Privacy Policy
Last updated: 14 April 2026
Who we are
Billbook is a multi-user bookkeeping web application for small businesses and companies, operated by VAWIDEA Inc. For privacy enquiries, contact us at i@billbook.me.
What data we process
Account data
- Email address (required to create an account)
- Hashed password
- Session tokens
Application data
- Transactions you create — title, amount, type, category, optional note, timestamps
- Categories and tag prefixes you define
- Per-user settings (language, theme)
Technical data
- Cookies: bb_geo (your detected region for consent banner display) and Supabase authentication cookies (essential)
- Local browser storage — a copy of your transactions and settings for offline use, plus sync metadata
- IP address — used by Vercel to route requests; not stored by us
- Device / browser info collected by Google Analytics (only if you consent — see Cookies below)
Why we process it
| Data | Purpose | Legal basis (GDPR Art 6) |
|---|---|---|
| Email, password | Authenticate you, deliver service | Contract (b) |
| Transactions, categories | Provide the bookkeeping service | Contract (b) |
| Subscription / payment | Bill you for paid plans | Contract (b) |
| Geo cookie (bb_geo) | Decide whether to show consent banner | Legitimate interest (f) — strictly necessary for compliance |
| Google Analytics | Understand usage, improve product | Consent (a) — only after you accept |
| Cleanup of trashed items >60 days | Free storage, reduce data exposure | Legitimate interest (f) |
Who we share data with (processors)
We use the following service providers to operate Billbook. Each processes your data only on our instructions, under their respective data processing agreements.
| Processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database, authentication | US / region of your project |
| Vercel Inc. | Hosting, edge network | Global edge |
| Google LLC | Google Analytics 4 (only with consent) | US / EU |
| Paddle | Subscription billing (if you upgrade) | UK / US |
| Resend | Transactional email | US / EU |
We do not sell your data and do not share it with third parties for advertising.
International data transfers
Some of our processors are based outside the EEA. Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (or equivalent safeguards under UK / CH law) to ensure an adequate level of protection.
Data retention
- Active transactions: kept until you delete them
- Trashed transactions: hard-deleted 60 days after deletion
- Account data: kept until you close your account
- Session cookies: per Supabase defaults
- Consent decision (bb_consent): 12 months (then re-prompted)
- Geo cookie (bb_geo): 7 days, refreshed on each visit
- Google Analytics data: 14 months (GA4 default)
Your rights (EU / EEA / UK / CH residents)
Under GDPR / UK GDPR / Swiss FADP, you have the right to:
- Access the data we hold about you
- Rectify inaccurate data
- Erase your account and data (export first if you want a copy)
- Restrict or object to processing
- Data portability — export your transactions as CSV from Settings
- Withdraw consent at any time — clear your cookie preference in your browser to be re-prompted
- Lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France, BfDI in Germany)
To exercise any of these rights, contact i@billbook.me. We will respond within 30 days.
Cookies and similar technologies
| Cookie / storage | Purpose | Essential? | Set by |
|---|---|---|---|
| Supabase auth cookies | Keep you signed in | Yes | Supabase |
| bb_geo | Region detection for consent banner | Yes (compliance) | Billbook |
| bb_consent (localStorage) | Remember your consent choice | Yes (compliance) | Billbook |
| bb_transactions, bb_categories, bb_settings (localStorage) | Offline copy of your data | Yes (functionality) | Billbook |
| _ga, _ga_* | Google Analytics tracking | No — only with consent | |
Children
Billbook is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
Changes to this policy
We will update the "Last updated" date when this policy changes. Material changes will be announced in-app before they take effect.
This policy is provided as a starting point and does not constitute legal advice. Consult a qualified lawyer to confirm it meets your obligations in every jurisdiction where you operate.