respond within one month.

8. Cookies

We use only strictly necessary session cookies for authentication. These are essential for the service to function and do not require consent. We do not use advertising, tracking, or third-party cookies.

9. Data security

We protect your data using encryption in transit (TLS), hashed passwords (bcrypt), and access controls. Our database is hosted in a secure, managed environment with automatic encryption at rest.

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ico.org.uk/make-a-complaint

11. Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify you by email or by posting a notice on the site. The "last updated" date at the top will always reflect the most recent version.