Last updated on June 15, 2026
Effective Date: June 15, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement between Billable Hub (“Billable Hub,” “we,” “our,” or “us”) and the customer or organization using the Services (“Customer,” “you,” or “your”).
This DPA applies when Billable Hub processes Customer Personal Data on behalf of Customer in connection with the Services, including AI-assisted features. Capitalized terms not defined in this DPA have the meanings given in the Terms of Service.
For Customer Personal Data, Customer is the controller, business, or equivalent party that determines the purposes and means of processing. Billable Hub is the processor, service provider, or equivalent party that processes Customer Personal Data on Customer’s behalf.
Billable Hub may separately act as a controller for account administration, billing, security, support, website operations, legal compliance, fraud prevention, and service improvement data as described in our Privacy Policy.
“Applicable Data Protection Laws” means privacy, data protection, and data security laws that apply to the processing of Customer Personal Data, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, and applicable U.S. state privacy laws.
“Customer Personal Data” means personal data, personal information, or similar regulated information contained in Customer Data that Billable Hub processes on behalf of Customer through the Services.
“Data Subject” means an identified or identifiable person whose Customer Personal Data is processed through the Services.
“Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Billable Hub’s possession or control.
“Subprocessor” means a third party engaged by Billable Hub to process Customer Personal Data on Billable Hub’s behalf to provide the Services.
Customer instructs Billable Hub to process Customer Personal Data as needed to:
Billable Hub will not process Customer Personal Data for purposes outside these instructions unless required by law. If Billable Hub believes an instruction violates Applicable Data Protection Laws, we will inform Customer unless prohibited by law.
Customer is responsible for:
Customer should not submit special categories of personal data, sensitive personal information, health information, full payment card numbers, government identity documents, or other highly sensitive information unless Customer has determined that doing so is lawful and necessary. Customer should not submit such information to AI-assisted features unless it is lawful, necessary, and appropriate for the specific use case.
Billable Hub will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or are otherwise bound by appropriate duties of confidentiality.
Billable Hub will maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, and disclosure. Current measures are summarized in Schedule 2.
Customer acknowledges that no service can guarantee absolute security and that Customer is responsible for using the Services securely, including protecting credentials, limiting permissions, reviewing document recipients, and safeguarding exported files.
Customer authorizes Billable Hub to use Subprocessors to provide the Services. Current Subprocessors are listed in Schedule 3.
Billable Hub will require Subprocessors to process Customer Personal Data only as needed to provide their services to Billable Hub and to protect Customer Personal Data using appropriate contractual and security obligations.
Billable Hub may update its Subprocessors from time to time. Customer may object to a new Subprocessor by contacting support@billablehub.com within 30 days after the update if Customer has a reasonable data protection concern. Billable Hub will work in good faith to address the concern. If the concern cannot reasonably be resolved, Customer’s sole remedy is to stop using the affected part of the Services or terminate the Services as allowed by the Terms.
Customer Personal Data may be processed in the United States and other countries where Billable Hub, its infrastructure providers, or Subprocessors operate.
Where Applicable Data Protection Laws require a transfer mechanism for Customer Personal Data, Billable Hub will use an appropriate mechanism, such as a data processing agreement, Standard Contractual Clauses, the UK International Data Transfer Addendum, an adequacy decision, or another valid transfer mechanism.
If Billable Hub receives a request from a Data Subject relating to Customer Personal Data for which Customer is responsible, Billable Hub may direct the requester to Customer or notify Customer when appropriate and legally permitted.
Billable Hub will provide reasonable assistance to Customer in responding to Data Subject requests, taking into account the nature of the Services and information available to Billable Hub. The Services may include self-service tools for account deletion, organization data export, client-facing access, and deletion workflows.
Billable Hub will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data. The notice will include information reasonably available to Billable Hub, such as the nature of the incident, affected data categories, likely consequences, mitigation steps, and contact information for follow-up.
Customer is responsible for determining whether a Security Incident requires notice to regulators, Data Subjects, customers, or others, unless Applicable Data Protection Laws require Billable Hub to provide a specific notice directly.
Unsuccessful security events, routine scans, blocked attacks, spam, phishing attempts, rate-limit events, and other events that do not result in unauthorized access to Customer Personal Data are not Security Incidents under this DPA.
During the term, Customer may use available export features to retrieve Customer Data. After termination, account deletion, or organization deletion, Billable Hub will delete or anonymize Customer Personal Data in accordance with the Services, the Terms, the Privacy Policy, and Billable Hub’s retention practices.
Some information may be retained where reasonably necessary for legal, tax, accounting, billing, security, fraud prevention, abuse reporting, audit log, dispute resolution, backup, or compliance purposes. Organization deletion may include a soft-deletion period before final cleanup so authorized users can export data and recover from accidental deletion.
Taking into account the nature of the processing and information available to Billable Hub, Billable Hub will provide reasonable assistance to Customer with:
Billable Hub may charge reasonable fees for assistance that is not available through standard self-service tools or ordinary support.
Billable Hub will make available information reasonably necessary to demonstrate compliance with this DPA, such as this DPA, the Privacy Policy, Subprocessor information, and security summaries.
If Applicable Data Protection Laws require additional audit rights, Customer may request an audit no more than once per year, on reasonable written notice, during normal business hours, and subject to reasonable confidentiality, security, and scope limits. Audits may not disrupt the Services or expose other customers’ data, trade secrets, confidential security information, or systems beyond what is required by law.
If Billable Hub receives a legally binding request for Customer Personal Data from a government, court, law enforcement agency, or similar authority, Billable Hub will notify Customer unless legally prohibited. Billable Hub may comply with legally valid requests and may challenge requests where appropriate.
Where Customer Personal Data is subject to U.S. state privacy laws, Billable Hub will process Customer Personal Data as a service provider, processor, contractor, or equivalent role. Billable Hub will not sell Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising as those terms are defined by applicable U.S. state privacy laws.
If there is a conflict between this DPA and the Terms, this DPA controls only for the processing of Customer Personal Data. The Terms control for all other matters. If Customer has a separately signed agreement with Billable Hub, that signed agreement controls to the extent it expressly conflicts with this DPA.
Customer instructs Billable Hub to process Customer Personal Data through AI-assisted features when Customer or Customer’s users invoke, configure, or use those features. AI-assisted processing may include AI Input such as help questions, AI Context, time-entry notes, expense descriptions, invoice or estimate notes and footers, balance-update messages, dispute replies, estimate question replies, custom notification HTML, client/project/organization context, line items, document metadata, and other Customer Data relevant to the feature.
AI-assisted features may be routed through Vercel AI Gateway and selected third-party AI model providers. Billable Hub does not use Customer Personal Data to train its own general-purpose AI models. Third-party AI provider handling of AI Input and AI Output, including retention, logging, abuse monitoring, and training, depends on the provider, model, route, plan, contract, and Gateway configuration. Billable Hub may use available Gateway or provider settings intended to limit prompt retention or prompt training where supported.
AI Output may be inaccurate, incomplete, outdated, offensive, duplicative, non-unique, or unsuitable for Customer’s purpose. Customer remains responsible for human review and for determining whether AI Output is appropriate for Customer’s business, legal, tax, accounting, billing, compliance, or client communications needs.
Privacy and data processing questions: support@billablehub.com
General support: support@billablehub.com
Mail: Billable Hub, Weatherford, TX
Billable Hub provides business software for time tracking, project and job tracking, client management, expenses, estimates, invoicing, recurring billing workflows, reporting, exports, organization permissions, secure document access, AI-assisted writing and review, help assistance, and related operations.
Billable Hub processes Customer Personal Data for the term of Customer’s use of the Services and for any additional period described in the Terms, Privacy Policy, product deletion workflows, backup cycles, legal retention requirements, or this DPA.
The processing includes collection, recording, organization, structuring, storage, hosting, transmission, retrieval, viewing, use, disclosure to configured recipients, restriction, export, deletion, anonymization, AI Gateway routing, AI model inference, AI usage reporting, and related operations needed to provide and secure the Services.
Customer Personal Data may relate to:
Customer Personal Data may include:
The Services are not designed for processing special categories of personal data or highly sensitive information. Customer may choose to include sensitive information in free-text fields, notes, attachments, support messages, uploaded files, or AI prompts, and Customer is responsible for ensuring that this processing is lawful and appropriate.
Billable Hub’s current safeguards may include:
Billable Hub currently uses the following Subprocessors and service providers to provide the Services:
| Subprocessor or category | Purpose | Customer Personal Data processed | Location/transfer basis |
|---|---|---|---|
| Clerk | Authentication, account identity, profile, session, email verification, MFA, passkeys, and social sign-in where enabled | User identity, email address, profile information, authentication identifiers, session metadata, profile image data | United States/global infrastructure; provider DPA and transfer mechanisms where applicable |
| Vercel | Application hosting, serverless runtime, static site hosting, logging, Vercel Analytics, BotID/security services, Workflows, Vercel Blob file storage, AI Gateway routing, and AI usage reporting | Application data, files, attachments, logs, IP addresses, user agents, diagnostics, website analytics, AI Input and AI Output routed through Gateway, AI usage metrics | United States/global infrastructure; provider DPA and transfer mechanisms where applicable |
| Vercel AI Gateway model providers, including OpenAI when configured | AI model inference for Smart Rewrite, Tone Monitor, Smart Review, Help Assistant, and related AI-assisted features | Prompts, selected Customer Data, AI Context, AI Output, feature metadata, model/provider metadata, usage metadata | Provider and location depend on the configured model and Gateway route; legal should confirm current production model providers and provider-specific terms |
| Neon or configured PostgreSQL provider | PostgreSQL database hosting | Application database records, including Customer Data stored in the Services | Region depends on database configuration; provider DPA and transfer mechanisms where applicable |
| Stripe | Payment processing, subscription billing, checkout, customer portal, invoicing-related billing metadata, refunds, fraud prevention, and payment-related compliance | Billing contact data, customer identifiers, subscription metadata, transaction metadata, payment method metadata; full card numbers are handled by Stripe | United States/global infrastructure; provider DPA and transfer mechanisms where applicable; Stripe may also act as an independent controller for some payment activities |
| Amazon Web Services / SES SMTP | Transactional email delivery and related email infrastructure | Email addresses, invoice and estimate email content, OTP and notification messages, support or system emails, delivery metadata | United States/global infrastructure; provider DPA and transfer mechanisms where applicable |
| Slack / Salesforce | Internal support, help, abuse-report, and operational notifications where used | Support request metadata, help request content, abuse report metadata, operational alerts, limited account or organization context included in notifications | United States/global infrastructure; provider DPA and transfer mechanisms where applicable |
| Google or other social identity providers selected through Clerk | Optional OAuth or social sign-in | Identity provider profile data, email, avatar, authentication metadata | User-selected third-party service; provider terms and privacy notices may apply |
Billable Hub may add, replace, or remove Subprocessors as the Services evolve. Material updates will be reflected on this page or another public legal page.