Billable Hub

Privacy Policy

Last updated on June 15, 2026

Effective Date: June 15, 2026

This Privacy Policy explains how Billable Hub (“Company,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information when you use Billable Hub, including our websites, applications, client portal, support channels, billing workflows, and related services (including AI-assisted features, collectively, the “Services”).

This Policy applies to visitors, account users, organization owners and team members, invited users, client contacts who receive or view invoices or estimates, support requesters, abuse-report submitters, and other people who interact with the Services.

1. Our Role

For some personal information, we act as a controller or business, such as when we process account, subscription, security, support, marketing, website, and product operations data.

For customer-entered business records, we generally process information on behalf of the organization or account owner that uses the Services. This may include client contacts, invoice and estimate content, time entries, expense records, attachments, notes, and related workflow records (“Customer Data”). Organization owners and administrators are responsible for ensuring they have the right to provide Customer Data to the Services and to invite users or send client-facing documents.

2. Information We Collect

We collect personal information depending on how you interact with the Services, including:

  1. Account and profile information:
  1. Organization and billing profile information:
  1. Client and contact information:
  1. Work, time tracking, and project information:
  1. Invoice, estimate, payment, and accounting workflow information:
  1. Expense and file information:
  1. Support, abuse-report, and communications information:
  1. Subscription and payment metadata:
  1. Usage, device, log, and security information:
  1. AI-assisted feature information:

3. How We Use Information

We use personal information to:

If GDPR/UK GDPR applies, our legal bases include:

5. How We Collect Information

We collect information:

6. Time Tracking, Invoice, and Client Portal Data

Because Billable Hub is a time tracking and invoicing service, Customer Data may reveal business relationships, client contact details, project activity, work schedules, services performed, expense details, payment history, document status, and other billing or operational context.

Organization users control the Customer Data they enter and the client contacts they send documents to. Client contacts may see information included in invoices, estimates, secure links, client portal views, questions, disputes, approvals, and related email notices. Organization owners and administrators may see user activity, time entries, audit logs, billing records, exports, and other workspace records according to their permissions and plan features.

7. Sharing of Information

We may share personal information with:

We do not sell personal information for money. We do not knowingly share personal information for cross-context behavioral advertising. If our practices change, we will update this Policy and provide any required choices.

8. Subprocessors

We use subprocessors and service providers to provide the Services. Current providers include:

Provider or categoryPurposeData involvedLocation/transfer basis and notes
ClerkAuthentication, account identity, profile, session, email verification, MFA, passkeys, and social sign-in where enabledUser identity, email, profile data, authentication identifiers, session metadata, profile image dataUS/global infrastructure; provider DPA/SCCs where applicable
VercelApplication hosting, serverless runtime, deployment platform, Vercel Analytics, BotID/security services, Workflows, Vercel Blob file storage, AI Gateway routing, and AI usage reportingApplication data, files, attachments, logs, IP addresses, user agents, diagnostics, website analytics, AI Input and AI Output routed through Gateway, AI usage metricsUS/global infrastructure; provider DPA/SCCs where applicable
Vercel AI Gateway model providers, including OpenAI when configuredAI model inference for Smart Rewrite, Tone Monitor, Smart Review, Help Assistant, and related AI-assisted featuresPrompts, selected Customer Data, AI Context, AI Output, feature metadata, model/provider metadata, usage metadataProvider and location depend on the configured model and Gateway route; legal should confirm current production model providers and provider-specific terms
Neon or configured PostgreSQL providerDatabase hostingApplication database records, including Customer Data stored in the ServicesRegion depends on database configuration; provider DPA/SCCs where applicable
StripePayments, subscriptions, checkout, billing portal, refunds, fraud prevention, and payment-related complianceBilling/customer/payment metadata, billing contact details, customer identifiers, subscription metadata, transaction metadata; full card numbers are handled by StripeStripe may act as processor and independent controller depending on activity; provider DPA/SCCs where applicable
Amazon Web Services / Amazon SES SMTPTransactional email delivery and related email infrastructureEmail addresses, sender data, invoice/support/OTP/document notification email content, delivery metadataUS/global infrastructure; provider DPA/SCCs where applicable
Slack / SalesforceInternal support, help, abuse-report, and operational notifications where usedSupport request metadata, help request content, abuse report metadata, operational alerts, limited account or organization context included in notificationsUS/global infrastructure; provider DPA/SCCs where applicable
Google or other social identity providers selected through ClerkOptional OAuth or social sign-inIdentity provider profile data, email, avatar, authentication metadataUser-selected third-party service; provider terms and privacy notices may apply

Subprocessors may process personal information only as needed to provide contracted services to us and are not authorized to use Customer Data for their own marketing.

Customers that need processor terms for Customer Data can review our Data Processing Agreement: /dpa.

9. Cookies and Similar Technologies

We use cookies and similar technologies for:

We use Vercel Web Analytics to understand aggregated page views and service usage. Vercel Web Analytics is designed to provide aggregate statistics without using third-party cookies or identifying individual visitors across websites.

We do not currently use cookie banners, marketing trackers, or advertising pixels on our websites. If we add non-essential tracking technologies in the future, such as advertising pixels or marketing analytics tools, we will update this Policy and request consent where required.

Where required by law, we request consent before setting non-essential cookies or using non-essential tracking technologies. You can control cookies through your browser settings, but some features may not work without essential cookies.

10. Data Retention, Export, and Deletion

We retain personal information for as long as reasonably necessary for the purposes in this Policy, including to provide the Services, maintain business records, resolve disputes, enforce agreements, meet legal, accounting, tax, and compliance obligations, and protect the Services.

Retention periods vary based on the type of information, account status, organization settings, legal requirements, backup cycles, security needs, and whether information is Customer Data controlled by an organization. Our current retention schedule is:

CategoryExamplesTypical retention periodDeletion or review process
Account and profile recordsName, email address, phone number, profile settings, communication preferences, account status, organization membershipsWhile the account is active; after account deletion, personal profile data is deleted or anonymized except limited records needed for security, audit, legal, or enforcement purposesUsers may delete their account in the product, subject to organization-owner transfer or deletion requirements
Organization workspace dataClients, contacts, projects, jobs, services, time entries, expenses, notes, invoice and estimate records, attachments, branding, and settingsWhile the organization is active; after organization deletion, the organization is held for a 90-day recovery/export period before final cleanupAuthorized users may export data before deletion; final cleanup runs through the organization deletion workflow
Invoice, estimate, payment, tax, and accounting recordsIssued invoices, estimates, payment history, ledger entries, tax settings, billing addresses, tax IDs, subscription and Stripe metadataWhile needed to provide the Services, process payments, support active organizations, resolve disputes, handle chargebacks, maintain security, or comply with our legal obligationsReviewed for service, payment, chargeback, dispute, security, audit, and legal needs before deletion or anonymization
Generated organization data exportsExport job metadata, export files, attachment packages, and download recordsExport download availability expires after 7 days; export records are otherwise retained with the organization until deleted or cleaned upExpired exports are no longer downloadable; organization deletion removes export records during final cleanup
AI-assisted feature recordsAI Input, AI Output that users save or apply, AI review findings, prompt metadata, feature tags, model/provider metadata, token or request counts, errors, latency, spend metrics, and user actions on AI resultsSaved AI Output is retained with the related Customer Data; AI usage metadata and review findings are retained as needed for billing, limits, security, troubleshooting, product operations, and audit history; third-party provider retention depends on provider/model/Gateway configurationUsers should not submit sensitive personal information to AI-assisted features unless lawful, necessary, and appropriate
Uploaded files and attachmentsReceipts, invoice attachments, estimate attachments, organization logos, banners, profile images, and support screenshotsWhile the related account, organization, invoice, estimate, expense, or support matter is active; after deletion according to the related record’s workflowUsers may delete supported files in the product where deletion is available; some files may be retained if tied to finalized business records
Support, privacy, and abuse-report recordsSupport messages, privacy requests, screenshots, abuse reports, investigation notes, and operational follow-upWhile needed to respond and generally up to 3 years after the last interaction, unless a longer period is needed for legal, security, or dispute reasonsReviewed when a matter closes or when a valid privacy request is received
Security, anti-abuse, and rate-limit recordsIP addresses, user agents, security events, rate-limit events, abuse-limit counted events, and denied-action audit recordsAbuse-limit counted events are retained for 30 days; abuse-limit denial audit records are retained for 180 days; other security records are retained as needed to protect the ServicesAutomated cleanup removes expired abuse-limit records; other security records are reviewed based on risk and operational need
Audit logs and workflow historyOrganization, billing, export, deletion, permission, status, invoice, estimate, and payment historyWhile the organization is active and for any additional period needed for audit, dispute, compliance, security, or legal purposesDeleted or anonymized when no longer needed, unless retained for legal, accounting, tax, security, or dispute purposes
Short-lived access and verification recordsOTP codes, invitation links, email-change tokens, share links, session and security tokensTokens, codes, and links expire according to product settings, typically within minutes to days depending on the workflowExpired, used, revoked, or superseded records may be deleted, invalidated, or retained briefly for security auditing
Website analytics and diagnosticsAggregated page views, usage diagnostics, logs, and performance informationRetained while useful for product operations, reliability, security, and service improvementReviewed periodically and deleted or aggregated when no longer needed
Backups and provider logsDatabase backups, infrastructure logs, email delivery logs, storage provider logs, and subprocessor operational recordsRetained according to our operational needs and provider backup/log cyclesRemoved through provider retention cycles; restored backups remain subject to this Policy and applicable deletion workflows

Customers are responsible for exporting and retaining copies of their own invoices, estimates, accounting records, tax records, and related business records for their tax, accounting, legal, and recordkeeping needs. We may retain information longer only if needed for our legal obligations, security investigations, fraud prevention, abuse investigations, dispute resolution, chargebacks, enforcement of agreements, or legal holds. When we no longer need personal information, we delete, anonymize, or otherwise place it beyond active use where appropriate.

11. Security

We use reasonable administrative, technical, and physical safeguards designed to protect personal information. These safeguards may include authentication controls, organization permissions, private file handling, secure document links, OTP flows, audit logs, monitoring, rate limits, and access controls. No method of transmission or storage is completely secure.

12. Automated Processing and Artificial Intelligence

We use automated processing to operate and protect the Services, including authentication checks, workspace permission checks, subscription entitlement enforcement, rate limits, abuse detection, document access controls, security suspensions, audit logging, reminders, recurring invoice workflows, and data export/deletion task queues.

We also provide AI-assisted features that may draft, rewrite, summarize, review, or analyze business content and product-help questions. These features may include Smart Rewrite, Tone Monitor, Smart Review, Help Assistant, AI Context, and similar features. Depending on the feature, AI processing may include invoice or estimate text, time entries, expenses, client/project/organization context, dispute replies, estimate question replies, custom notification HTML, selected records, help questions, and related metadata.

AI requests may be routed through Vercel AI Gateway and configured third-party AI model providers. Billable Hub does not use Customer Data to train its own general-purpose AI models. Third-party AI provider handling of AI Input and AI Output, including retention, logging, abuse monitoring, and training, depends on the provider, model, route, plan, contract, and Gateway configuration. We may use available Gateway or provider settings intended to limit prompt retention or prompt training where supported.

AI output may be inaccurate, incomplete, outdated, offensive, duplicative, non-unique, or unsuitable for your purpose. Users are responsible for reviewing AI output before using, sending, publishing, saving, or relying on it. AI output is not legal, tax, accounting, financial, collection, compliance, security, or other professional advice.

We do not use automated processing or AI-assisted features to make legal or similarly significant decisions about you without appropriate review where required by law.

13. International Transfers

Your information may be processed in countries other than your own. Where required, we use appropriate safeguards for cross-border transfers, such as data processing agreements, Standard Contractual Clauses, and similar transfer mechanisms.

14. Your Rights

Depending on your location, you may have rights to:

15. Privacy Requests

To exercise privacy rights, submit a privacy request through our contact form: /contact?topic=privacy.

You may also email support@billablehub.com with the subject line “Privacy Request.” We may need to verify your identity before completing a request. If your request concerns Customer Data controlled by an organization, we may direct you to that organization or work with the organization to respond.

We aim to respond to privacy requests without undue delay and, where GDPR or UK GDPR applies, within 1 month unless an extension is permitted by law.

16. U.S. State Privacy Notices

If you are a resident of a U.S. state with privacy laws (for example, California, Colorado, Virginia, Connecticut, or Utah), you may have additional rights under applicable law. We will honor verified requests as required.

For California residents, this may include the right to know/access, delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and non-discrimination for exercising privacy rights. We do not sell personal information for money or knowingly share personal information for cross-context behavioral advertising.

The categories of personal information we collect, sources, purposes, disclosures, and retention criteria are described in this Policy.

17. Sensitive Personal Information

Some information entered into the Services may be considered sensitive personal information under applicable law, such as account login information, tax identifiers, payment metadata, precise content of communications, or information users choose to include in attachments, notes, invoice comments, support requests, disputes, or AI prompts. We use sensitive personal information only as reasonably necessary to provide, secure, support, and improve the Services, comply with law, prevent abuse, and fulfill other purposes described in this Policy. Do not submit sensitive personal information to AI-assisted features unless it is lawful, necessary, and appropriate for your use of the Services.

18. Communications

We may send transactional and service communications, such as account notices, OTP codes, invitations, invoice and estimate emails, reminders, support replies, billing notices, security alerts, and legal updates. You may be able to manage some communication preferences in the Services. Essential transactional, security, and legal notices may still be sent where necessary.

19. Aggregated or De-Identified Information

We may create aggregated or de-identified information from Service usage and Customer Data. We may use this information for analytics, product improvement, security, reporting, and other lawful business purposes, provided it does not identify you.

20. Children’s Privacy

The Services are not directed to children under 13 (or older age where required by local law). We do not knowingly collect personal information from children.

The Services may contain links to third-party websites or tools. We are not responsible for their privacy practices.

22. Changes to This Policy

We may update this Privacy Policy periodically. The updated version is effective when posted with a revised Effective Date.

23. Contact

Privacy questions or requests: /contact?topic=privacy
General support: support@billablehub.com
Mail: Billable Hub, Weatherford, TX