This Privacy Policy describes how BillBird Holdings ("BillBird", "we", "us", "our"), a company registered under the laws of Poland with its registered office in Warsaw, Poland, operates the BillBird subscription-tracking service available at www.billbird.io (the "Service").
| Item | Details |
|---|---|
| Data Controller | BillBird Holdings, Warsaw, Poland |
| Contact Email | hello@billbird.io |
| DPO | Not required under GDPR Art. 37(1) — small business exemption applies. Privacy queries: hello@billbird.io |
BillBird is an intelligent subscription management platform that gives you complete visibility and control over your software spending. By securely connecting to your email account via IMAP, BillBird automatically identifies recurring-payment and subscription emails, extracts key billing details — merchant name, amount, currency, billing frequency, and renewal dates — and presents them in a single, unified dashboard.
Beyond simple extraction, BillBird analyses your subscription portfolio to provide meaningful financial insights: spending breakdowns by software category, total monthly and annual cost summaries, and trends over time. This helps individuals and teams understand exactly where their budget is going and identify redundant or underused tools.
BillBird also goes a step further by surfacing market intelligence: for each subscription category, the platform analyses available alternatives and provides data-driven recommendations on the best tools based on features, pricing, and value. Whether you are overpaying for a tool that has a better-priced equivalent, or using multiple overlapping services that could be consolidated, BillBird helps you make smarter software decisions.
In short, BillBird is an all-in-one subscription intelligence tool — combining automated discovery, spend analysis, and AI-assisted alternative recommendations — designed to save you money and reduce the complexity of managing modern software stacks. Because the core service requires access to your email, we handle sensitive personal data and we take that responsibility seriously.
This Policy applies to all personal data processed through www.billbird.io, the BillBird application, and any related services, for all users globally, with heightened protections for EU/EEA residents under GDPR.
Material changes will be communicated by email at least 30 days before taking effect and by a prominent notice in the Service. Minor changes (wording clarifications, broken-link fixes) take effect on the updated date shown above. Continued use constitutes acceptance.
Collected at registration:
Legal basis: Contract performance (GDPR Art. 6(1)(b))
High-Sensitivity Data
IMAP credentials give access to a user's email account. This is the highest-risk data category we handle. Users must be informed clearly and we must justify why we use IMAP rather than OAuth where available.
To connect an email account, we collect:
Why IMAP, not OAuth?
OAuth is limited to specific providers (Google, Microsoft). IMAP lets users connect any email service — Gmail, ProtonMail, custom business domains, older providers — without us being gated by provider approval programmes. This is a technical compatibility decision, not a data-collection choice. We access only the minimum email data needed for subscription detection. You can disconnect your email account at any time, which immediately deletes your stored credentials.
Legal basis: Contract performance (GDPR Art. 6(1)(b)) — necessary to deliver the core service
When scanning connected accounts we process:
What We Do NOT Collect
Full email content beyond subscription emails · Personal correspondence · Attachments (except invoice links in subscription emails) · Emails unrelated to subscriptions · Full card numbers · Passwords found in emails · Government IDs or SSNs
Once subscription data is extracted we do not retain the raw email content. We adhere strictly to the GDPR data-minimisation principle (Art. 5(1)(c)).
Legal basis: Contract performance (GDPR Art. 6(1)(b))
For paid plans, processed via Stripe:
We never see or store complete card numbers. Full payment details are handled by Stripe (PCI-DSS Level 1 certified).
Legal basis: Contract performance (Art. 6(1)(b)) and legal obligation — tax/accounting records (Art. 6(1)(c))
Automatically collected:
Legal basis: Legitimate interests (Art. 6(1)(f)) — service improvement, security, fraud prevention
When you contact us:
Legal basis: Consent (Art. 6(1)(a)) for marketing; legitimate interests (Art. 6(1)(f)) for support
We use minimal cookies:
We Do NOT Use
Third-party advertising cookies · Social media tracking pixels · Cross-site tracking cookies · Behavioural profiling cookies
Legal basis: Consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests (Art. 6(1)(f)) for essential cookies
We use personal data to: create and manage your account; authenticate your identity; connect to email via IMAP; scan for subscription emails; extract and display subscription data; send renewal reminders; and provide customer support. Legal basis: contract performance (Art. 6(1)(b)).
We send: transactional emails (account confirmation, password reset, subscription changes); service update notices; support responses; renewal reminders; and policy-change notifications. Promotional / marketing emails are sent only with your explicit opt-in consent (Art. 6(1)(a)) and you may unsubscribe at any time via the link in each email.
We use anonymised and aggregated data to analyse usage patterns, improve detection accuracy, develop features, fix bugs, and conduct internal R&D. Legal basis: legitimate interests (Art. 6(1)(f)).
We process data to detect and prevent fraud, abuse, and security incidents; monitor for suspicious activity; enforce our Terms of Service; and comply with legal obligations. Legal basis: legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)).
We process data to comply with tax, accounting, and regulatory obligations; respond to lawful authority requests; and protect against legal claims. Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).
Your data is primarily stored on Supabase infrastructure hosted on AWS us-east-1 (United States). EU user data is transferred to and stored in the US under Standard Contractual Clauses (SCCs). If you wish to request EU-region storage, contact hello@billbird.io — we are actively reviewing data localisation options.
Several processors are US-headquartered or store data in the US. Specifically: Supabase stores data in AWS us-east-1 (US); Vercel executes IMAP extraction on US servers; Cloudflare is US-headquartered though EU traffic is processed on EU edge nodes; Stripe and Resend operate in the US with EU operations. N8N processes data exclusively on EU servers (Azure West Central, Frankfurt). Safeguards in place:
Transfer Impact Assessments (TIAs) have been conducted for all US-based processors as required under GDPR Chapter V and the Schrems II framework. N8N processes data exclusively in the EU and does not require a TIA. Cloudflare and Resend are EU-US Data Privacy Framework certified, providing additional transfer protections. Copies of transfer safeguards are available on request by emailing hello@billbird.io.
Users are responsible for: using strong unique passwords; enabling two-factor authentication; using app-specific passwords (not main account passwords) for IMAP; logging out from shared devices; and reporting suspicious activity to hello@billbird.io immediately.
In the event of a personal data breach we will: notify the relevant supervisory authority within 72 hours of discovery (GDPR Art. 33); notify affected users without undue delay via email (Art. 34); provide details of the breach, its impact, and remedial steps taken.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account | Contract |
| IMAP credentials | Until email disconnected or account deleted (immediate deletion) | Contract / security |
| Extracted subscription data | While account active; 30 days post-deletion | Contract |
| Usage logs | 12 months | Legitimate interest |
| Support communications | 24 months after resolution | Legitimate interest |
| Billing records | 7 years | Legal obligation (tax/accounting) |
| Marketing consent records | Duration of consent + 3 years | Legal (proof of consent) |
| Aggregated analytics (anonymised) | Indefinite | No personal data |
When retention periods expire or deletion is requested: personal data is deleted from production systems within 30 days; backup copies are purged within 90 days; secure deletion methods ensure the data is unrecoverable; only anonymised aggregated data may be retained.
EU/EEA residents have the following rights. All requests should be sent to hello@billbird.io with the relevant subject line. We respond within 30 days (extendable by 60 days for complex requests, with notification). All rights can be exercised free of charge for the first request.
| Right | What It Means | How to Exercise |
|---|---|---|
| Access (Art. 15) | Confirm whether we process your data; obtain a copy | Email: "Access Request" |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Account settings or email |
| Erasure (Art. 17) | Delete your data (subject to legal exceptions) | Account > Delete, or email |
| Restriction (Art. 18) | Pause processing while a dispute is resolved | Email: "Restriction Request" |
| Portability (Art. 20) | Receive data as JSON/CSV for transfer | Account > Export, or email |
| Object (Art. 21) | Object to legitimate-interest processing; absolute right to stop direct marketing | Email or unsubscribe link |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time (doesn't affect prior lawful processing) | Account settings or email |
| Complaint (Art. 77) | Lodge a complaint with your supervisory authority | See Section 8.1 below |
Your lead supervisory authority is the data protection authority of the EU country in which BillBird is incorporated: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl. A full list of EU supervisory authorities: edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Account information | Contract performance | Art. 6(1)(b) |
| IMAP credentials | Contract performance | Art. 6(1)(b) |
| Email content (subscription scanning) | Contract performance | Art. 6(1)(b) |
| Payment data | Contract + Legal obligation | Art. 6(1)(b) + (c) |
| Usage & analytics data | Legitimate interests | Art. 6(1)(f) |
| Marketing communications | Consent | Art. 6(1)(a) |
| Security & fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Tax/accounting records | Legal obligation | Art. 6(1)(c) |
The Service is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a child, contact hello@billbird.io immediately and we will delete it and terminate the account promptly.
We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on users (GDPR Art. 22). Our subscription-detection algorithms scan emails to extract billing data — this is a purely functional service process, not profiling. You retain full control and can review, correct, or delete any extracted data at any time.
We have conducted a Data Protection Impact Assessment (DPIA) under GDPR Art. 35, using the EDPB DPIA Template v1.0 (March 2026). The DPIA covers collection and storage of IMAP credentials, automated email content processing, and subscription data extraction. It concludes that all identified risks are mitigated to an acceptable level through encryption, data minimisation, strict purpose limitation, and full user control. The DPIA is available on request by contacting hello@billbird.io.
California residents have rights to: know what personal information is collected and for what purpose; know whether personal information is sold or disclosed (we do not sell); opt out of sale (not applicable — we do not sell); delete personal information; and non-discrimination for exercising rights. Submit California privacy rights requests to hello@billbird.io.
UK residents have the same rights as EU residents under UK GDPR. Our UK supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk.
We comply with applicable data-protection laws in all jurisdictions where we operate. Contact hello@billbird.io with jurisdiction-specific questions.
BillBird commits to: being transparent about all data practices; collecting only the minimum data necessary; using data only for the purposes stated in this Policy; protecting data with industry-leading security; respecting and facilitating all user rights promptly; notifying users of breaches without undue delay; and never selling personal data — ever.
We will maintain a security page at www.billbird.io/security covering best practices, vulnerability disclosure, and security contact information.
Acknowledgment
By using the BillBird Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described herein. If you do not agree, please do not use the Service.