Privacy Policy
Billstead ("[YOUR NAME / TRADING NAME]", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is:
[FULL NAME / BUSINESS NAME]
[ADDRESS]
Ireland
Email: privacy@billstead.app
2. What Data We Collect
We collect and process the following categories of personal data:
- Account data: your name and email address, provided at registration.
- Property data: property names and addresses you enter.
- Financial data: bill amounts, descriptions, due dates, payment status, and shared expense splits you record.
- Document uploads: PDF or image files you upload as bill attachments (Pro plan).
- Usage data: server logs including IP address, browser type, pages visited, and request timestamps.
- Subscription data: your plan (Free or Pro), trial status, and billing dates (we hold no card data; card data is handled by Stripe).
3. Legal Basis for Processing
4. How We Use Your Data
- To provide and operate the Billstead service.
- To send you daily balance summaries and bill payment reminders (you can opt out in Settings).
- To parse bill documents using AI assistance (uploaded documents are sent to OpenAI for text extraction — see Section 6).
- To process subscription payments via Stripe.
- To respond to your support requests.
- To comply with our legal obligations (e.g. tax record retention).
5. Cookies
Billstead uses only strictly necessary cookies — session authentication tokens required to keep you logged in. No analytics cookies, advertising cookies, or third-party tracking scripts are used. No cookie consent banner is required for strictly necessary cookies under the EU ePrivacy Directive.
6. Sub-Processors (Third Parties)
We share data with the following sub-processors who act as data processors on our behalf:
- Supabase — database, authentication, and file storage. EU region. DPA.
- Resend — transactional email delivery (balance digests, reminders, invitations). DPA.
- OpenAI — AI-assisted bill parsing (Pro plan only). Bill content is sent to OpenAI's API for text extraction. US-based; Standard Contractual Clauses apply. DPA.
- Stripe — payment processing and subscription management. DPA.
- Fly.io — backend hosting (Frankfurt region). Privacy Policy.
- Vercel / Cloudflare Pages — frontend hosting and CDN. DPA.
We do not sell your data to third parties.
7. International Data Transfers
OpenAI is based in the United States. Data transfers to OpenAI are protected by Standard Contractual Clauses (SCCs) as provided in OpenAI's Data Processing Addendum. All other sub-processors process data within the EU/EEA or under equivalent safeguards.
8. Data Retention
9. Your Rights
Under GDPR you have the following rights:
- Access: request a copy of your personal data (Settings → Download my data).
- Rectification: update your name and preferences in Settings.
- Erasure: delete your account and all associated data (Settings → Delete account).
- Restriction: request that we restrict processing of your data.
- Portability: download your data in JSON format (Settings → Download my data).
- Objection: object to processing based on legitimate interests.
- Withdraw consent: opt out of email notifications at any time (Settings → Notifications).
To exercise any right, email privacy@billstead.app. We will respond within 30 days.
10. Right to Complain
You have the right to lodge a complaint with the Irish Data Protection Commission (DPC):
dataprotection.ie
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email and update the "Last updated" date above. Continued use of Billstead after changes constitutes acceptance.
12. Contact
For any data protection questions or requests:
privacy@billstead.app