Privacy & Security Policy (GDPR)
This privacy policy applies to the personal data collected and processed when you browse the Billify website and application (the “Site”) and when you use the associated services (the “Services”), in particular the OCR analysis and data extraction from invoices, expense receipts and supporting documents (the “Documents”).
Information marked “to be completed” must be adapted with your exact details (company name, address, registration numbers, contacts, retention periods). This document does not constitute legal advice.
Last updated: March 2026
1. Data Controller / Data Processor
The Site and Services are published by to be completed, to be completed with a share capital of to be completed, whose registered office is located at to be completed, registered under number to be completed (hereinafter “Billify” or “we”).
Under the GDPR, Billify may act:
- as data controller for the data required to manage the Site, your account, the commercial relationship, billing, support and security (the “Billify Data”);
- as data processor for the data contained in the Documents you upload on behalf of your company or organisation (the “Organisation”) (the “Client Data”). In this case, Billify processes such data solely on the instruction of the Organisation, in accordance with a data processing agreement (DPA).
GDPR contact: contact@exemple.com
Address: to be completed
2. Data collected
2.1 Billify Data (data controller)
- Account data: first name, last name, email address, company/organisation, role/job title (optional), language, preferences.
- Authentication data: technical identifiers, connection logs, and passwords stored in encrypted/hashed form via the authentication provider (never in plain text).
- Usage data: pages visited, actions within the interface, number of sessions, duration, technical errors.
- Billing data: plan/subscription, credits, invoice history, information required for accounting purposes.
- Support: exchanges with the support team (content you choose to share with us).
- Cookies/trackers: see the “Cookies” section.
2.2 Client Data (data processing)
Uploaded Documents may contain personal data (e.g. names, contact details, references, financial information). Billify processes this data to perform the Services (OCR, extraction, structuring, export).
- Documents: invoices, expense reports, receipts, supporting documents, administrative/accounting records.
- Data contained in Documents: supplier/client information, employee details, amounts, VAT, dates, references, payment details (sometimes IBAN), addresses, email addresses, etc.
- Extracted data: structured fields produced by the analysis (net/gross amounts, VAT, date, invoice number, supplier, etc.).
3. Purposes of processing
3.1 Purposes relating to Billify Data
- Site provision: account creation/management, secure access, preference management.
- Service provision: credit management, analysis tracking, availability and performance.
- Billing and accounting: subscription management, payments, invoices, legal obligations.
- Support: assistance, incident resolution, customer relations.
- Security: fraud and abuse prevention, logs, anomaly detection.
- Improvement: aggregated statistical analyses, UX improvement and service quality.
- B2B communications (where applicable): product updates, demos, newsletters (unsubscribe available at any time).
3.2 Purposes relating to Client Data
- OCR and automatic extraction of information contained in the Documents.
- Data structuring (accounting/financial fields) to facilitate data entry and export (Excel/CSV/API).
- Making results available to the Organisation and its authorised users.
4. Legal bases (GDPR)
- Performance of a contract: providing the Site and Services (account, analysis, exports, service-related support).
- Legal obligation: accounting/tax obligations (retention of invoices, accounting records, etc.).
- Legitimate interest: security, fraud prevention, service improvement, internal statistics.
- Consent: only where required (e.g. non-essential cookies, certain marketing communications).
For Client Data, Billify acts as a data processor; the legal basis is determined by the Organisation (typically performance of a contract or legitimate interest).
5. Retention periods
- Account and profile data: for the duration of the active relationship, then up to 3 years after the last activity (subject to any contrary legal obligations).
- Billing / accounting data: 10 years (legal obligations and evidence purposes).
- Technical/security logs: generally 6 to 12 months, unless an incident or dispute requires longer retention.
- Client Data (Documents): retained for the time necessary to perform the processing and make the results available, then deleted no later than 30 days after upload, unless a specific configuration or contract with the Organisation provides otherwise.
- Cookies: see the “Cookies” section (variable durations depending on type; your choice is retained for a limited period).
6. Recipients & processors
We do not sell your data. It may be accessible:
- to authorised Billify teams (support, technical, billing), strictly on a need-to-know basis;
- to our sub-processors required for operations (hosting, database, authentication, payment, transactional email, monitoring/security), who are contractually bound to confidentiality and GDPR compliance;
- to competent authorities where required by law or for the defence of our rights.
A list of key sub-processors can be provided on request at contact@exemple.com.
7. Hosting & transfers outside the EU
Where possible, data is hosted within the European Union, and Billify favours hosting in France where this is compatible with the architecture and service providers used.
Should a transfer outside the EU be required via certain providers (e.g. international services), it would be governed by appropriate safeguards (standard contractual clauses, supplementary measures, etc.), in accordance with the GDPR.
8. Security, confidentiality & integrity
Billify implements technical and organisational measures appropriate to the risk, including:
- Encryption in transit (HTTPS/TLS) between your browser and our servers;
- Access control (authentication, sessions, permissions, principle of least privilege);
- Logging of relevant events and anomaly monitoring;
- Backups and restoration procedures for critical components;
- Environment separation (production / testing / development);
- Incident management: internal procedures and, where necessary, notification to the supervisory authority and the individuals concerned in accordance with the GDPR.
Recommendation: before uploading a Document, redact or anonymise any data that is unnecessary for the processing (e.g. sensitive information) where you are able to do so.
9. Automated decisions
The Services use automated processing (OCR/structuring). On the basis of this processing, Billify does not make any decision producing legal effects concerning you (within the meaning of Article 22 of the GDPR) without human intervention by the Organisation.
10. Your rights (GDPR)
You have the following rights, subject to the conditions provided for by applicable regulations:
- right of access;
- right to rectification;
- right to erasure;
- right to restriction of processing;
- right to object (including to direct marketing);
- right to data portability;
- right to define post-mortem instructions (French law).
11. Exercising your rights & complaints
For Billify Data: contact us at contact@exemple.com or by post to: to be completed.
For Client Data: please contact your Organisation first (data controller). You may also write to us; we will handle the request in coordination with the Organisation and in accordance with its instructions.
You also have the right to lodge a complaint with the CNIL (French data protection authority): www.cnil.fr.
12. Cookies
Billify uses strictly necessary cookies for the website to function (session, security, preferences). Other cookies (e.g. audience measurement) may be used only where required and in accordance with your choices.
To find out more and manage your preferences: Cookie management.
13. Changes to this policy
We may update this policy to reflect changes in the Services, our practices, or applicable regulations. The version in force is the one published on this page. In the event of a material change, we will inform you by an appropriate means (notification, email, information banner).