Privacy Policy

How HoneyBill collects, uses, and protects personal data when you use honeybill.ai and our service.

Last updated: 29 April 2026

1. About this Policy

This Privacy Policy explains how HoneyBill collects, uses, shares, and protects personal data when you use our website at honeybill.ai or our service.

We take privacy seriously. This policy is written to be readable; we have avoided unnecessary legalese where we can. If anything is unclear, contact us at legals@honeybill.ai.

This policy applies to:

  • Visitors to our website
  • People who create an account on HoneyBill
  • People who contact us via email

It does not cover the personal data of your clients or customers that you upload into HoneyBill. For that data, you act as the data controller and we act as the data processor on your behalf, governed by our Data Processing Addendum (available on request from legals@honeybill.ai).

2. Who We Are (Data Controller)

The data controller for personal data collected through HoneyBill is:

BIG GOFER LTD
Company number: 14561573
Registered office: 71-72 Shelton Street, London, WC2H 9JQ, United Kingdom

For privacy queries: legals@honeybill.ai

3. What Personal Data We Collect

We collect the following categories of personal data:

Information you provide when you create an account:

  • Name
  • Email address
  • Business name (if applicable)
  • Password (stored hashed)
  • Profile preferences (currency, time zone, branding)

Information you provide when you use the service:

  • Invoice content you create
  • Customer details you upload (which we process on your behalf as data processor)
  • Time entries, project notes, and contracts you upload
  • Voice or text input to HoneyAI features

Information collected automatically:

  • Usage data (pages visited, features used, errors encountered)
  • Device and browser information
  • IP address (for security and analytics)
  • Cookie data (see Cookies Policy)

Information from third-party integrations:

  • When you connect Gmail or Outlook: account email, OAuth tokens, and the metadata required to send emails on your behalf
  • When you connect Stripe: account identifier, payout configuration, and transaction data needed to display payments

Payment information:

For subscription billing, payment data is handled by Stripe. We do not store your card details on our servers.

We do not knowingly collect special category data (such as health or biometric data) and ask that you do not upload it.

4. How We Collect Personal Data

  • Directly from you when you create an account, send us an email, or use the service
  • Automatically when you interact with our website or app
  • From third parties when you authorise integrations (Gmail, Outlook, Stripe)
  • From service providers (such as analytics or error monitoring tools)

5. Lawful Basis for Processing

Under the UK GDPR, we rely on the following lawful bases:

Purpose | Lawful basis
Providing the Service to you | Performance of a contract
Billing and payment | Performance of a contract
Customer support | Performance of a contract / legitimate interests
Improving the Service | Legitimate interests
Marketing communications (only if you have opted in) | Consent
Security and fraud prevention | Legitimate interests / legal obligation
Compliance with legal obligations (tax, accounting) | Legal obligation

Where we rely on legitimate interests, we have considered the impact on your rights and concluded that our interest in operating and improving the Service does not override your rights.

6. How We Use Your Personal Data

We use personal data to:

  • Create and manage your account
  • Provide and operate the Service
  • Process payments and manage billing
  • Send transactional emails (such as receipts, password resets, account notifications)
  • Respond to support requests
  • Improve and develop the Service
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not sell your personal data. We do not use the content of your invoices or AI prompts to train any AI model.

7. Sharing and Subprocessors

We share personal data only with the following categories of recipients:

Subprocessors (service providers operating on our behalf)

Provider | Purpose | Data location
Hetzner Online GmbH | Service hosting and storage | Nuremberg, Germany (EU)
Stripe Payments Europe Ltd | Payment processing | Ireland (EU) primary, with US transfers under SCCs
OpenAI, L.L.C. | HoneyAI features (invoice generation) | United States, with EU SCCs in place
Google LLC | HoneyAI features (Gemini model) | United States / EU, with SCCs in place
Resend Inc. | Transactional email delivery | Ireland (EU), eu-west-1 region

We have data processing agreements in place with each subprocessor and only share the minimum data necessary for them to perform their service.

If we add new subprocessors in future (such as analytics or error monitoring tools), we will update this list.

Other recipients

  • Authorities: where required by law, court order, or to protect our rights or those of others
  • Acquirers: in the event of a merger, acquisition, or sale of assets, with appropriate confidentiality protections

8. International Transfers

Our primary infrastructure is hosted in Germany (EU), and we aim to keep your personal data within the UK or EEA wherever possible.

Some of our subprocessors process data outside the UK and EEA, including in the United States. Where personal data is transferred outside the UK or EEA, we use one or more of the following safeguards:

  • The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum
  • A country with an adequacy decision by the UK government or European Commission
  • Other lawful transfer mechanisms permitted under UK GDPR

For more information about our transfer mechanisms, contact legals@honeybill.ai.

9. Data Retention

We retain personal data for as long as needed to provide the Service and to comply with our legal and regulatory obligations.

Data type | Retention period
Account data (while account is active) | Until account is deleted
Account data (after account deletion) | Up to 30 days, then permanently deleted (other than what we are required to retain)
Billing and tax records | 6 years (UK statutory requirement)
Support correspondence | 3 years
Anonymised usage data | Indefinitely (no longer personal data)

You can request earlier deletion at any time, subject to our legal retention obligations.

10. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Access: request a copy of the personal data we hold about you
  • Rectification: ask us to correct inaccurate or incomplete data
  • Erasure ("right to be forgotten"): ask us to delete your personal data, subject to limits set by law
  • Restriction: ask us to limit how we process your data in certain circumstances
  • Portability: receive your data in a structured, machine-readable format and transmit it to another controller
  • Objection: object to processing based on legitimate interests, including for direct marketing
  • Withdraw consent: where we rely on consent, you can withdraw it at any time
  • Lodge a complaint: with the Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these rights, contact us at legals@honeybill.ai. We will respond within one month.

11. Marketing Communications

We will only send you marketing emails if you have opted in. You can unsubscribe at any time using the link in our emails or by contacting us.

We may send you transactional emails (account notifications, billing receipts, security alerts) regardless of marketing preferences, as these are necessary for providing the Service.

12. Children's Data

HoneyBill is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legals@honeybill.ai and we will delete it.

13. Security

We take reasonable measures to protect personal data against loss, misuse, and unauthorised access. These measures include:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and authentication
  • Regular security reviews and patching
  • Vetting of subprocessors

No security measure is perfect. We cannot guarantee absolute security and you use the Service at your own risk.

14. Data Breaches

If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours where required
  • Notify affected users without undue delay where the breach is high risk

You can report a suspected breach to legals@honeybill.ai.

15. Cookies

We use cookies and similar technologies on our website. For details, see our Cookies Policy (honeybill.ai/cookie).

16. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you (such as by email or in-app notice). The "last updated" date at the top will reflect the most recent change.

17. Contact and Complaints

For privacy queries, requests, or complaints:

Email: legals@honeybill.ai
Post: BIG GOFER LTD, 71-72 Shelton Street, London, WC2H 9JQ, United Kingdom

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk