Privacy Policy

Last updated: 9 March 2026

1. Who We Are

QuickBill is a trading name of Cloud Pi Consulting Ltd, a company registered in England and Wales (Company No. 12260282). QuickBill is an invoicing platform for UK freelancers and small businesses. We are the data controller responsible for your personal data.

For data protection enquiries, contact us at: privacy@quick-bill.co.uk

2. What Data We Collect

We collect the following categories of personal data:

Account data

  • Full name and email address (provided on registration)
  • Password (stored as a one-way bcrypt hash — we cannot see your password)
  • Subscription plan and Stripe customer/subscription IDs

Business data

  • Business name, address, and VAT number (optional — used on your invoices)
  • Logo URL and accent colour (Business plan only)
  • Your terms & conditions text

Client data

  • Client names, companies, email addresses, and postal addresses that you enter
  • You are the data controller for your clients' data; we process it on your behalf as a data processor

Invoice data

  • Invoice numbers, line items, amounts, dates, and payment status
  • Timestamps of when invoices were created and sent

Technical data

  • Session tokens (stored as secure, HTTP-only cookies)
  • IP address and browser information (retained in server logs for up to 30 days)

3. How We Use Your Data

Purpose | Legal Basis
Providing the invoicing service | Performance of contract (Art. 6(1)(b) UK GDPR)
Processing subscription payments via Stripe | Performance of contract (Art. 6(1)(b) UK GDPR)
Sending invoice emails to your clients on your instruction | Legitimate interests — acting on your explicit instruction (Art. 6(1)(f) UK GDPR)
Sending invoice payment reminder emails | Legitimate interests — acting on your explicit instruction (Art. 6(1)(f) UK GDPR)
Account security and fraud prevention | Legitimate interests (Art. 6(1)(f) UK GDPR)
Complying with financial and legal obligations | Legal obligation (Art. 6(1)(c) UK GDPR)
Service improvement and debugging (aggregated, anonymised) | Legitimate interests (Art. 6(1)(f) UK GDPR)

4. Cookies

We use the following cookies:

Cookie | Purpose | Duration | Type
next-auth.session-token | Keeps you logged in to QuickBill | Session / 30 days | Strictly necessary
next-auth.csrf-token | Protects against cross-site request forgery | Session | Strictly necessary
qb-cookie-consent | Remembers your cookie notice dismissal | 1 year | Functional

We do not use advertising, tracking, or analytics cookies. The cookies we use are strictly necessary for the service to function and therefore do not require your consent under UK PECR.

5. Data Sharing & Third Parties

We share your data only with the following third parties, and only as necessary:

  • Stripe, Inc. — Payment processing. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy. Stripe may transfer data to the United States; they rely on Standard Contractual Clauses (SCCs) for these transfers.
  • Your SMTP email provider — Invoice emails and reminders are sent via the SMTP credentials you or your administrator configure. We do not share your data with any email marketing platforms.

We do not sell, rent, or share your personal data with any third parties for marketing purposes.

6. International Transfers

We store your data on servers located in the United Kingdom and/or the European Economic Area. Where we use third-party services that transfer data outside the UK/EEA (such as Stripe), we ensure adequate safeguards are in place, including Standard Contractual Clauses approved by the ICO or the European Commission.

7. Data Retention

Data | Retention Period
Account and profile data | Until account deletion, then immediately purged
Invoices and client data | Until account deletion, then immediately purged
Payment records (Stripe) | Up to 7 years for tax and legal compliance (held by Stripe)
Server access logs | 30 days, then automatically deleted
Backups | Up to 30 days after deletion, then overwritten

8. Your Rights Under UK GDPR

As a data subject, you have the following rights. To exercise any of them, email us at privacy@quick-bill.co.uk or use the self-service tools in Settings → Privacy. We will respond within 30 days.

  • Right of access — Request a copy of all personal data we hold about you. Available instantly via Settings → Privacy → Export My Data.
  • Right to rectification — Correct inaccurate data via Settings → Profile or Settings → Business.
  • Right to erasure — Delete your account and all associated data permanently. Available via Settings → Privacy → Delete Account.
  • Right to restriction — Ask us to stop processing your data in certain circumstances while a dispute is resolved.
  • Right to data portability — Receive your data in a structured, machine-readable format (JSON). Available via Settings → Privacy → Export My Data.
  • Right to object — Object to processing based on legitimate interests. We will stop unless we have compelling grounds to continue.
  • Rights related to automated decision-making — We do not use automated decision-making or profiling.

9. Client Data — Your Responsibilities as Data Controller

When you enter your clients' personal data (names, emails, addresses) into QuickBill, you act as the data controller for that data and we act as your data processor. You are responsible for:

  • Having a lawful basis to process your clients' personal data
  • Notifying your clients about how their data is used, if required
  • Responding to your clients' data subject rights requests
  • Ensuring you only store data that is adequate, relevant, and limited to what is necessary

Our Data Processing Agreement (DPA) is incorporated into our Terms of Service.

10. Security

We take reasonable steps to protect your data, including:

  • Passwords are hashed with bcrypt (one-way, salted)
  • Session tokens are stored in HTTP-only, Secure cookies
  • All data is transmitted over TLS (HTTPS)
  • The database is not publicly accessible
  • Access to production systems is restricted to authorised personnel only

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay, as required by UK GDPR Article 33/34.

11. Children

QuickBill is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the application. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the service after changes constitutes acceptance of the revised policy.

13. Complaints

If you have concerns about how we handle your data, please contact us first at privacy@quick-bill.co.uk. If we cannot resolve your concern, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
ico.org.uk