# 1. Introduction
Billinox ("Billinox", "we", "our", or "us") provides an offline-first invoicing and billing platform for small and medium businesses. This Privacy Policy explains what information we collect, how we use it, the legal bases we rely on, and the rights you have over your data.
# 2. Data We Collect
To deliver and improve Billinox, we may collect the following categories of data:
- Account data: name, email address, password hash, and preferred language.
- Business information: company name, tax ID, logo, and contact details you choose to add.
- Billing details: subscription plan, invoices issued to you by Billinox, and payment metadata processed by our payment partners.
- Device information: device model, operating system, browser, and language for compatibility and security.
- Usage analytics: aggregated, pseudonymous events used to improve performance and detect crashes.
- Customer & invoice data (local): records you create about your customers, invoices, quotations, and payments. This data lives on your device.
- Backup metadata: when cloud backups are enabled, we store encrypted backup blobs and metadata such as timestamps and device IDs.
# 3. Legal Basis for Processing (GDPR)
Under the GDPR, we rely on the following lawful bases:
- Consent — for optional features such as cloud backups, marketing emails, and non-essential analytics.
- Contract — to provide the Billinox service, process subscriptions, and deliver support.
- Legal obligation — to comply with tax, accounting, and regulatory requirements.
- Legitimate interests — to secure our service, prevent fraud, and improve product quality, balanced against your rights.
# 4. Your Rights
You have the following rights regarding your personal data:
- Right to access your personal data.
- Right to rectification of inaccurate data.
- Right to erasure (the right to be forgotten).
- Right to data portability in a structured, machine-readable format.
- Right to object to certain forms of processing.
- Right to restrict processing while a request is reviewed.
- Right to withdraw consent at any time, without affecting prior processing.
You can exercise these rights from your account settings or by contacting privacy@billinox.com. We respond within 30 days.
# 5. Nigeria NDPA Compliance
Billinox complies with the Nigeria Data Protection Act 2023 (NDPA) and applicable guidance from the Nigeria Data Protection Commission (NDPC).
- Data subjects in Nigeria have rights equivalent to those described above.
- Cross-border transfers are performed only to jurisdictions with adequate protection or under appropriate safeguards such as standard contractual clauses.
- We apply technical and organizational security measures proportionate to risk.
- You may file a complaint with the NDPC if you believe your rights are violated.
# 6. EU Digital Services Act Transparency
In line with the EU Digital Services Act (DSA), Billinox provides the following transparency commitments:
- We do not use automated decision-making that produces legal effects on users without human review.
- Where automated systems are used (e.g. fraud detection), users may request human review.
- Users can report illegal content or abuse via abuse@billinox.com.
- Complaints are acknowledged within 48 hours and resolved within a reasonable timeframe.
# 7. Security
We protect your data with layered safeguards:
- Local-first architecture: business data stays on your device by default.
- Encryption in transit (TLS 1.2+) and at rest for cloud backups (AES-256).
- Authentication protections including hashed passwords, optional 2FA, and session controls.
- Backup integrity checks and per-device key derivation for cloud sync.
- Continuous monitoring, vulnerability scanning, and least-privilege access for staff.
# 8. Data Retention
We retain personal data only for as long as necessary to provide the service and meet legal obligations.
- Account data: retained while your account is active and 90 days after closure.
- Cloud backups: retained based on your plan; typically 30–365 days unless deleted earlier.
- Billing records: retained for up to 7 years to meet tax and accounting requirements.
- Analytics events: aggregated and retained for up to 24 months.
# 9. Third-Party Processors
We work with vetted sub-processors for hosting, payments, email, and analytics. A current list is available on request. All processors are bound by data processing agreements and, where applicable, standard contractual clauses.
# 10. Children's Data
Billinox is intended for businesses and is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, please contact us so we can remove it.
# 11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the app and via email at least 14 days before they take effect.
# 12. Contact Us
For privacy questions, requests, or complaints, please contact our DPO:
- Email: privacy@billinox.com
- Postal: Billinox Legal, Attn: Data Protection Officer
- Response time: within 30 days for GDPR / NDPA requests.