Privacy Policy
Last updated: 4 May 2026
Billu SRL ("we", "the Controller") is committed to protecting your personal data and processing it in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (GDPR) and applicable national legislation. This policy describes what data we collect, why, how we use it, and what rights you have.
1. Who we are
- Name: Billu SRL
- Address: Str. Cluj nr. 7, Timisoara, Romania
- Registration: J35/1283/27.03.2024 / VAT 49842834
- Email: suport@billyou.ro
- Phone: +40 732 333 399
2. What data we collect
We collect personal data for the following purposes, with the legal bases and recipients listed below:
| Purpose | Data categories | Legal basis (GDPR art. 6) | Recipients |
|---|---|---|---|
| Providing the invoicing service | First name, last name, email, company data (CUI, J), invoice data | Art. 6(1)(b) - performance of contract | Internal team, ANAF (via SPV) |
| Subscription billing | Billing data, tokenized card data, transactions | Art. 6(1)(b) - performance of contract | Payment processor (Stripe / Netopia) |
| Service communications and support | Email, name, request history | Art. 6(1)(b) - performance of contract | Internal support platform |
| Marketing and promotional communications | Email, in-app behavior | Art. 6(1)(a) - consent | Email marketing platform (with your consent) |
| Product analytics and improvement | Anonymized usage data, in-app events | Art. 6(1)(f) - legitimate interest | Analytics tooling (anonymized) |
| Legal and tax compliance | Accounting data, invoices, financial documents | Art. 6(1)(c) - legal obligation | Tax authorities (on request) |
3. Retention periods
We keep your data only for as long as necessary for the processing purpose or as required by law:
| Data category | Retention period |
|---|---|
| Account and profile data | 3 years from account closure |
| Tax documents (invoices, receipts) | 5 years |
| Marketing data (with consent) | Until consent is withdrawn |
| Anonymized analytics data | 24 months |
| Security logs | 12 months |
4. International transfers
Some of our service providers (e.g. payment processors, analytics tooling) may be located outside the European Economic Area. In those cases we ensure transfers happen with appropriate safeguards (Standard Contractual Clauses approved by the European Commission or equivalent), in line with art. 46 GDPR.
5. Data security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, modification, disclosure, or destruction. These include encryption in transit and at rest (TLS 1.2+, AES-256), two-factor authentication, continuous infrastructure monitoring, and automated daily backups stored redundantly.
6. AI Assistant Connectors (Claude, ChatGPT)
Billyou offers an optional Connector that lets you query your Billyou data from inside an AI assistant: currently Anthropic's Claude (claude.ai, Claude Desktop, Claude API) and OpenAI's ChatGPT. The connector is built on the open Model Context Protocol (MCP) and is opt-in: it does nothing until you connect it from the AI assistant's settings.
What gets sent to the AI assistant. When you ask the assistant a question that requires Billyou data, it calls one of our defined tools (e.g. list invoices, find invoice by serial number) and we return the requested data. Only the data needed to answer your specific question is returned, scoped to the single Billyou organization you authorized. The assistant then includes that data in its reply to you.
What we send. Tool responses contain the same data you would see in the Billyou dashboard for the requested view: invoice fields (serial number, client, line items, totals, payment status, e-factura status), client records (name, CUI/CNP, address, contact details), payment records, and configured invoice numbering series. Nothing is sent on your behalf without an explicit request from the assistant in response to a prompt you typed.
What is NOT sent.
- Other organizations you belong to are never queryable from a single connector instance. The connector binds to exactly one organization at the moment you authorize it (using the standard OAuth 2.0 authorization code flow with PKCE, against our identity provider Kinde). To use Billyou data from a second organization, you must connect the connector a second time with that organization's credentials.
- Sensitive system fields are stripped from responses: API keys, internal user IDs not tied to your account, and other operator-only metadata.
- The connector is read-only at launch. It cannot create, edit, send, cancel, or delete invoices, payments, expenses, or e-factura submissions. Future write capabilities will be opt-in per organization, behind a paid-tier feature flag, and will require explicit confirmation in the assistant for destructive operations.
Data the AI provider receives. When the assistant calls a tool, the request is routed through the AI provider's infrastructure (Anthropic for Claude, OpenAI for ChatGPT). How these providers handle the data once they receive it, including whether it is used for model training, how long it is retained, and the conditions under which it may be disclosed, is governed by your plan with that provider (Free, Pro, Team, Enterprise, API) and your account settings, per Anthropic's or OpenAI's official privacy policy. On business plans, both providers publicly state that customer data is not used for training by default; on consumer plans there are settings you can review in your account. Billyou does not control and cannot guarantee how the data is handled once it leaves our infrastructure. We recommend reviewing the AI provider's privacy policy and your account settings before using the connector.
Audit log.
Every connector tool invocation is logged on our side to a dedicated
mcp_tool_traces collection. We record: the connector instance (one row per
organization), the user identifier from your Kinde session, the tool name, the parsed
parameters (with secrets redacted, see below), the timing, the outcome (success or
specific error class), and a request correlation identifier. We retain this log for
90 days, then auto-delete it. The retention is the minimum we believe necessary to
debug operational issues and respond to incident-response queries. You can review your
organization's last 50 connector actions in Settings, MCP Activity, in the Billyou
dashboard.
Argument redaction.
Before any tool argument is logged, we apply the following redaction rules: any field
whose name matches password, secret, token, or
apiKey (case-insensitive) is replaced with <redacted>;
any string longer than 2 KB is truncated; idempotency keys are replaced with
<redacted>. These rules are applied at two layers (the MCP server
and the storage layer) as defense in depth.
Disconnecting the connector. You can revoke connector access at any time:
- Inside Claude or ChatGPT, remove the Billyou connector from your assistant settings. The OAuth refresh token is invalidated immediately.
- Inside Billyou (Settings, Active Sessions, MCP), revoke the session at the source. After revocation the assistant will be challenged for fresh authentication on the next call and will fail until you re-authorize.
Disconnecting does not delete the audit log entries from the past 90 days; those auto-delete on the standard schedule.
Subprocessors specific to the connector. In addition to our regular subprocessors listed above:
- Anthropic PBC (USA): receives tool inputs and outputs to generate Claude assistant replies, when you connect via Claude.
- OpenAI (USA): receives tool inputs and outputs to generate ChatGPT assistant replies, when you connect via ChatGPT.
Both providers are bound by their respective Data Processing Agreements with you, accepted at the moment you signed up for their service. Billu SRL does not have a contractual relationship with the AI provider on your behalf; your existing Anthropic / OpenAI account governs the AI-side data handling.
Your rights. All rights described elsewhere in this policy (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) apply equally to data flowing through the connector. To exercise them, contact suport@billyou.ro.
7. Your rights
As a data subject, you have the following rights under GDPR:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can request correction of inaccurate or incomplete data.
- Right to erasure: you can request deletion of your data, under the conditions set by GDPR.
- Right to restriction of processing: you can request limited processing in certain situations.
- Right to portability: you can receive your data in a structured, machine-readable format.
- Right to object: you can object to processing based on legitimate interest or for direct marketing.
- Right to lodge a complaint: you can complain to the National Supervisory Authority for Personal Data Processing (ANSPDCP) at anspdcp.eu.ro.
To exercise any of these rights, send a written request to suport@billyou.ro. We respond within 30 calendar days.
8. Cookies and similar technologies
We use technical cookies necessary for the Platform to function (session, authentication, preferences). Optionally, with your consent, we use analytics cookies to understand how the Platform is used. You can manage cookie preferences in your browser settings or via the consent banner shown on first visit.
9. Changes to this policy
We reserve the right to amend this Privacy Policy. In case of significant changes, you will be notified by email or through a visible announcement on the Platform, at least 15 days before the changes take effect. We encourage you to review this page periodically.
10. Contact
For any question about how we process your data, you can contact us:
- Email: suport@billyou.ro
- Phone: +40 732 333 399
- Address: Billu SRL, Str. Cluj nr. 7, Timisoara, Romania