Privacy Policy
This Privacy Policy explains how Billstead collects, uses, shares, and protects your personal data when you use our website and services (together, the "Service"). It also sets out the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Irish Data Protection Act 2018.
The Service is operated by Marco Bacer, a sole trader based in Ireland and trading under the registered business name Billstead (Business Name Registration Number 782119, registered with the Companies Registration Office on 20 March 2026 under the Registration of Business Names Act 1963) ("Billstead", "we", "us", "our"). For the purposes of the GDPR, the data controller is Marco Bacer (trading as Billstead) — the business name itself has no separate legal personality.
1. Data Controller and Contact
Marco Bacer trading as Billstead
Business Name Registration No. 782119
Dublin 18, D18 C1XC, Ireland
Email: [email protected]
A full postal address is available on request by emailing [email protected], and is also recorded on the public register at the Irish Companies Registration Office (core.cro.ie) under Business Name Registration No. 782119.
We have not appointed a Data Protection Officer because our processing does not meet the statutory thresholds in Article 37 GDPR. You can still contact us on any privacy matter at the address above.
2. Personal Data We Collect
We collect and process the following categories of personal data:
- Account data: name, email address, hashed password (managed by Supabase Auth), and account preferences.
- Property and household data: property names, addresses, and the email addresses of people you invite to share a property.
- Financial data: bill and expense amounts, currencies, descriptions, due dates, payment status, split configurations, and pairwise balances you record.
- Documents: PDFs or images you upload as bill attachments (Pro plan) and the text extracted from them.
- Inbound email data (Pro): emails you forward to your Billstead address, including sender, subject, body, and attachments, used to create transactions.
- Subscription data: plan (Free or Pro), trial status, and billing dates. Card details are processed directly by Stripe — we never see or store them.
- Technical and usage data: IP address, device and browser type, pages visited, request timestamps, and a per-request identifier, recorded in server logs.
- Support data: the contents of any emails or messages you send us.
We do not knowingly collect special category data (Article 9 GDPR). Please do not upload documents containing health, biometric, political, or other special category data.
3. Legal Bases for Processing
We only process personal data where we have a lawful basis under Article 6 GDPR. The table below summarises our bases by purpose.
| Purpose | Legal basis |
|---|---|
| Creating and operating your account; providing the core Billstead service; managing invitations, memberships, and shared balances. | Performance of a contract — Article 6(1)(b). |
| Processing subscription payments and managing your Pro plan. | Performance of a contract — Article 6(1)(b). |
| Sending transactional emails (invitations, balance digests, due-date reminders, verification). | Performance of a contract — Article 6(1)(b); preferences can be adjusted in Settings on the basis of our legitimate interest in respecting your choices — Article 6(1)(f). |
| Parsing uploaded documents and forwarded emails with AI assistance (Pro). | Performance of a contract — Article 6(1)(b); you request this processing each time you upload or forward. |
| Securing the Service, detecting abuse, and maintaining audit logs. | Legitimate interests — Article 6(1)(f) (operating a secure service). |
| Keeping accounting and tax records. | Legal obligation — Article 6(1)(c) (Irish tax and company law). |
| Responding to data subject requests, complaints, or legal claims. | Legal obligation — Article 6(1)(c); legitimate interests — Article 6(1)(f). |
Where we rely on legitimate interests, we have carried out a balancing test and concluded that these interests are not overridden by your rights. You can ask for details of that assessment at any time.
4. How We Use AI
On the Pro plan, when you upload a bill document or forward an email to your Billstead inbound address, we send the document text and attachments to a third-party large language model provider — currently OpenAI and/or Anthropic — to extract structured fields (payee, amount, due date, line items). The extracted values are saved as a pending-review transaction — they are never committed to your records without your confirmation. AI parsing is not automated decision-making with legal or similarly significant effects under Article 22 GDPR, because a human (you) always reviews and approves the result.
Under the commercial API terms we rely on, OpenAI and Anthropic do not use content submitted through their APIs to train their models. Each provider may retain content for a limited period to provide the service and monitor for abuse, in line with their published policies at the time of processing, after which it is deleted.
5. Cookies and Similar Technologies
Billstead uses only strictly necessary cookies and local storage — specifically, the authentication tokens required to keep you signed in and to remember your theme preference. We do not use analytics cookies, advertising cookies, or third-party tracking scripts. Under Regulation 5 of the Irish ePrivacy Regulations 2011 (SI 336/2011) no consent banner is required for strictly necessary cookies.
6. Sub-Processors
We share personal data with the following sub-processors, each of which acts on our documented instructions under a written data processing agreement (DPA).
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (DPA) | Managed PostgreSQL database, authentication, and file storage. | EU (Frankfurt) |
| Fly.io (Privacy Policy) | Backend application hosting. | EU (Frankfurt) |
| Vercel / Cloudflare (DPA) | Frontend hosting and content delivery (CDN). | Global edge; data-at-rest in EU where configurable. |
| Resend (DPA) | Outbound transactional email delivery and inbound email receipt. | USA; SCCs apply. |
| OpenAI (DPA) | AI-assisted bill parsing (Pro plan only). | USA; SCCs apply. |
| Anthropic (Commercial Terms / DPA) | AI-assisted bill parsing (Pro plan only). | USA; SCCs apply. |
| Stripe (DPA) | Subscription billing and payment processing (acts as independent controller for card data). | Ireland / USA; SCCs apply. |
We never sell your personal data. We will update this list if we appoint a new sub-processor and give you a reasonable opportunity to object.
7. International Transfers
Where a sub-processor is based outside the EU/EEA (currently OpenAI, Anthropic, Resend, and parts of Stripe's infrastructure), transfers take place under the European Commission's Standard Contractual Clauses (2021/914) as incorporated in each provider's DPA, together with supplementary measures such as encryption in transit and at rest and strict access controls. A copy of the clauses is available on request.
8. Data Retention
We retain personal data only for as long as we need it:
| Data | Retention |
|---|---|
| Account profile (name, email, preferences) | For the life of the account; deleted within 30 days of account deletion, subject to the exceptions below. |
| Properties, transactions, splits, and ledger entries | For the life of the property and the account, so long as the account remains active. Deleted within 30 days of account deletion. If you need to keep your records for your own tax or accounting purposes, export them before deleting your account. |
| Uploaded documents and inbound email attachments | Until you delete them, or within 30 days of account deletion. |
| Notification and email delivery logs | 12 months. |
| Authentication and security logs, request logs | 90 days. |
| Support correspondence | 24 months after the last interaction. |
| Billing and invoicing records | 6 years, as required by Irish tax law. |
After the applicable period, data is either deleted or irreversibly anonymised. Residual copies in encrypted backups are purged on our providers' standard backup rotation schedule and are not restored to live systems.
9. Security
We apply appropriate technical and organisational measures to protect your data, including:
- TLS encryption for all traffic between your browser and our servers.
- Industry-standard encryption at rest for the database and file storage, as provided by our infrastructure partners.
- Role-based access control enforced at the application layer; all access to sensitive tables is mediated by our backend under the principle of least privilege.
- Hashed, salted passwords handled by Supabase Auth; we never see plaintext passwords.
- Request-level audit logging with a unique request identifier for traceability.
- Regular dependency updates and security review of material changes.
- Breach response procedures designed to meet the 72-hour notification requirement in Article 33 GDPR.
10. Your Rights
Under the GDPR you have the following rights, free of charge:
- Access — Settings → "Download my data" returns a JSON export of the personal data we hold about you.
- Rectification — edit your name and preferences in Settings, or email us for anything you cannot self-serve.
- Erasure ("right to be forgotten") — Settings → "Delete account" removes your account and associated data, subject to the retention exceptions in Section 8.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — the data export is provided in a structured, machine-readable JSON format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you can withdraw it at any time. Withdrawal does not affect processing carried out before withdrawal.
To exercise any right, email [email protected]. We will respond within one month of receiving a verifiable request, as required by Article 12 GDPR. We may extend this by a further two months for complex requests and will tell you if we do.
11. Right to Complain
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Irish Data Protection Commission:
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
dataprotection.ie
You may also complain to the supervisory authority in your EU member state of habitual residence.
12. Children
Billstead is intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Shared Properties and Joint Use
When you invite someone to a property, their email address and the transactions you record become visible to the other members of that property in line with their role. If you are a member of a property, remember that the property owner and other members may see the bills, expenses, and balances you create. Do not record information you are not comfortable sharing with the other members.
14. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email at least 14 days before the change takes effect and will update the "Last updated" date at the top of this page. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact
For any question, request, or complaint about this policy or our handling of your personal data, contact [email protected].