Privacy Policy
Last updated: 4 May 2026
1. Who we are
Eurobillr ("Eurobillr", "we", "us") operates the Eurobillr platform from Muelesteedsesteenweg 216, 9000 Gent, Belgium. We act as the data controller for the personal data we process about you when you use the marketing site or your account, and as a data processor on behalf of your business for the customer/supplier data you upload into your workspace.
Contact: info@eurobillr.com · Privacy queries: privacy@eurobillr.com · Data Protection Officer: dpo@eurobillr.com.
2. What we collect and why
We process the minimum data we need to run the service. The categories below also list the GDPR Article 6 lawful basis we rely on.
2.1 Account & identity
- Name, work email, country, locale, hashed password, login timestamps.
- Basis: performance of the contract (Art. 6(1)(b)) and our legitimate interest in account security (Art. 6(1)(f)).
2.2 Workspace & business data you upload
- Invoices, expenses, clients, suppliers, time entries, accounting metadata, attachments (PDF, images), bank account details (IBAN/BIC), VAT numbers.
- This often includes personal data about your customers and suppliers; you remain the controller for that data and we process it as your processor under our Data Processing Agreement (available on request).
- Basis: performance of the contract.
2.3 Camera, microphone and file uploads
The receipt scanner and invoice parser may ask your browser for access to your camera or to files on your device. We only use those permissions when you initiate a scan, and only for the page you are on. We do not record video or audio in the background, do not fingerprint your device, and do not retain raw frames after the OCR step. The resulting document is stored as part of your workspace until you delete it.
Basis: performance of the contract; your in-browser permission to the camera/file API is the technical gateway, not a separate consent for processing.
2.4 Technical & security data
- IP address, user-agent, request method/path, error stack traces (in our application logs), audit-log entries (who created/edited/deleted which record).
- Basis: legitimate interest in detecting abuse and meeting our Art. 32 GDPR security duty; legal obligation for accounting audit trails.
2.5 Billing & payments
- Plan, billing email, country, VAT ID, invoice history. We do not store full card numbers — payment details go directly to our payment processor (Stripe).
- Basis: performance of the contract; legal obligation to retain invoices for tax purposes.
2.6 Marketing communications (only if you opt in)
- Email + opt-in timestamp.
- Basis: consent (Art. 6(1)(a)). You can unsubscribe with one click in every email.
3. How long we keep it
- Active workspace data: for as long as your account is open.
- After account closure: a 30-day grace period during which you can recover the workspace, then deletion within 60 days, except where a longer period is required by law.
- Invoices & accounting records: retained for the period required by Belgian tax/accounting law (currently 7 years), even if your account is closed.
- Audit / security logs: 12 months.
- Marketing consent records: until you withdraw consent, plus 24 months for proof.
4. Who else processes your data (sub-processors)
We use vetted European or GDPR-equivalent sub-processors to deliver the service. We sign data processing agreements with each one, and rely on the EU Standard Contractual Clauses where data crosses the EEA border.
- Hosting & storage: EU-region cloud (database, files, backups).
- Email delivery: SMTP / transactional email provider.
- Payments: Stripe Payments Europe (Ireland).
- OCR / receipt scanning: AWS Textract or equivalent OCR vendor — only when you actually scan a document.
- PEPPOL access point: when you dispatch an e-invoice, the document is signed and routed through our certified access-point partner.
- Error monitoring: aggregated, no payload bodies.
A current list of sub-processors with locations is available on request from privacy@eurobillr.com.
5. International transfers
We host inside the EEA. If a transfer outside the EEA is necessary (for example a US-based OCR vendor at your request), we rely on the European Commission's adequacy decisions or on the Standard Contractual Clauses (SCCs) and apply additional technical safeguards such as encryption in transit and at rest.
6. Your rights under the GDPR
You can exercise the following rights at any time:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16).
- Right to erasure / "to be forgotten" (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — export your workspace as JSON/CSV at any time from Settings → Account.
- Right to object (Art. 21), in particular to direct marketing.
- Right not to be subject to a purely automated decision with legal effect (Art. 22). The OCR scoring and any AI suggestions in Eurobillr are advisory only — a human always confirms the result.
- Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To use any of these rights, write to privacy@eurobillr.com. We respond within 30 days (extendable by two further months for complex requests, with notice).
You also have the right to lodge a complaint with your supervisory authority. In Belgium that is the Gegevensbeschermingsautoriteit / Autorité de protection des données (APD/GBA), Drukpersstraat 35, 1000 Brussel — dataprotectionauthority.be.
7. Cookies and similar technologies
Eurobillr uses only strictly-necessary first-party cookies by default (session, CSRF, locale, consent). Optional analytics cookies require your prior consent through the cookie banner. Details and category list: Cookie Policy.
8. Security
We follow Art. 32 GDPR: encrypted transport (TLS), encrypted-at-rest backups, hashed passwords (Argon2 / bcrypt), role-based access, audit logging, multi-tenant isolation enforced by every database query, periodic restore tests, and a documented incident-response procedure. No system is unbreakable; if we become aware of a personal-data breach we notify the supervisory authority within 72 hours and notify affected users without undue delay where the breach is likely to result in a high risk to their rights.
9. Children
Eurobillr is a B2B service intended for users aged 18 or over acting in a professional capacity. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be communicated by email or by a notice in the app at least 14 days before they take effect.
11. Contact
Questions, requests, or complaints: privacy@eurobillr.com · postal: Eurobillr, Muelesteedsesteenweg 216, 9000 Gent, Belgium.