Billora

Privacy Policy

Last updated: May 11, 2026

1. Who we are

Billora (“we”, “us”, “our”) provides an online service that helps organisations collect, organise, and understand supplier invoices and related documents. This Privacy Policy explains how we handle personal information when you use our website, create an account, join an organisation workspace, connect an email account for ingestion, or otherwise interact with Billora.

For data protection purposes, the controller of personal information relating to Billora’s customers and their users is Billora. You can contact us about privacy at hello@billora.com.

2. What personal information we collect

We collect information in the following categories:

  • Account and profile data. When you sign up or sign in, we process your email address, password (stored using industry-standard hashing), and optional profile details such as your name. We use django-allauth-compatible authentication, and may support multi-factor authentication where enabled.
  • Organisation and member data. Billora is built for teams. We process organisation names, membership roles, invitations, and activity needed to operate multi-tenant workspaces and access control.
  • Invoice and document content. When you upload files or connect an email account, we process message metadata, attachments, and extracted fields (for example vendor name, amounts, due dates, invoice numbers) so you can view and manage payables. This may include personal data that appears on invoices or in supplier correspondence.
  • Email connection data. If you connect Google or Microsoft email through our integration, we use Nylas to obtain and maintain a technical authorisation (“grant”) tied to your mailbox so we can read messages and attachments you choose to process. We store identifiers needed for that connection (for example grant IDs and connected email addresses).
  • Billing data. Subscription and payment flows are handled by Paddle (our payment provider). Paddle processes payment details and billing contact information as an independent controller or processor under its own terms and privacy notice. We receive limited billing status, transaction references, and plan information needed to enable or restrict features.
  • Technical and security data. We collect server logs, IP addresses, device and browser signals where needed for security, debugging, and abuse prevention. We also record certain actions in an audit trail (for example who performed an action, when, and for which organisation) to support accountability and investigations.
  • Support and communications. If you email us or use in-product messaging, we retain those communications and related metadata to respond and improve the service.

3. How we use personal information

We use personal information to:

  • Provide, host, and operate Billora (including ingestion, storage, search, and dashboards).
  • Authenticate users, enforce organisation boundaries, and apply subscription or feature limits.
  • Process documents using automated means (for example optical character recognition and structured extraction via AWS Textract) to populate invoice records.
  • Send transactional emails (for example invitations, security notices, billing receipts) using our email delivery provider (for example Resend via Anymail).
  • Maintain security, detect fraud and misuse, and comply with law.
  • Analyse aggregate or de-identified usage to improve reliability and product quality.

4. Legal bases (UK / EEA visitors)

Where UK GDPR or EU GDPR applies, we rely on appropriate legal bases such as: performance of a contract with you or your organisation; our legitimate interests in operating a secure multi-tenant SaaS product (balanced against your rights); consent where we ask for it (for example optional marketing, where offered); and legal obligations.

5. Where we store and process data

Our application and database run on cloud infrastructure you deploy (for example a managed platform and database region you select). Attachments and files are stored in Amazon Web Services S3 in the region configured for your deployment. Some processing (including Textract and related AWS APIs) runs in the AWS region associated with your configuration. Email connectivity may involve processing in the United States or other regions as described in Nylas’s documentation. By using Billora, you acknowledge that limited personal data may be transferred to countries outside your own, where we or our vendors maintain safeguards such as standard contractual clauses where required.

6. Subprocessors and sharing

We share personal information with service providers that help us run Billora, under contractual terms that require them to protect data and use it only on our instructions. These currently include, as applicable to your deployment:

  • Nylas — email connectivity, message and attachment access for ingestion.
  • Amazon Web Services — object storage (S3) and document analysis (Textract).
  • Paddle — checkout, subscriptions, tax, and payment compliance.
  • Resend (or another provider configured via Anymail) — transactional email delivery.
  • Hosting provider — application runtime and database (for example Railway, or your chosen cloud).

We may also disclose information if required by law, to protect rights and safety, or as part of a merger or asset sale (with notice where appropriate).

7. Retention

We keep personal information only as long as needed for the purposes above, including legal, accounting, and dispute-resolution needs. Organisation owners can request deletion workflows consistent with our product capabilities; some records may be retained in backups for a limited period before automatic expiry. Aggregated statistics may be retained without identifying you.

8. Security

We use administrative, technical, and organisational measures appropriate to the sensitivity of invoice and account data, including encryption in transit (HTTPS), access controls for staff and systems, tenant isolation in the application layer, and audit logging for significant actions. No method of transmission or storage is 100% secure; if you believe your account is compromised, contact us promptly.

9. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or export personal information, and to object to certain processing. You may withdraw consent where processing is consent-based. You may lodge a complaint with your local supervisory authority.

To exercise rights, contact hello@billora.com. We may need to verify your identity and, where data is controlled by your organisation, route certain requests through an administrator.

10. Children

Billora is not directed at children under 16. We do not knowingly collect personal information from children.

11. Changes

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date. Where changes are material, we will provide additional notice as appropriate (for example by email or in-product notice).

12. Contact

Questions about this policy: hello@billora.com