Privacy Policy

Effective date: 26 April 2026 · Last updated: 26 April 2026

InboxBill ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how it is used, and your rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable the EU General Data Protection Regulation (EU GDPR).

Please read this policy carefully. By using InboxBill you acknowledge you have read and understood it.

1. Who we are (Data Controller)

InboxBill is the data controller for personal data processed through this service.

  • Company: InboxBill
  • Address: [YOUR REGISTERED ADDRESS]
  • Company number: [YOUR COMPANY NUMBER]
  • Email: hello@inboxbill.com
  • ICO registration number: [YOUR ICO REGISTRATION NUMBER]

If you have questions about how we handle your personal data, contact us at hello@inboxbill.com.

2. Data we collect and why

2.1 Account data

When you create an account we collect:

  • Name and email address (from Google or Microsoft OAuth)
  • Profile picture (from your Google or Microsoft account)
  • Account creation date and login timestamps

Legal basis: Contract — necessary to create and maintain your account.

2.2 Email access data

When you connect a Gmail or Outlook account, we access your inbox to scan for invoices. Specifically:

  • Email metadata (sender address, subject line, date)
  • Email body content where we detect invoice-related text
  • Email attachments (PDFs and images) identified as invoices

We access the minimum data necessary to identify and extract invoice information. We do not read personal emails, store your full inbox, or access emails unrelated to invoices.

Legal basis: Contract — necessary to provide the core service.

2.3 Invoice data

Data extracted from invoices, including:

  • Supplier name and contact details
  • Invoice number, date, and due date
  • Line items, amounts, tax, and currency

Legal basis: Contract — core service functionality.

2.4 Billing and payment data

Payment processing is handled entirely by Stripe. We store only your subscription plan, billing status, and Stripe customer ID. We never see or store your full card number.

Legal basis: Contract — to manage your subscription.

2.5 Usage data

We collect limited operational data including:

  • Number of invoices processed per billing period
  • Feature usage (rules created, integrations connected)
  • Error logs for debugging purposes

Legal basis: Legitimate interests — to operate, maintain, and improve the service.

2.6 Support data

When you contact our support team through the in-app ticket system, we collect the content of your messages and any attachments you provide.

Legal basis: Contract — to respond to your support requests.

2.7 Cookies and technical data

See Section 8 (Cookies) for full details.

3. How we use automated data extraction

InboxBill uses an automated processing engine provided by Anthropic, Inc. to extract structured data from invoice emails and attachments. When an email is identified as a potential invoice, its content is sent to Anthropic's API for processing. Anthropic processes this data as a data processor on our behalf under a data processing agreement.

Automated extraction is used solely to populate the invoice fields shown in your inbox. You retain full control and can edit or reject any extracted data before it is used or synced. No solely automated decisions with legal or similarly significant effects are made about you on the basis of this processing.

Legal basis: Contract — necessary to deliver the automated extraction feature of the service.

4. Third-party processors

We share your data with the following processors, each under appropriate data processing agreements:

Processor | Purpose | Location
Supabase, Inc. | Database, authentication infrastructure, real-time messaging | USA (AWS)
Stripe, Inc. | Payment processing and subscription management | USA / EU
Google LLC | OAuth login; Gmail inbox access (user-authorised) | USA
Microsoft Corporation | OAuth login; Outlook inbox access (user-authorised) | USA / EU
Anthropic, Inc. | Automated invoice data extraction | USA
Resend, Inc. | Transactional email (team invitations, notifications) | USA
Vercel, Inc. | Application hosting and edge delivery | USA / Global
Xero Ltd. | Accounting integration (user-authorised) | New Zealand / Global
Intuit Inc. | QuickBooks accounting integration (user-authorised) | USA
FreeAgent Network Ltd. | FreeAgent accounting integration (user-authorised) | UK

Accounting integrations (Xero, QuickBooks, FreeAgent) only receive data you explicitly instruct us to sync by approving an invoice.

5. International data transfers

Some of our processors are based outside the UK and EU (primarily in the USA). Where personal data is transferred to countries not considered adequate by the UK ICO or European Commission, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs)
  • EU Standard Contractual Clauses (SCCs) where applicable
  • Adequacy decisions where available

You can request details of the specific safeguards in place for any transfer by contacting us at hello@inboxbill.com.

6. Data retention

Account data | For the duration of your account, plus 30 days after deletion to allow recovery.
Email access tokens | Until you disconnect the email account or revoke access via Google/Microsoft.
Invoice data | For the duration of your account. Deleted 30 days after account closure.
Support messages | 3 years from ticket closure, then deleted.
Billing records | 7 years (UK legal requirement for financial records).
Server logs | 90 days, then automatically purged.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Ask us to correct inaccurate or incomplete data.
  • Right to erasure — Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restrict processing — Ask us to limit how we use your data in certain circumstances.
  • Right to data portability — Receive your data in a structured, machine-readable format.
  • Right to object — Object to processing based on legitimate interests.
  • Rights related to automated decision-making — Request human review of any solely automated decision that significantly affects you.

To exercise any right, email us at hello@inboxbill.com. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.

You can delete your account and all associated data at any time from Settings → Account → Delete account. This triggers immediate deletion of your invoice data and email connections.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK supervisory authority: Information Commissioner's Office (ico.org.uk). EU residents may also contact their local data protection authority.

8. Cookies

We use a small number of cookies that are necessary to operate the service. We do not use advertising, analytics, or tracking cookies.

Cookie | Purpose | Duration | Type
next-auth.session-token | Keeps you signed in | 30 days | Essential
next-auth.csrf-token | Protects against cross-site request forgery | Session | Essential
next-auth.callback-url | Redirects you to the right page after login | Session | Essential
__stripe_mid | Stripe fraud prevention (set by Stripe.js) | 1 year | Functional
__stripe_sid | Stripe session identifier | 30 minutes | Functional
invosyncer_cookie_consent | Remembers your cookie preferences | 1 year | Essential

Essential cookies cannot be disabled as the service cannot function without them. You can manage your Stripe cookie preferences via your browser settings.

9. Children's data

InboxBill is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us immediately at hello@inboxbill.com and we will delete it promptly.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • OAuth tokens stored encrypted; we never store your email password
  • Read-only access to connected email accounts — we cannot send emails or modify your inbox
  • Row-level security policies on the database so users can only access their own data
  • Regular security reviews and dependency updates

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@inboxbill.com.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email and update the effective date at the top of this page. Continued use of the service after the updated policy takes effect constitutes your acceptance of the changes.

12. Contact us

For any privacy-related queries or to exercise your rights:

We aim to respond to all privacy requests within 30 calendar days. For complex requests we may extend this by a further two months and will notify you.