Privacy Policy
Last updated: June 29, 2026
This Privacy Policy explains how BillSlash ("we", "us", "our") collects, uses, shares, and protects personal information when you use billslash.app and related applications (the "Service"). BillSlash is the data controller for personal information processed about you, except where we act as a processor on behalf of a Business or Enterprise customer.
1. Information we collect
- Account data — name, email, hashed password, display name, profile photo, language and theme preferences.
- Billing data — subscription tier, billing history, and tax identifiers (handled by Stripe; we never receive your full card number).
- Bill & financial data you provide — provider, category, amount, billing cycle, notes, account numbers you choose to enter, and bank-connection metadata via Plaid when you authorize it.
- Documents you upload — bill statements and receipts stored in our encrypted vault.
- Usage data — pages viewed, features used, device and browser identifiers, approximate location derived from IP, log timestamps, and crash diagnostics.
- Communications — in-app messages, support tickets, email correspondence.
- Cookies and similar technologies — see Section 9.
2. How we use it (purposes & legal bases)
- To provide the Service — create your account, sync bills, generate scripts and exports (contract).
- To process payments via Stripe (contract).
- To secure the Service — fraud, abuse, and threat prevention (legitimate interests; legal obligation).
- To improve the Service — analytics, debugging, product research (legitimate interests).
- To communicate — transactional emails and important notices (contract/legal obligation); marketing only with your consent.
- To comply with law — tax records, fraud investigations, lawful requests.
3. AI processing
When you generate a call script, summary, categorization, or savings plan, the minimum necessary bill information is sent to our AI providers for inference. We contractually prohibit our AI providers from using your data to train their models. We do not send your full document vault to AI by default.
4. Sharing & disclosure
- Service providers (processors) — cloud hosting, database, AI inference, email delivery, analytics, customer support, and error monitoring, all bound by data-processing agreements.
- Stripe, Inc. — payment processing, subscriptions, tax compliance, invoicing.
- Plaid Inc. — bank-connection services (only when you opt in). Plaid's own privacy practices are described in the Plaid End User Privacy Policy.
- Integrations you enable — QuickBooks, Xero, Gusto, Slack, Google, Apple, webhooks you configure.
- Professional advisers — legal, accounting, auditors, under confidentiality.
- Business transfers — in a merger, acquisition, financing, or asset sale (with continued protection).
- Authorities — when required by law, court order, or to protect rights and safety.
We do not sell your personal information for money, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA.
5. Retention
We keep account and bill data while your account is active. On deletion, we delete or anonymize that data within 30 days, except where retention is required for tax, fraud-prevention, or legal compliance (typically up to 7 years for financial records).
6. Your privacy rights
EEA, UK & Switzerland (GDPR / UK GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing, and to withdraw consent at any time. You may lodge a complaint with your local supervisory authority. International transfers rely on Standard Contractual Clauses or equivalent safeguards.
California (CCPA / CPRA)
California residents have the right to (a) know what personal information we collect, use, and disclose; (b) request deletion; (c) request correction; (d) opt out of sale or sharing (we do not sell or share); (e) limit use of sensitive personal information; and (f) be free from retaliation. To exercise rights, email privacy@billslash.app. We will verify your identity using your account email before responding. You may use an authorized agent.
Other US states (VA, CO, CT, UT, TX, etc.)
Where applicable state law grants rights similar to the above, those rights apply to you. Contact privacy@billslash.app.
We respond to verifiable requests within 30–45 days, as required by law.
7. Children
The Service is not directed to children under 18 and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.
8. Security
We use encryption in transit (TLS 1.2+) and at rest, role-based access controls, least-privilege provisioning, Row-Level Security on our database, audit logging, and regular reviews. No system is perfectly secure, but we work hard to protect your data and will notify affected users of any breach as required by law.
9. Cookies & tracking
We use strictly necessary cookies to keep you signed in, remember preferences, and secure the Service. With your consent, we may use limited analytics cookies to understand usage. You can manage preferences via the in-app cookie banner or your browser settings. We honor Global Privacy Control (GPC) signals.
10. International transfers
Some of our service providers are located outside the EEA/UK/Switzerland. Where applicable, we rely on Standard Contractual Clauses, the UK Addendum, or adequacy decisions, and we implement supplementary measures where needed.
11. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you solely through automated means. AI Output is a tool — you make the decisions.
12. Changes
We may update this Policy from time to time. Material changes will be communicated via email or in-app notice and will become effective on the date posted.
13. Contact
Privacy questions and rights requests: privacy@billslash.app. EU/UK representative requests: same address.
