Privacy & cookies

Last updated: 9 May 2026 (2026-05-09). This page combines our privacy policy (B2B SaaS product and public website) with our cookie notice. Replace placeholders (legal entity name, address, DPO) with your own details and have qualified counsel review before production use.

1. Introduction

Cloud Billing (“we”, “us”) provides a multi-tenant billing and operations platform (“Service”). This policy explains how we handle personal data when you visit our website, create an account, or use the Service as a customer, vendor, or end user acting on behalf of an organisation.

Where the Service is offered to your company or organisation, that organisation is typically the controller of personal data entered into workspaces, and we act as a processor according to our data processing terms. See our Data processing addendum for more detail.

2. Data controller

For website visitors and for the account relationship with us as platform operator, the controller is [Your legal entity name], registered at [Registered address]. Align this with the fields in Site settings (Impressum) where you publish the same entity. You can reach our privacy team at the address on our Contact page.

For registered office and regulatory details, see also our Impressum.

If you have appointed a data protection officer or EU/UK representative, insert their contact details here once confirmed.

3. Personal data we process

Depending on how you interact with us, we may process:

Account and identity: name, email address, organisation name, role, authentication identifiers (e.g. user ID from Supabase Auth), and profile preferences.
Service content: data you choose to store in the product (e.g. customers, invoices, inventory, attendance, shop or warehouse records). This may include third-party personal data for which your organisation is responsible.
Technical and usage: IP address, approximate location derived from IP, device and browser type, timestamps, pages viewed, API usage, diagnostic logs, and security signals.
Billing: payment-related metadata processed by our payment service provider (e.g. Stripe), such as billing contact, subscription state, and transaction references—not full card numbers, which are handled by the payment provider.
Support and enquiries: messages you send via contact forms, email, or in-product support, including attachments you provide.

4. Purposes and legal bases (EEA/UK)

Where European data protection law applies, we rely on the following bases:

Contract: operating the Service, authenticating users, processing subscriptions, and providing support you request.
Legitimate interests: securing the platform, detecting abuse, improving reliability and performance, analysing aggregated usage, and direct B2B communications where allowed (balanced against your rights).
Legal obligation: tax, accounting, and regulatory requirements where applicable.
Consent: where we expressly ask for it (for example non-essential cookies—see our Cookie notice below).

6. International transfers

Your data may be processed in countries outside where you live, including the United States. Where required, we use appropriate safeguards such as Standard Contractual Clauses (EU Commission 2021/914), the UK International Data Transfer Agreement or Addendum, or other mechanisms recognised by applicable law. You may request a copy of relevant transfer mechanisms from the contact above.

7. Retention

We retain personal data only as long as necessary for the purposes above, including legal, tax, and dispute resolution needs. Workspace content is retained according to your subscription, backups configured in Supabase or your host, and your written off-boarding instructions. When an account ends, you should export data you need; we delete or anonymise in line with our retention schedule and the DPA.

8. Security

We implement administrative, technical, and organisational measures appropriate to the risk, including encryption in transit, access controls, tenant isolation at the database layer (e.g. row-level security), and monitoring. No method of transmission or storage is completely secure; report suspected vulnerabilities responsibly via our Security page.

9. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to processing of your personal data, and to withdraw consent where processing is consent-based. You may lodge a complaint with a supervisory authority. To exercise rights, contact us via Contact. If we process data solely on instructions from your employer, we may refer your request to them where appropriate.

10. Automated decisions

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects within the meaning of the GDPR. If that changes, we will update this policy and explain any available rights.

11. Children

The Service is intended for business use and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have, contact us and we will delete it promptly.

12. Changes to this policy

We may revise this policy to reflect product, legal, or regulatory changes. We will post the updated version with a new “last updated” date and, where appropriate, notify account administrators by email or in-product notice.

Cookie notice

This notice describes cookies and similar technologies we use today. Update it when you add analytics, advertising pixels, chat widgets, or embedded media.

What are cookies?

Cookies are small text files stored on your device. “Similar technologies” include local storage and session storage. We use them to keep sessions secure, remember preferences, and (if you add them) measure usage or deliver marketing.

How we use them

Category	Purpose	Examples / notes	Typical duration
Strictly necessary	Authentication, session continuity, CSRF protection, load balancing, security hardening.	Cookies or storage set by Supabase Auth and your application host (e.g. session refresh tokens, SSR cookie names as configured).	Session or up to 1 year depending on “remember me”.
Preferences	Remember display choices such as light/dark theme.	Theme preference via `localStorage` ( next-themes) where implemented.	Persistent until cleared.
Analytics (optional)	Understand traffic and product usage—only if you enable a provider.	Not used in this starter. If you add Plausible, PostHog, GA4, etc., name them here with opt-out links.	Per vendor policy.
Marketing (optional)	Advertising or remarketing.	Not used in this starter. Disclose any Meta, LinkedIn, or Google Ads pixels if added.	Per vendor policy.

Third parties

When you authenticate or load assets from third parties, those providers may set their own cookies under their policies. Review Supabase, Stripe Checkout, and any support or status embeds you integrate.

Your choices

You can block or delete cookies in your browser settings. Blocking strictly necessary cookies may prevent sign-in or workspace access. For EU/UK users, non-essential cookies are shown only after you accept them via the site banner where we deploy consent tooling; keep this notice aligned with the categories you present.

Do Not Track

There is no consistent industry response to DNT signals. We treat analytics and marketing as opt-in where we implement consent tooling.

Contact and updates

For privacy rights and controller details, see the Introduction and Data controller sections above. Questions: Contact.