Privacy Policy

Last updated: March 2026

1. Who We Are

SoarBill is an invoicing and time-tracking platform for freelancers and contractors, accessible at app.soarbill.com. The Service is operated by Greenycode ("Greenycode", "we", "us", or "our"), a company registered in Sofia, Bulgaria.

Greenycode acts as the data controller for personal data collected directly through the SoarBill platform (such as account information, usage data, and billing data). Where you store your own clients' personal data within SoarBill (for example, client names and addresses on invoices), Greenycode acts as a data processor on your behalf — see Section 4 for details.

For any privacy-related questions, contact us at support@soarbill.com.

2. What Data We Collect and Why

We collect only the minimum data necessary to provide our services (data minimisation principle, GDPR Article 5(1)(c)):

  • Account information: name, email address, country. Required to create and identify your account.
  • Google account data (when signing in with Google): your name, email address, and a unique Google account identifier, received from Google during the OAuth sign-in flow. We do not receive your Google password, contacts, calendar, Google Drive contents, or any other Google account data.
  • Business information: company name, address, tax ID, VAT number, registration number. Required to generate invoices on your behalf.
  • Financial data: bank account details (IBAN / BIC), Stripe customer and subscription identifiers. Required to manage billing and subscription.
  • Your client and work data: invoices, time entries, client contact details, and project information that you create and manage within the platform. You are the data controller of this data — see Section 4.
  • Gmail access token (Pro plan, optional): when you voluntarily connect your Gmail account to send invoices, we store an OAuth access token with the sole permission to send emails (gmail.send) on your behalf. We do not access, read, index, or store the content of any email in your Gmail inbox. You may revoke this access at any time.
  • Usage data: technical log data (IP address, browser type, timestamps) collected for security and operational purposes.

Children: SoarBill is a professional tool intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us at support@soarbill.com and we will delete it promptly.

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases as defined in GDPR Article 6:

  • Article 6(1)(b) — Contract performance: Processing is necessary to perform the service you have signed up for (account management, invoice generation, time tracking, Google Sign-In authentication).
  • Article 6(1)(a) — Consent: Where you voluntarily connect optional third-party integrations, such as linking your Gmail account for invoice sending. You may withdraw consent at any time.
  • Article 6(1)(c) — Legal obligation: Where we are required to retain or process data by applicable law (e.g. financial record-keeping obligations).
  • Article 6(1)(f) — Legitimate interests: Security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights.

4. Data Roles: Controller and Processor

4.1 Greenycode as Data Controller

Greenycode determines the purposes and means of processing your personal account data (name, email, billing details, usage logs). For this data, Greenycode is the data controller and this Privacy Policy describes how we handle it.

4.2 You as Data Controller — Your Clients' Data

When you use SoarBill to store and process personal data belonging to your own clients (for example, their names, email addresses, and postal addresses on invoices), you are the data controller of that data. Greenycode acts solely as a data processor on your instructions.

As data controller, you are responsible for ensuring you have a lawful basis to process your clients' personal data, that you provide them with any required privacy notices, and that you comply with applicable data protection law in relation to that data.

4.3 Data Processing Agreement

For the purposes of GDPR Article 28, these Terms of Service (together with the Privacy Policy) constitute the data processing agreement between you (controller) and Greenycode (processor) for the processing of your clients' personal data. In summary:

  • Greenycode processes your clients' data only on your documented instructions (i.e. the actions you take within the Service).
  • We implement appropriate technical and organisational security measures as described in Section 11.
  • We will assist you in responding to data subject rights requests relating to your clients' data, to the extent reasonably possible.
  • We will notify you without undue delay if we become aware of a security incident affecting your clients' data.
  • We will delete or return your clients' data upon account deletion, subject to the retention periods in Section 5.
  • We engage sub-processors as listed in Section 5. By using the Service, you authorise their engagement. We will inform you of any intended changes to sub-processors and provide you the opportunity to object.

5. Sub-Processors and Data Storage

We engage the following sub-processors to operate the Service. All personal data is stored within the European Economic Area (EEA) unless otherwise noted. Where data is transferred outside the EEA, appropriate safeguards — specifically Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c) — are in place:

Processor | Purpose | Location
EU-based application hosting provider | Application server and API hosting | Germany, EU
EU-based database provider | PostgreSQL database hosting | Frankfurt, Germany, EU
EU-based object storage provider | File storage for user-uploaded assets (e.g. invoice logos) | European data centres, EU
Stripe Payments Europe, Ltd. | Payment processing and subscription management | Ireland, EU
Mailgun | Transactional email delivery (verification, password reset) | EU region
Google LLC | Google Sign-In authentication; Gmail API for invoice sending (where enabled by the user) | USA (SCCs in place)
Sentry | Error monitoring and diagnostics | USA (SCCs in place)

We do not sell your personal data to any third party. We have Data Processing Agreements (DPAs) in place with all sub-processors as required by GDPR Article 28. You may request a full list of named sub-processors by emailing support@soarbill.com.

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy (GDPR Article 5(1)(e) — storage limitation).

  • Your account data is retained for as long as your account is active.
  • When you request account deletion, your account is flagged. All your data is permanently deleted from our systems after a 30-day grace period.
  • Server logs are retained for up to 90 days. Database backups are retained for up to 30 days after the deletion grace period expires.
  • Gmail access tokens are deleted immediately upon disconnection of your Gmail account or deletion of your SoarBill account.
  • Stripe retains payment records according to their own policy and applicable financial regulations.
  • Anonymised or aggregated usage logs may be retained longer for security and operational analysis.

7. Your Rights Under GDPR

If you are located in the European Economic Area (or where equivalent rights apply under local law), you have the following rights regarding your personal data held by Greenycode:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right of rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on your consent (e.g. Gmail integration), you may withdraw it at any time without affecting the lawfulness of prior processing.

You can exercise these rights via Settings → Account within the app, or by emailing support@soarbill.com. We will respond within 30 days as required by GDPR Article 12. Where requests are complex or numerous, we may extend this by a further 60 days and will notify you accordingly.

You also have the right to lodge a complaint with your local supervisory authority. In Bulgaria, this is the Commission for Personal Data Protection (cpdp.bg).

8. Email Communication

We send transactional emails only. These include:

  • Account verification and password reset emails
  • Invoice delivery emails sent to your clients on your behalf
  • Material service or policy change notifications

We do not send marketing or promotional emails. Transactional emails are essential to the service and cannot be opted out of while your account is active.

9. Google Sign-In and Gmail Integration

9.1 Google Sign-In

You may create a SoarBill account or sign in using your Google account via OAuth 2.0. When you do so, Google shares with us only your name, email address, and a unique Google account identifier. This information is used solely to create or authenticate your SoarBill account.

We do not receive your Google password, contacts, calendar, Google Drive contents, search history, or any other Google account data.

9.2 Gmail Integration (Pro plan)

If you choose to connect your Gmail account to send invoice emails directly from your own address, we request only the gmail.send permission via Google OAuth 2.0.

  • We do not read, access, index, or store the content of any emails in your Gmail inbox or sent folder.
  • We do not access your Gmail contacts, labels, or any other Gmail data.
  • The access token is stored securely and used exclusively to send invoice emails that you explicitly trigger within SoarBill.
  • You can disconnect your Gmail account at any time from Settings → Email Provider. Upon disconnection, the access token is immediately and permanently deleted.

9.3 Google API Services User Data Policy

SoarBill's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only for the purposes described in this Privacy Policy. It is not used for advertising, not shared with third parties for their independent use, and not used in any way that is incompatible with providing the SoarBill service.

10. Cookies and Local Storage

SoarBill stores only essential session tokens in your browser's localStorage to keep you logged in. We do not use tracking cookies, advertising cookies, or analytics tools that profile your behaviour.

No cookie consent banner is required because we do not use non-essential cookies.

Error monitoring via Sentry may capture anonymised technical data (stack traces, error context). No personal profile is built from this data.

11. Security

Greenycode implements appropriate technical and organisational measures to protect your data, including:

  • Encrypted data transmission (HTTPS/TLS) for all communications
  • Bcrypt hashing for password storage
  • Short-lived access tokens and rotating refresh tokens
  • Strict access controls limiting data access to authorised personnel
  • All data at rest stored within EU data centres

No system is entirely immune to risk and we cannot guarantee absolute security. We recommend you use a strong, unique password and keep your account credentials confidential.

12. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Article 22).

13. Data Breaches

In the event of a personal data breach that poses a risk to your rights and freedoms, Greenycode will notify you without undue delay and will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Articles 33–34.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above. For material changes affecting how we process your personal data, we will notify you via email or an in-app notification at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

15. Contact

For privacy-related inquiries, contact Greenycode at: support@soarbill.com