Privacy Policy
1. Introduction
NeoForge Labs Limited (“NeoForge Labs,” “Autobillr,” “we,” “us,” or “our”), a private limited company registered in the Republic of Kenya, operates the Autobillr platform, accessible at autobillr.dev and through our APIs and SDKs (the “Service”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Service.
We are committed to protecting your privacy and complying with the Kenya Data Protection Act, 2019, the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”), and other applicable data protection laws.
This Privacy Policy applies to: (a) users who create an Account and use the Service (“Users”); (b) clients of our Users who receive invoices, view payment pages, or receive chase communications through the Service (“Invoice Recipients”); and (c) visitors to our website.
2. Data Controller Information
NeoForge Labs Limited
Nairobi, Kenya
Email: privacy@autobillr.dev
Data Protection Officer: privacy@autobillr.dev
For Users in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, NeoForge Labs Limited is the data controller for data collected directly from you. For personal data of Invoice Recipients processed on behalf of our Users, the User is the data controller and NeoForge Labs acts as a data processor.
3. Personal Data We Collect
3.1 Data You Provide Directly
Account Registration Data: Name, email address, password (hashed and salted — we never store plaintext passwords), business name, business address, phone number, business industry, and preferred currency.
Billing Data: Subscription tier, billing address, payment method details (processed and stored by our payment processor — we do not store full payment card numbers), transaction history.
Business Data: Invoices you create (including line items, amounts, currencies, due dates), client names and contact information, contracts you upload for parsing, payment records, and notes or communications you draft within the Service.
Communication Preferences: Preferred chase channels, chase automation settings, notification preferences, and timezone.
3.2 Data We Collect Automatically
Usage Data: Features used, pages visited, time spent, search queries, and interaction with AI-generated outputs.
Device and Technical Data: IP address, browser type, operating system, device type, screen resolution, language settings, and referring URL.
Communication Delivery Data: Email open tracking, link tracking, SMS delivery receipts, and WhatsApp read receipts for chase communications.
3.3 Data We Derive or Generate
Client Profiles: Behavioral profiles based on payment history, including average days to pay, on-time payment rate, and risk score.
Cash Flow Predictions: Predictions about when invoices are likely to be paid, based on historical patterns and industry benchmarks.
Contract Extracted Data: AI-extracted billing-relevant terms from uploaded contracts, stored as structured data.
Aggregated and Anonymized Data: Anonymized, de-identified datasets from platform-wide usage patterns, which cannot be linked back to you or your Clients.
3.4 Data We Do NOT Collect
We do not collect: full payment card numbers, biometric data, health information, genetic data, trade union membership, data about sex life or sexual orientation, or precise geolocation data. We do not knowingly collect personal data from children under 18.
4. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the Service (account management, invoicing, payments) | Performance of contract |
| Chase Automation (follow-up communications) | Performance of contract |
| Intelligence Features (contract parsing, cash flow prediction) | Performance of contract |
| AI model improvement (anonymized, aggregated data) | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Analytics and product improvement | Legitimate interest |
| Marketing communications | Consent |
| Compliance with legal obligations | Legal obligation |
4.3 AI and Automated Decision-Making
The Service uses AI and automated processing to parse contracts, generate chase messages, predict payment timelines, profile client behavior, and validate invoices. These produce recommendations for your review. No fully automated decisions with legal or similarly significant effects are made about you without human involvement.
5. How We Share Your Data
| Category | Provider(s) | Purpose |
|---|---|---|
| Cloud Infrastructure | Render | Hosting, database, compute |
| File Storage | Cloudflare R2 | Uploaded contracts, generated PDFs |
| Email Delivery | Resend | Sending chase and transactional emails |
| SMS Delivery (Africa) | Africa's Talking | Sending SMS chase messages |
| SMS/WhatsApp (Global) | Twilio | Sending SMS and WhatsApp messages |
| AI Model Providers | OpenRouter (Anthropic, OpenAI, Google) | Contract parsing, message generation |
| Payment Processing | Stripe | Subscription payments |
| Error Monitoring | Sentry | Application error tracking |
We do not sell your personal data. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
6. International Data Transfers
Your personal data may be transferred to countries other than your country of residence, including the United States. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions. For transfers from Kenya, we comply with the Kenya DPA cross-border transfer requirements.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of Account + 30 days |
| Invoices, payment records, client data | Duration of Account + 90 days |
| Chase communication logs | 3 years from communication date |
| Billing and transaction records | 7 years from transaction date |
| Usage data and analytics | 2 years from collection |
| Server logs | 90 days |
| Aggregated, anonymized data | Indefinite |
8. Your Rights
8.1 Rights Under Kenya DPA
If you are located in Kenya, you have the right to: be informed, access your data, object to processing, correct inaccurate data, delete your data, restrict processing, and data portability.
8.2 Rights Under GDPR (EEA, UK, Switzerland)
You have the right to: access, rectification, erasure (“right to be forgotten”), restriction, data portability, object to processing, withdraw consent, and not be subject to solely automated decisions with significant effects.
8.3 Rights Under CCPA/CPRA (California)
California residents have the right to: know what data we collect, delete data, correct data, opt-out of sale/sharing (we do not sell your data), and not be discriminated against for exercising rights.
8.4 Exercising Your Rights
To exercise any of these rights, contact us at privacy@autobillr.dev. We will respond within 30 days.
9. Data Security
We implement technical and organizational measures including: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, row-level database security for tenant isolation, JWT-based authentication, bcrypt password hashing, real-time monitoring via Sentry, and a documented incident response plan with 72-hour breach notification.
10. Cookies and Tracking Technologies
We use essential, functional, and optional analytics cookies. We do not use third-party advertising tracking. For full details, see our Cookie Policy.
11. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or notice within the Service.
13. Contact Information
NeoForge Labs Limited
Data Protection Inquiries: privacy@autobillr.dev
General Inquiries: support@autobillr.dev
Location: Nairobi, Kenya
By using Autobillr, you acknowledge that you have read and understood this Privacy Policy.