Privacy Policy

Last Updated: January 28, 2026

1. Introduction

Thicle Sarl-S ("we," "us," or "our"), a company registered in Luxembourg, operates Billzy, a SaaS invoice tracking platform accessible at billzy.io.

This Privacy Policy explains:

What personal data we collect
How we use your data
Your rights under GDPR
How we protect your data
How to contact us

By using Billzy, you consent to the data practices described in this policy.

2. Data Controller

Data Controller:

Thicle Sarl-S
Luxembourg
Email: info@billzy.io

3. What Data We Collect

3.1 Personal Data You Provide

When you create an account, we collect:

Data Type	Purpose	Legal Basis (GDPR)
Full Name	Account identification, personalization	Contract performance (Art. 6(1)(b))
Email Address	Authentication, communication, support	Contract performance (Art. 6(1)(b))
Password (encrypted)	Account security	Contract performance (Art. 6(1)(b))
Invoice Data	Providing invoice tracking services	Contract performance (Art. 6(1)(b))
Client Names & Details	Invoice management features	Contract performance (Art. 6(1)(b))
Payment Information	Processing Pro Plan subscriptions	Contract performance (Art. 6(1)(b))

3.2 Data We Collect Automatically

When you use Billzy, we automatically collect:

Technical Data: IP address, browser type, device type, operating system
Usage Data: Pages visited, features used, time spent, actions taken
Authentication Data: Login timestamps, session duration
Analytics Data: Collected via Google Analytics 4 (GA4) - page views, events, user interactions

Legal Basis: Legitimate interests (Art. 6(1)(f)) - security, fraud prevention, service improvement

Google Analytics 4: We use GA4 to analyze how users interact with Billzy. GA4 collects anonymized usage data with IP anonymization enabled. GA4's privacy policy: https://policies.google.com/privacy

3.3 Cookies and Tracking

We use the following cookies:

Cookie Name	Purpose	Duration	Type
token	Authentication (keeps you logged in)	7 days	Essential
user	Store user profile data locally	7 days	Essential
_ga	Google Analytics 4 - Distinguish users	2 years	Analytics
_ga_*	Google Analytics 4 - Maintain session state	2 years	Analytics

Analytics Cookies: We use Google Analytics 4 (GA4) with IP anonymization enabled to understand how users interact with Billzy. These cookies help us improve the service but are not essential for functionality.

Managing Cookies: You can control or disable cookies through your browser settings. Note that disabling essential cookies may affect functionality. To opt out of Google Analytics: https://tools.google.com/dlpage/gaoptout

Note: We do NOT use advertising cookies or sell your data to third parties.

3.4 Data We Do NOT Collect

Social security numbers or tax IDs
Bank account details (payment handled by Stripe)
Sensitive personal data (health, religion, political views)
Location data beyond IP-based country detection
Biometric data

4. How We Use Your Data

4.1 Service Provision

We use your data to:

Create and manage your account
Provide invoice tracking features
Store and display your invoices and client data
Generate reminder templates and late fee calculations
Predict cash flow based on your invoices

4.2 Communication

We may email you for:

Transactional emails: Account confirmations, password resets, payment receipts
Service emails: Feature updates, service changes, security alerts
Marketing emails: Product updates, tips (with opt-out option)

You can unsubscribe from marketing emails at any time.

4.3 Payment Processing

Pro Plan subscriptions (€19/month) are processed by Stripe, a PCI-DSS Level 1 certified payment processor.

What Stripe Collects: Name, email, billing address, payment card information, VAT number (if applicable)
What We Store: Stripe customer ID, subscription ID, subscription status - we do NOT store your credit card details
Automatic Tax: Stripe Tax automatically calculates and collects VAT where required
Refunds: You can request a full refund within 14 days of subscription start (GDPR right of withdrawal)

Stripe's privacy policy: https://stripe.com/privacy

4.4 Security and Fraud Prevention

We use data to:

Detect and prevent fraud
Identify security threats
Monitor for unauthorized access
Enforce our Terms and Conditions

4.5 Service Improvement

We analyze anonymized, aggregated usage data to:

Understand how users interact with Billzy
Identify bugs and performance issues
Improve features and user experience
Make product decisions

Note: Aggregated data contains NO personally identifiable information.

5. How We Share Your Data

5.1 Third-Party Service Providers

We share data with trusted third parties who help us operate Billzy:

Provider	Purpose	Data Shared	Location
Vercel	Hosting (frontend & backend)	All application data	EU/US (GDPR-compliant)
Neon	Database hosting	All database records	EU (GDPR-compliant)
Stripe	Payment processing	Name, email, payment info	US (Privacy Shield certified)
Google Analytics 4	Usage analytics	Anonymized usage data, page views	US (GDPR-compliant, IP anonymization)
Resend	Email delivery	Name, email, message content	US (GDPR-compliant)

All third-party providers:

Are GDPR-compliant or Privacy Shield certified
Have Data Processing Agreements (DPAs) with us
Are contractually obligated to protect your data
May only use data to provide services to us

5.2 Legal Requirements

We may disclose data if required by law:

To comply with legal obligations (court orders, subpoenas)
To protect our rights, property, or safety
To prevent fraud or illegal activity
In connection with investigations by authorities

5.3 Business Transfers

If Thicle Sarl-S is acquired or merged, your data may be transferred to the new owner. You will be notified 30 days before any transfer.

5.4 What We Do NOT Do

We do NOT sell your data to third parties
We do NOT share your data with advertisers
We do NOT use your data for purposes beyond those stated in this policy

6. Your Rights Under GDPR

As an EU data subject, you have the following rights:

6.1 Right to Access (Art. 15)

You can request a copy of all personal data we hold about you.

How: Email info@billzy.io with subject "Data Access Request"

6.2 Right to Rectification (Art. 16)

You can correct inaccurate or incomplete data.

How: Update your profile in dashboard settings or email us

6.3 Right to Erasure ("Right to be Forgotten") (Art. 17)

You can request deletion of your personal data.

How: Email info@billzy.io with subject "Data Deletion Request"

Timeline: Deleted within 30 days (backups may persist up to 90 days)

6.4 Right to Restrict Processing (Art. 18)

You can request that we stop processing your data temporarily.

How: Email info@billzy.io with subject "Restrict Processing"

6.5 Right to Data Portability (Art. 20)

You can export your data in a machine-readable format (CSV or JSON).

How: Use the "Export Data" feature in your dashboard or email us

6.6 Right to Object (Art. 21)

You can object to processing based on legitimate interests.

How: Email info@billzy.io with subject "Object to Processing"

6.7 Right to Withdraw Consent (Art. 7(3))

You can withdraw consent for marketing emails or optional data processing.

How: Click "Unsubscribe" in any email or update preferences in dashboard

6.8 Right to Lodge a Complaint

You can file a complaint with your local data protection authority:

Luxembourg: Commission Nationale pour la Protection des Données (CNPD) - https://cnpd.public.lu
Other EU countries: Contact your national supervisory authority

6.9 Response Time

We will respond to all GDPR requests within 30 days of receipt. Complex requests may take up to 60 days (we'll notify you).

7. Data Security

7.1 Technical Safeguards

We protect your data with:

Encryption: HTTPS/TLS for all data in transit
Password Security: Bcrypt hashing (industry standard)
Database Security: SSL connections, access controls
Authentication: JWT tokens with expiration
Backups: Daily automated backups, encrypted

7.2 Organizational Safeguards

Access to data is restricted to authorized personnel only
Regular security audits and vulnerability assessments
Incident response plan for data breaches
Secure development practices (code reviews, testing)

7.3 Data Breach Notification

In the event of a data breach:

We will notify affected users within 72 hours
We will notify Luxembourg CNPD within 72 hours (GDPR requirement)
Notification will include: nature of breach, data affected, mitigation steps

8. Data Retention

8.1 Active Accounts

Account data: Retained while account is active
Invoice data: Retained while account is active
Payment records: Retained for 7 years (Luxembourg tax law)

8.2 Inactive Accounts

Accounts inactive for 12 months: Warning email sent
Accounts inactive for 24 months: Data deleted automatically

8.3 Deleted Accounts

Personal data deleted within 30 days of account deletion
Backup copies may persist for up to 90 days
Anonymized usage statistics retained indefinitely

8.4 Legal Obligations

We may retain data longer if required by law (e.g., tax records, legal disputes).

9. International Data Transfers

9.1 EU Data Storage

Your data is primarily stored in EU data centers (Neon database, Vercel EU region).

9.2 US Service Providers

Some data may be processed in the US by:

Stripe: Privacy Shield certified, EU-US Data Privacy Framework compliant
Vercel: GDPR-compliant, Standard Contractual Clauses (SCCs)

9.3 Safeguards

All international transfers are protected by:

Standard Contractual Clauses (SCCs) approved by EU Commission
GDPR-compliant Data Processing Agreements
Equivalent level of protection as in the EU

10. Children's Privacy

Billzy is not intended for users under 18 years old. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately at info@billzy.io.

11. Marketing Communications

11.1 Opt-In

We will only send marketing emails if you:

Opt in during registration, OR
Have an existing customer relationship with us

11.2 Opt-Out

You can unsubscribe anytime by:

Clicking "Unsubscribe" in any marketing email
Updating preferences in your dashboard
Emailing info@billzy.io

11.3 Transactional Emails

You cannot opt out of transactional emails (e.g., password resets, payment confirmations) as they are necessary for the Service.

12. Third-Party Links

Billzy may contain links to third-party websites (e.g., Stripe, payment processors). We are not responsible for the privacy practices of these sites. Please review their privacy policies.

13. Changes to This Privacy Policy

13.1 Updates

We may update this Privacy Policy from time to time. Changes will be effective:

Immediately: For clarifications or non-material changes
30 days after notification: For material changes

13.2 Notification

We will notify you of material changes via:

Email to your registered address
In-app notification
Notice on billzy.io homepage

13.3 Review

We recommend reviewing this Privacy Policy periodically. The "Last Updated" date at the top indicates the most recent revision.

14. Contact Us

Data Protection Contact:

Thicle Sarl-S
Luxembourg
Email: info@billzy.io

For privacy-related requests:

Data access: info@billzy.io (subject: "Data Access Request")
Data deletion: info@billzy.io (subject: "Data Deletion Request")
Data portability: info@billzy.io (subject: "Data Export Request")
Other inquiries: info@billzy.io

Response time: Within 30 days (GDPR requirement)

15. Supervisory Authority

If you have concerns about how we handle your data, you can contact Luxembourg's data protection authority:

Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
Website: https://cnpd.public.lu
Email: info@cnpd.lu

16. Acknowledgment

BY USING BILLZY, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL DATA AS DESCRIBED HEREIN.

Last Updated: January 28, 2026 | Version 1.0 | GDPR Compliant