Last updated on June 15, 2026
Effective Date: June 15, 2026
This Privacy Policy explains how Billable Hub (“Company,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information when you use Billable Hub, including our websites, applications, client portal, support channels, billing workflows, and related services (including AI-assisted features, collectively, the “Services”).
This Policy applies to visitors, account users, organization owners and team members, invited users, client contacts who receive or view invoices or estimates, support requesters, abuse-report submitters, and other people who interact with the Services.
For some personal information, we act as a controller or business, such as when we process account, subscription, security, support, marketing, website, and product operations data.
For customer-entered business records, we generally process information on behalf of the organization or account owner that uses the Services. This may include client contacts, invoice and estimate content, time entries, expense records, attachments, notes, and related workflow records (“Customer Data”). Organization owners and administrators are responsible for ensuring they have the right to provide Customer Data to the Services and to invite users or send client-facing documents.
We collect personal information depending on how you interact with the Services, including:
We use personal information to:
If GDPR/UK GDPR applies, our legal bases include:
We collect information:
Because Billable Hub is a time tracking and invoicing service, Customer Data may reveal business relationships, client contact details, project activity, work schedules, services performed, expense details, payment history, document status, and other billing or operational context.
Organization users control the Customer Data they enter and the client contacts they send documents to. Client contacts may see information included in invoices, estimates, secure links, client portal views, questions, disputes, approvals, and related email notices. Organization owners and administrators may see user activity, time entries, audit logs, billing records, exports, and other workspace records according to their permissions and plan features.
We may share personal information with:
We do not sell personal information for money. We do not knowingly share personal information for cross-context behavioral advertising. If our practices change, we will update this Policy and provide any required choices.
We use subprocessors and service providers to provide the Services. Current providers include:
| Provider or category | Purpose | Data involved | Location/transfer basis and notes |
|---|---|---|---|
| Clerk | Authentication, account identity, profile, session, email verification, MFA, passkeys, and social sign-in where enabled | User identity, email, profile data, authentication identifiers, session metadata, profile image data | US/global infrastructure; provider DPA/SCCs where applicable |
| Vercel | Application hosting, serverless runtime, deployment platform, Vercel Analytics, BotID/security services, Workflows, Vercel Blob file storage, AI Gateway routing, and AI usage reporting | Application data, files, attachments, logs, IP addresses, user agents, diagnostics, website analytics, AI Input and AI Output routed through Gateway, AI usage metrics | US/global infrastructure; provider DPA/SCCs where applicable |
| Vercel AI Gateway model providers, including OpenAI when configured | AI model inference for Smart Rewrite, Tone Monitor, Smart Review, Help Assistant, and related AI-assisted features | Prompts, selected Customer Data, AI Context, AI Output, feature metadata, model/provider metadata, usage metadata | Provider and location depend on the configured model and Gateway route; legal should confirm current production model providers and provider-specific terms |
| Neon or configured PostgreSQL provider | Database hosting | Application database records, including Customer Data stored in the Services | Region depends on database configuration; provider DPA/SCCs where applicable |
| Stripe | Payments, subscriptions, checkout, billing portal, refunds, fraud prevention, and payment-related compliance | Billing/customer/payment metadata, billing contact details, customer identifiers, subscription metadata, transaction metadata; full card numbers are handled by Stripe | Stripe may act as processor and independent controller depending on activity; provider DPA/SCCs where applicable |
| Amazon Web Services / Amazon SES SMTP | Transactional email delivery and related email infrastructure | Email addresses, sender data, invoice/support/OTP/document notification email content, delivery metadata | US/global infrastructure; provider DPA/SCCs where applicable |
| Slack / Salesforce | Internal support, help, abuse-report, and operational notifications where used | Support request metadata, help request content, abuse report metadata, operational alerts, limited account or organization context included in notifications | US/global infrastructure; provider DPA/SCCs where applicable |
| Google or other social identity providers selected through Clerk | Optional OAuth or social sign-in | Identity provider profile data, email, avatar, authentication metadata | User-selected third-party service; provider terms and privacy notices may apply |
Subprocessors may process personal information only as needed to provide contracted services to us and are not authorized to use Customer Data for their own marketing.
Customers that need processor terms for Customer Data can review our Data Processing Agreement: /dpa.
We use cookies and similar technologies for:
We use Vercel Web Analytics to understand aggregated page views and service usage. Vercel Web Analytics is designed to provide aggregate statistics without using third-party cookies or identifying individual visitors across websites.
We do not currently use cookie banners, marketing trackers, or advertising pixels on our websites. If we add non-essential tracking technologies in the future, such as advertising pixels or marketing analytics tools, we will update this Policy and request consent where required.
Where required by law, we request consent before setting non-essential cookies or using non-essential tracking technologies. You can control cookies through your browser settings, but some features may not work without essential cookies.
We retain personal information for as long as reasonably necessary for the purposes in this Policy, including to provide the Services, maintain business records, resolve disputes, enforce agreements, meet legal, accounting, tax, and compliance obligations, and protect the Services.
Retention periods vary based on the type of information, account status, organization settings, legal requirements, backup cycles, security needs, and whether information is Customer Data controlled by an organization. Our current retention schedule is:
| Category | Examples | Typical retention period | Deletion or review process |
|---|---|---|---|
| Account and profile records | Name, email address, phone number, profile settings, communication preferences, account status, organization memberships | While the account is active; after account deletion, personal profile data is deleted or anonymized except limited records needed for security, audit, legal, or enforcement purposes | Users may delete their account in the product, subject to organization-owner transfer or deletion requirements |
| Organization workspace data | Clients, contacts, projects, jobs, services, time entries, expenses, notes, invoice and estimate records, attachments, branding, and settings | While the organization is active; after organization deletion, the organization is held for a 90-day recovery/export period before final cleanup | Authorized users may export data before deletion; final cleanup runs through the organization deletion workflow |
| Invoice, estimate, payment, tax, and accounting records | Issued invoices, estimates, payment history, ledger entries, tax settings, billing addresses, tax IDs, subscription and Stripe metadata | While needed to provide the Services, process payments, support active organizations, resolve disputes, handle chargebacks, maintain security, or comply with our legal obligations | Reviewed for service, payment, chargeback, dispute, security, audit, and legal needs before deletion or anonymization |
| Generated organization data exports | Export job metadata, export files, attachment packages, and download records | Export download availability expires after 7 days; export records are otherwise retained with the organization until deleted or cleaned up | Expired exports are no longer downloadable; organization deletion removes export records during final cleanup |
| AI-assisted feature records | AI Input, AI Output that users save or apply, AI review findings, prompt metadata, feature tags, model/provider metadata, token or request counts, errors, latency, spend metrics, and user actions on AI results | Saved AI Output is retained with the related Customer Data; AI usage metadata and review findings are retained as needed for billing, limits, security, troubleshooting, product operations, and audit history; third-party provider retention depends on provider/model/Gateway configuration | Users should not submit sensitive personal information to AI-assisted features unless lawful, necessary, and appropriate |
| Uploaded files and attachments | Receipts, invoice attachments, estimate attachments, organization logos, banners, profile images, and support screenshots | While the related account, organization, invoice, estimate, expense, or support matter is active; after deletion according to the related record’s workflow | Users may delete supported files in the product where deletion is available; some files may be retained if tied to finalized business records |
| Support, privacy, and abuse-report records | Support messages, privacy requests, screenshots, abuse reports, investigation notes, and operational follow-up | While needed to respond and generally up to 3 years after the last interaction, unless a longer period is needed for legal, security, or dispute reasons | Reviewed when a matter closes or when a valid privacy request is received |
| Security, anti-abuse, and rate-limit records | IP addresses, user agents, security events, rate-limit events, abuse-limit counted events, and denied-action audit records | Abuse-limit counted events are retained for 30 days; abuse-limit denial audit records are retained for 180 days; other security records are retained as needed to protect the Services | Automated cleanup removes expired abuse-limit records; other security records are reviewed based on risk and operational need |
| Audit logs and workflow history | Organization, billing, export, deletion, permission, status, invoice, estimate, and payment history | While the organization is active and for any additional period needed for audit, dispute, compliance, security, or legal purposes | Deleted or anonymized when no longer needed, unless retained for legal, accounting, tax, security, or dispute purposes |
| Short-lived access and verification records | OTP codes, invitation links, email-change tokens, share links, session and security tokens | Tokens, codes, and links expire according to product settings, typically within minutes to days depending on the workflow | Expired, used, revoked, or superseded records may be deleted, invalidated, or retained briefly for security auditing |
| Website analytics and diagnostics | Aggregated page views, usage diagnostics, logs, and performance information | Retained while useful for product operations, reliability, security, and service improvement | Reviewed periodically and deleted or aggregated when no longer needed |
| Backups and provider logs | Database backups, infrastructure logs, email delivery logs, storage provider logs, and subprocessor operational records | Retained according to our operational needs and provider backup/log cycles | Removed through provider retention cycles; restored backups remain subject to this Policy and applicable deletion workflows |
Customers are responsible for exporting and retaining copies of their own invoices, estimates, accounting records, tax records, and related business records for their tax, accounting, legal, and recordkeeping needs. We may retain information longer only if needed for our legal obligations, security investigations, fraud prevention, abuse investigations, dispute resolution, chargebacks, enforcement of agreements, or legal holds. When we no longer need personal information, we delete, anonymize, or otherwise place it beyond active use where appropriate.
We use reasonable administrative, technical, and physical safeguards designed to protect personal information. These safeguards may include authentication controls, organization permissions, private file handling, secure document links, OTP flows, audit logs, monitoring, rate limits, and access controls. No method of transmission or storage is completely secure.
We use automated processing to operate and protect the Services, including authentication checks, workspace permission checks, subscription entitlement enforcement, rate limits, abuse detection, document access controls, security suspensions, audit logging, reminders, recurring invoice workflows, and data export/deletion task queues.
We also provide AI-assisted features that may draft, rewrite, summarize, review, or analyze business content and product-help questions. These features may include Smart Rewrite, Tone Monitor, Smart Review, Help Assistant, AI Context, and similar features. Depending on the feature, AI processing may include invoice or estimate text, time entries, expenses, client/project/organization context, dispute replies, estimate question replies, custom notification HTML, selected records, help questions, and related metadata.
AI requests may be routed through Vercel AI Gateway and configured third-party AI model providers. Billable Hub does not use Customer Data to train its own general-purpose AI models. Third-party AI provider handling of AI Input and AI Output, including retention, logging, abuse monitoring, and training, depends on the provider, model, route, plan, contract, and Gateway configuration. We may use available Gateway or provider settings intended to limit prompt retention or prompt training where supported.
AI output may be inaccurate, incomplete, outdated, offensive, duplicative, non-unique, or unsuitable for your purpose. Users are responsible for reviewing AI output before using, sending, publishing, saving, or relying on it. AI output is not legal, tax, accounting, financial, collection, compliance, security, or other professional advice.
We do not use automated processing or AI-assisted features to make legal or similarly significant decisions about you without appropriate review where required by law.
Your information may be processed in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers, such as data processing agreements, Standard Contractual Clauses, and similar transfer mechanisms.
Depending on your location, you may have rights to:
To exercise privacy rights, submit a privacy request through our contact form: /contact?topic=privacy.
You may also email support@billablehub.com with the subject line “Privacy Request.” We may need to verify your identity before completing a request. If your request concerns Customer Data controlled by an organization, we may direct you to that organization or work with the organization to respond.
We aim to respond to privacy requests without undue delay and, where GDPR or UK GDPR applies, within 1 month unless an extension is permitted by law.
If you are a resident of a U.S. state with privacy laws (for example, California, Colorado, Virginia, Connecticut, or Utah), you may have additional rights under applicable law. We will honor verified requests as required.
For California residents, this may include the right to know/access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and non-discrimination for exercising privacy rights. We do not sell personal information for money or knowingly share personal information for cross-context behavioral advertising.
The categories of personal information we collect, sources, purposes, disclosures, and retention criteria are described in this Policy.
Some information entered into the Services may be considered sensitive personal information under applicable law, such as account login information, tax identifiers, payment metadata, precise content of communications, or information users choose to include in attachments, notes, invoice comments, support requests, disputes, or AI prompts. We use sensitive personal information only as reasonably necessary to provide, secure, support, and improve the Services, comply with law, prevent abuse, and fulfill other purposes described in this Policy. Do not submit sensitive personal information to AI-assisted features unless it is lawful, necessary, and appropriate for your use of the Services.
We may send transactional and service communications, such as account notices, OTP codes, invitations, invoice and estimate emails, reminders, support replies, billing notices, security alerts, and legal updates. You may be able to manage some communication preferences in the Services. Essential transactional, security, and legal notices may still be sent where necessary.
We may create aggregated or de-identified information from Service usage and Customer Data. We may use this information for analytics, product improvement, security, reporting, and other lawful business purposes, provided it does not identify you.
The Services are not directed to children under 13 (or older age where required by local law). We do not knowingly collect personal information from children.
The Services may contain links to third-party websites or tools. We are not responsible for their privacy practices.
We may update this Privacy Policy periodically. The updated version is effective when posted with a revised Effective Date.
Privacy questions or requests: /contact?topic=privacy
General support: support@billablehub.com
Mail: Billable Hub, Weatherford, TX