Privacy Policy

Last Updated: January 28, 2025

Note: This legal document is available in English only. For legal clarity and consistency, we maintain our Privacy Policy exclusively in English.

1. Introduction

KlarBill ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered invoice processing and data extraction service ("Service").

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws. By using the Service, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Information You Provide

Account Information:

  • Name and email address
  • Password (hashed using industry-standard bcrypt)
  • Language preference (English, German, French, Spanish)
  • Company information (optional)
  • Business tax identification number (optional)

Invoice Data:

  • Invoice documents uploaded in various formats (PDF, JPEG, PNG, TIFF, BMP, GIF)
  • Extracted invoice information (vendor names, amounts, dates, line items, tax details)
  • Manual corrections and edits you make to extracted data
  • Invoice categories, tags, and custom fields
  • Invoice approval status and payment tracking information

Payment Information:

  • Payment information is processed securely by Paddle (our payment processor)
  • We do not store your credit card details on our servers
  • We receive transaction confirmations, subscription status, and billing history from Paddle
  • Billing address and tax information for invoice generation

2.2 Automatically Collected Information

Usage Data:

  • Number of invoices processed and extraction success rates
  • AI confidence scores and data quality metrics
  • Feature usage statistics and workflow patterns
  • Export activities and accounting software integrations
  • Session duration and interaction frequency
  • Login timestamps and access history

Technical Data:

  • IP address and approximate geographic location
  • Browser type, version, and language settings
  • Device information (type, operating system, screen resolution)
  • Referring URLs and navigation patterns within the Service
  • Performance metrics and error logs
  • Connection information and network data

Cookies and Tracking Technologies:

  • Essential session cookies (required for functionality)
  • Authentication and security tokens
  • User preference cookies (language, theme, dashboard layout)
  • Analytics cookies (optional, requires your explicit consent)
  • CSRF protection tokens

3. How We Use Your Information

3.1 Service Provision

  • Process invoice documents using Google Cloud Document AI for automated data extraction
  • Validate, categorize, and organize extracted invoice data
  • Store invoice documents securely in Google Cloud Storage
  • Generate analytics, insights, and financial reports
  • Enable export functionality to accounting software (QuickBooks, Xero, CSV)
  • Provide search, filtering, and document management capabilities
  • Support multi-currency conversions and tax calculations

3.2 Account Management

  • Create and maintain your user account
  • Authenticate your identity and secure your sessions
  • Manage subscription plans and billing operations
  • Send service-related notifications (processing updates, system alerts)
  • Provide customer support and technical assistance
  • Enable password resets and account recovery
  • Manage user preferences and settings

3.3 Service Improvement

  • Analyze usage patterns to enhance features and user experience
  • Monitor system performance, reliability, and processing accuracy
  • Detect and prevent fraud, abuse, and security threats
  • Improve AI model accuracy using aggregated, anonymized data
  • Conduct internal research and development
  • Test new features and optimizations
  • Identify and fix bugs and technical issues

3.4 Communication

  • Send transactional emails (invoice processing confirmations, password resets, billing updates)
  • Notify you of service changes, new features, or scheduled maintenance
  • Send marketing communications (with your explicit consent, unsubscribe option always available)
  • Respond to your support requests, inquiries, and feedback
  • Conduct user surveys and request product feedback
  • Provide educational content and usage tips

3.5 Legal Compliance and Protection

  • Comply with applicable laws, regulations, and legal obligations
  • Enforce our Terms of Service and other agreements
  • Protect our rights, property, and safety
  • Protect the rights and safety of our users and the public
  • Respond to lawful requests from authorities and legal processes
  • Resolve disputes and investigate complaints
  • Maintain records required by tax and accounting regulations

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you've subscribed to, including invoice processing, data extraction, and account management
  • Consent: Where you've given explicit consent (e.g., marketing emails, optional analytics cookies, newsletter subscriptions)
  • Legitimate Interests: For service improvement, fraud prevention, system security, business analytics, and customer support
  • Legal Obligation: To comply with applicable laws, regulations, tax requirements, and lawful requests from authorities

You may withdraw consent at any time through your account settings without affecting the lawfulness of processing based on consent before withdrawal.

5. How We Share Your Information

5.1 Third-Party Service Providers

We share data only with trusted third parties who help us provide and improve the Service:

Google Cloud Platform:

  • Document AI: Processes invoice documents for automated data extraction using advanced OCR and machine learning
  • Cloud Storage: Stores invoice files securely in private, encrypted storage buckets
  • Purpose: Core service functionality for invoice processing and storage
  • Data shared: Invoice documents, extracted data, and processing metadata
  • Security: Data encrypted in transit and at rest with access controls and monitoring
  • Privacy Policy: Google Cloud Privacy

Paddle:

  • Purpose: Payment processing, subscription management, and billing operations
  • Data shared: Name, email, subscription details, billing information, and transaction history
  • Security: PCI DSS compliant payment processing with industry-standard security
  • Privacy Policy: Paddle Privacy Policy

Sentry:

  • Purpose: Error tracking, monitoring, and performance diagnostics
  • Data shared: Error logs, stack traces, user IDs, and technical diagnostics (no invoice content or sensitive business data)
  • Security: Data anonymized where possible with secure transmission
  • Privacy Policy: Sentry Privacy Policy

Email Service Provider:

  • Purpose: Transactional emails, notifications, and customer communications
  • Data shared: Email address, name, and message content
  • Security: Encrypted transmission with authentication protocols

5.2 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information, invoice data, or business information to third parties for marketing or any other purposes. Your business data remains confidential and is used solely to provide the Service to you.

5.3 Legal Requirements and Protection

We may disclose your information when required by law, court order, government request, or legal process, or when necessary to:

  • Comply with legal obligations and regulatory requirements
  • Enforce our Terms of Service and other agreements
  • Protect our rights, property, and safety
  • Protect the rights, property, and safety of our users and the public
  • Detect, prevent, or address fraud, security incidents, or technical issues
  • Respond to emergency situations involving danger of death or serious physical injury

5.4 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will:

  • Provide notice before your data is transferred
  • Inform you if your data becomes subject to a different privacy policy
  • Give you options regarding your data if applicable under law
  • Ensure the acquiring entity honors the commitments in this policy

6. Data Security

We implement comprehensive security measures to protect your data:

6.1 Technical Safeguards

  • Encryption: All data transmitted using HTTPS/TLS 1.3 encryption protocols
  • Secure Storage: Invoice files stored in private Google Cloud Storage buckets with encryption at rest
  • User Isolation: Each user's data is isolated with unique access paths and permissions
  • Password Protection: Passwords hashed using bcrypt with individual salts (never stored in plain text)
  • Two-Factor Authentication: Optional 2FA available for enhanced account security
  • Session Management: Secure session tokens with automatic expiration and refresh mechanisms
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • API Security: Rate limiting, authentication, and authorization for all API endpoints

6.2 Organizational Safeguards

  • Limited access to personal data on a strict need-to-know basis
  • Regular security audits and vulnerability assessments
  • Incident response and breach notification procedures
  • Security awareness and data protection training
  • Secure development practices and code reviews
  • Continuous monitoring for suspicious activities and threats
  • Backup and disaster recovery procedures

6.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours as required by GDPR
  • Provide detailed information about the nature and scope of the breach
  • Inform you of the types of data potentially compromised
  • Explain steps taken to address the breach and prevent future incidents
  • Offer guidance on protecting your account and information
  • Report the breach to relevant supervisory authorities where required by law
  • Provide ongoing updates as the situation develops

7. Data Retention and Deletion

7.1 Active Accounts

We retain your account information and invoice data for as long as your account remains active and you continue to use the Service. This allows you to access your historical data and maintain business continuity.

7.2 Deleted Invoices

  • Soft Deletion: When you delete an invoice, it is soft-deleted (marked as deleted but retained)
  • Recovery Period: Soft-deleted invoices are retained for 30 days to allow recovery in case of accidental deletion
  • Permanent Deletion: After 30 days, deleted invoices are permanently removed from active databases
  • Backup Retention: Deleted invoices may remain in encrypted backups for up to 90 days before complete removal

7.3 Account Closure

When you close your account or we terminate your access, we will:

  • Delete your invoice files from Google Cloud Storage within 30 days
  • Permanently remove invoice documents and extracted data from active systems
  • Anonymize your account data (name, email replaced with generic identifiers like "User_12345")
  • Retain anonymized, aggregated usage statistics for service improvement and analytics
  • Retain billing records and transaction history as required by law (typically 7 years for tax and accounting compliance)
  • Remove your email address from marketing lists and communications

7.4 Legal and Compliance Requirements

We may retain certain data longer if:

  • Required by applicable law or regulation
  • Necessary for tax, accounting, or financial reporting purposes
  • Needed to resolve disputes, enforce agreements, or establish legal defenses
  • Subject to legal hold or ongoing legal proceedings
  • Required to comply with data retention obligations in our jurisdiction

You can request information about specific retention periods by contacting us at inquiries@klarbill.com.

8. Your Privacy Rights

8.1 Rights Under GDPR (EU Residents)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

Right to Access:

You can request a copy of all personal data we hold about you. Access your data anytime through your account settings, or contact us at inquiries@klarbill.com for a complete export in machine-readable format (JSON, CSV).

Right to Rectification:

You can update your account information and correct inaccuracies at any time through the Service interface. For data you cannot edit directly, contact us for assistance.

Right to Erasure ("Right to be Forgotten"):

You can request deletion of your personal data by closing your account or contacting us directly. We will delete your data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, maintaining records for tax compliance).

Right to Data Portability:

You can export your invoice data in standard formats (CSV, JSON, QuickBooks, Xero) at any time through the Service. Contact us for a complete data export including all account information.

Right to Restrict Processing:

You can request that we limit how we use your data while we investigate a complaint, dispute, or verification request.

Right to Object:

You can object to processing based on legitimate interests. You can opt out of marketing communications at any time using the unsubscribe link in emails or through your account settings.

Right to Withdraw Consent:

Where processing is based on consent (e.g., marketing emails, analytics cookies), you can withdraw consent at any time through your account settings. This will not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint:

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights. For Zambia residents, you may contact the Zambia Information and Communications Technology Authority (ZICTA).

8.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

Right to Know:

Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months, including categories and specific pieces of information.

Right to Delete:

Request deletion of personal information we have collected, subject to certain exceptions (e.g., completing transactions, legal compliance, security purposes).

Right to Opt-Out of Sale:

We do not sell personal information. If this practice changes, we will update this policy and provide a clear opt-out mechanism.

Right to Non-Discrimination:

We will not discriminate against you for exercising your privacy rights (e.g., denying service, charging different prices, providing different quality of service).

Authorized Agent:

You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.

8.3 Exercising Your Rights

To exercise any of these rights, contact us at:

Email: inquiries@klarbill.com

Subject Line: "Privacy Rights Request - [Your Request Type]"

We will respond to your request within:

  • GDPR requests: 30 days (may be extended by 60 days for complex requests with notification)
  • CCPA requests: 45 days (may be extended by 45 days with notification)

We may request additional information to verify your identity before processing rights requests. We do not charge a fee for processing rights requests unless they are manifestly unfounded, excessive, or repetitive.

9. International Data Transfers

9.1 Data Processing Locations

Your data may be transferred to and processed in countries outside your country of residence, including:

  • United States: Where Google Cloud Platform and other service providers operate
  • European Union: Where some infrastructure and services are located
  • Zambia: Where our business operations are based

9.2 Safeguards for International Transfers

We ensure adequate protection for international data transfers through:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms with service providers for transfers from EEA to other countries
  • Data Privacy Frameworks: Service providers certified under EU-U.S. Data Privacy Framework where applicable
  • Adequacy Decisions: Transfers to countries deemed adequate by the European Commission (e.g., UK, Switzerland)
  • Additional Safeguards: Technical and organizational measures including encryption, access controls, and security monitoring
  • Service Provider Agreements: Contractual commitments from providers to protect data according to applicable standards

9.3 Your Rights Regarding International Transfers

You have the right to:

  • Obtain information about the safeguards we use for international transfers
  • Request copies of Standard Contractual Clauses (with confidential business information redacted)
  • Object to transfers that you believe do not have adequate safeguards

Contact inquiries@klarbill.com for information about specific transfer mechanisms and safeguards.

10. Cookies and Tracking Technologies

10.1 Essential Cookies (Always Active)

Required for the Service to function properly. These cookies cannot be disabled without affecting functionality:

  • Session Cookies: Maintain your logged-in state during your visit to the Service
  • Authentication Tokens: Verify your identity and protect against unauthorized access
  • Security Cookies: CSRF protection tokens and security features to prevent attacks
  • Preference Cookies: Remember your language selection, theme preference, and interface settings
  • Load Balancing Cookies: Ensure consistent experience and performance

Duration: Most essential cookies expire when you close your browser (session cookies) or after a defined period (typically 30 days for preference cookies).

10.2 Analytics Cookies (Optional - Requires Consent)

Used to understand how you use the Service and improve user experience. These are only activated with your explicit consent:

  • Usage Analytics: Track feature usage, navigation patterns, and user interactions
  • Performance Monitoring: Measure page load times, identify bottlenecks, and optimize performance
  • Conversion Tracking: Understand which features drive value and engagement
  • A/B Testing: Test new features and improvements with user segments

Data Collected: Page views, click events, time on page, feature interactions (all anonymized where possible)

Duration: Typically 1-2 years, depending on the specific analytics cookie

10.3 Managing Cookies

Account Settings: Manage optional analytics cookies in your account preferences under "Privacy & Cookies." You can:

  • Enable or disable analytics cookies at any time
  • View which cookies are currently active
  • Clear all non-essential cookies

Browser Settings: You can control cookies through your browser settings:

  • Block all cookies (may affect Service functionality)
  • Delete existing cookies
  • Set preferences for third-party cookies
  • Receive notifications when cookies are set

Do Not Track (DNT): We respect Do Not Track (DNT) browser signals where technically feasible. When DNT is enabled, we limit data collection to essential functionality only.

10.4 Cookie List

Essential Cookies:

  • session_id - Maintains user session (Session duration)
  • csrf_token - CSRF protection (Session duration)
  • locale - Language preference (1 year)
  • theme - Interface theme (1 year)

Analytics Cookies (Optional):

  • _ga - Google Analytics identifier (2 years)
  • _gid - Google Analytics session (24 hours)
  • _gat - Google Analytics throttling (1 minute)

11. Children's Privacy

Age Restriction: The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16.

Parental Notice: If you are a parent or guardian and believe we have collected information from a child under 16, please contact us immediately at inquiries@klarbill.com.

Our Response: Upon notification, we will:

  • Verify the age of the account holder
  • Promptly delete the child's information from our systems
  • Terminate the account if applicable
  • Take steps to prevent future underage registrations

12. AI and Automated Processing

12.1 AI-Powered Invoice Processing

Our Service uses artificial intelligence, machine learning, and optical character recognition (OCR) to extract data from invoice documents. This processing:

  • Is Automated: AI models process invoice images and PDFs without human intervention
  • Requires Review: You should always review extracted data for accuracy before use
  • Improves Over Time: AI accuracy improves through machine learning (using aggregated, anonymized data)
  • Is Transparent: We display confidence scores to indicate AI certainty about extracted data

12.2 How AI Processing Works

  1. Document Upload: You upload invoice documents to our Service
  2. Google Cloud Document AI: Invoice sent to Google's AI service for processing
  3. Data Extraction: AI identifies and extracts key fields (vendor, amount, date, line items, etc.)
  4. Validation: Extracted data validated against business rules and patterns
  5. Confidence Scoring: Each extracted field receives a confidence score (0-100%)
  6. Human Review: You review and correct extracted data as needed
  7. Learning: Aggregated patterns (not your specific data) may inform AI improvements

12.3 Your Control Over AI Processing

You have complete control over:

  • Which invoices to process: You decide which documents to upload and process
  • Data corrections: Edit and correct any extracted data
  • Approval decisions: Choose whether to accept or reject AI-extracted data
  • Export decisions: Control when and how to export data to accounting systems

12.4 AI Model Training

What we DO:

  • Use aggregated, anonymized data patterns to improve AI accuracy
  • Analyze extraction success rates and common error types
  • Improve field recognition and data validation rules

What we DO NOT do:

  • Use your specific invoice content to train AI models
  • Share your invoice data with other users or third parties
  • Train AI models on your vendor names, amounts, or business relationships
  • Use your data for purposes beyond providing the Service to you

12.5 No Automated Decision-Making with Legal Effect

We do not use automated processing or AI to make decisions that significantly affect you (such as creditworthiness, employment eligibility, or legal rights) without human oversight.

13. Third-Party Links and Integrations

13.1 External Links

Our Service may contain links to third-party websites, services, or resources (e.g., accounting software, payment processors). This Privacy Policy does not apply to those external sites or services.

Your Responsibility:

  • Review the privacy policies of any third-party services you access
  • Understand how external sites collect and use your information
  • Make informed decisions about sharing information with third parties

Our Disclaimer: We are not responsible for the privacy practices, content, or security of third-party websites and services.

13.2 Accounting Software Integrations

When you export data to accounting software (QuickBooks, Xero, etc.):

  • Data is transmitted directly to the accounting platform
  • The receiving platform's privacy policy and terms apply
  • We do not control how the accounting software uses your data
  • Integration connections can be revoked at any time in your account settings

14. Changes to This Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices or service features
  • Legal or regulatory requirements
  • Security or technical improvements
  • User feedback and industry best practices
  • Changes in third-party services we use

14.2 Notification of Changes

For material changes affecting your rights or data use:

  • Email notification to your registered email address at least 30 days in advance
  • Prominent notice on the Service homepage or dashboard
  • In-app notification upon login
  • Update to the "Last Updated" date at the top of this policy

For non-material changes (clarifications, formatting, contact updates):

  • Update to the "Last Updated" date
  • Changes may be implemented without additional notice
  • Always available at https://klarbill.com/privacy

14.3 Review and Acceptance

Your Options:

  • Accept: Continue using the Service after receiving notice (constitutes acceptance)
  • Reject: Cancel your subscription before changes take effect if you disagree
  • Review: Contact us at inquiries@klarbill.com with questions or concerns

Effective Date: Changes become effective 30 days after notification for existing users, or immediately upon acceptance for new users.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

General Inquiries:

Email: inquiries@klarbill.com

Response Time: We aim to respond within 2-3 business days

Privacy Rights Requests:

Email: inquiries@klarbill.com

Subject: Privacy Rights Request - [Your Request Type]

Response Time: Within 30 days (GDPR) or 45 days (CCPA)

Data Protection Officer:

Email: inquiries@klarbill.com

Subject: Attention: Data Protection Officer

Business Address:

KlarBill

Kitwe, Copperbelt Province

Zambia

Supervisory Authority (for EU/EEA residents):

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

16. Additional Information for Specific Regions

16.1 European Economic Area (EEA) and United Kingdom

Our legal basis for processing, your rights, and international transfer safeguards are detailed in Sections 4, 8, and 9 of this policy.

Data Controller: KlarBill is the data controller for your personal information.

EU Representative: For data protection matters in the EU, contact us at inquiries@klarbill.com.

16.2 California (United States)

Additional rights for California residents are detailed in Section 8.2 of this policy.

Shine the Light Law: California residents may request information about sharing personal information with third parties for their marketing purposes. We do not share such information.

California Privacy Rights Act (CPRA): Effective 2023, provides additional rights similar to GDPR.

16.3 Zambia

KlarBill operates under Zambian law and complies with data protection requirements in Zambia.

Local Regulations: We comply with the Electronic Communications and Transactions Act and regulations from the Zambia Information and Communications Technology Authority (ZICTA).

16.4 Other Jurisdictions

We comply with applicable data protection laws in all jurisdictions where we operate. If you have specific questions about compliance in your region, please contact us at inquiries@klarbill.com.

Legal Compliance Statement

This Privacy Policy is designed to comply with:

  • General Data Protection Regulation (GDPR) - EU Regulation 2016/679
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • UK Data Protection Act 2018
  • Electronic Communications and Transactions Act (Zambia)
  • Other applicable international data protection regulations

By using KlarBill, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Effective Date: November 28, 2025

Version: 2.0
