Legal
Privacy Policy
Last updated: 28 May 2026 · Effective immediately
This Privacy Policy explains how FlashBill collects, uses, stores, shares, and protects your personal data. It is written in plain language to ensure you understand your rights and our obligations. It has been prepared in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully before using the Service.
1. Who We Are & How to Contact Us
FlashBill is operated by an independent developer based in England and Wales, trading as a sole trader. We are the data controller in respect of personal data you provide when registering for and using the Service. As data controller, we determine the purposes and means by which your personal data is processed.
For all privacy-related enquiries, data subject access requests (DSARs), and complaints, please contact us at:
Email: admin@flashbill.co.uk (include "Privacy" or "DSAR" in the subject line)
This Privacy Policy applies to all personal data collected through our website at flashbill.co.uk, any subdomain of flashbill.co.uk, and the FlashBill web application. By using any part of our Service, you acknowledge that you have read and understood this policy.
ICO registration: FlashBill's registration with the Information Commissioner's Office (ICO) is currently in progress. Our ICO reference number will be published on this page upon completion. In the meantime, you may contact the ICO directly at ico.org.uk if you have a concern about how your data is being handled.
"Personal data" for the purposes of this policy means any information that relates to an identified or identifiable living individual. This includes obvious identifiers such as your name and email address, and also indirect identifiers such as IP addresses, device identifiers, and usage patterns that can be linked back to you.
2. Personal Data We Collect
We collect and process the following categories of personal data:
| Category | Data Collected | When Collected |
|---|---|---|
| Account Data | Full name, email address, password (stored as a bcrypt hash — never in plain text) | At registration |
| Business Profile Data | Trading name or company name, business address, VAT registration number (if applicable), Unique Taxpayer Reference (UTR), CIS registration status, logo | During account setup and settings |
| Bank Details | Sort code and account number (encrypted at rest using AES-256) | When added to account for invoice display |
| Invoice & Client Data | Client names, client addresses, client email addresses, invoice line items, amounts, payment terms, CIS and VAT details | When creating invoices and client records |
| Payment & Billing Data | Stripe customer ID, subscription plan, payment status, invoice references (no card numbers stored by FlashBill) | On subscription and payment events |
| Usage & Technical Data | IP address, browser type and version, operating system, pages visited, time and date of access, referring URLs, session duration | Automatically when you use the Service |
| Error & Diagnostic Data | Anonymised crash reports, stack traces, browser and OS version (collected via Sentry — no personally identifying data included) | Automatically when errors occur |
| Communication Data | Content of emails you send to us at admin@flashbill.co.uk | When you contact us |
| Consent Records | Cookie consent preference and timestamp, marketing consent and timestamp | When you interact with consent mechanisms |
We do not collect sensitive personal data (also known as "special category data" under UK GDPR Article 9), such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data. If you believe you have inadvertently submitted such data, please contact us immediately to arrange its deletion.
3. Legal Basis for Processing
We are required under UK GDPR Article 6 to identify a valid lawful basis for each type of processing we carry out. The table below sets out the lawful bases on which we rely:
| Processing Activity | Lawful Basis | UK GDPR Reference |
|---|---|---|
| Creating and managing your Account | Performance of a contract — processing is necessary to provide the Service you have signed up for | Article 6(1)(b) |
| Processing subscription payments via Stripe | Performance of a contract | Article 6(1)(b) |
| Storing and displaying your invoices and client data | Performance of a contract | Article 6(1)(b) |
| Encrypting and storing your bank details | Performance of a contract; appropriate technical measures under Article 32 | Article 6(1)(b) |
| Sending transactional emails (invoice delivery, password resets, account alerts) | Performance of a contract; legitimate interests (account security) | Articles 6(1)(b) and 6(1)(f) |
| Retaining invoice and financial data for 7 years | Legal obligation — HMRC record-keeping requirements under the Taxes Management Act 1970 | Article 6(1)(c) |
| Fraud detection, security monitoring, and abuse prevention | Legitimate interests — protecting the platform and other users from harm and misuse | Article 6(1)(f) |
| Service improvement and error monitoring via Sentry | Legitimate interests — maintaining and improving service quality and reliability | Article 6(1)(f) |
| Sending product update and marketing emails | Consent — you have explicitly opted in to receive such communications | Article 6(1)(a) |
| Responding to legal claims or regulatory requests | Legal obligation; legitimate interests (defending legal claims) | Articles 6(1)(c) and 6(1)(f) |
Where we rely on legitimate interests as our lawful basis, we have carried out a legitimate interests assessment to ensure that our interests are not overridden by your interests, rights, or freedoms. You have the right to object to processing based on legitimate interests (see clause 9).
Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
4. How We Use Your Personal Data
We use your personal data only for the purposes described in this policy and only to the extent necessary for those purposes. Specifically, we use your personal data to:
- Create, manage, authenticate, and secure your Account;
- Provide, operate, and deliver the FlashBill Service, including generating and storing invoices, calculating CIS deductions and VAT, and managing client records;
- Generate PDF invoices and, where requested, send them to your clients by email on your behalf via Postmark;
- Process subscription payments and manage your billing relationship with us via Stripe;
- Send you transactional emails essential to the operation of your Account, including email verification, password reset instructions, invoice delivery confirmations, and subscription renewal reminders;
- Send you product updates, new feature announcements, and onboarding guidance, if you have consented to receive such communications;
- Monitor for and prevent fraudulent, abusive, or unauthorised use of the Service;
- Monitor service performance, diagnose errors, and improve the reliability of the platform using anonymised error data from Sentry;
- Comply with our legal and regulatory obligations, including responding to lawful requests from HMRC, courts, or other public authorities;
- Respond to your enquiries, support requests, and complaints;
- Enforce our Terms of Service and protect the rights and safety of FlashBill, our users, and third parties.
We will not use your personal data for any purpose that is incompatible with the purposes described above without providing you with prior notice and, where required, obtaining your consent.
5. Data Retention
We retain your personal data only for as long as is necessary for the purposes set out in this policy, or as required by applicable law. The following table sets out our standard retention periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email, password hash) | Duration of account + 30 days after closure | Contract performance; sufficient time for you to reconsider closure |
| Business profile data (trading name, UTR, VAT number) | Duration of account + 30 days after closure | Contract performance |
| Bank details (sort code, account number) | Duration of account; deleted within 30 days of account closure | Contract performance; encrypted at rest |
| Invoice and client data | 7 years from the date of the invoice | HMRC record-keeping legal obligation (Taxes Management Act 1970) |
| Payment and billing references | 7 years | Tax and financial record-keeping legal obligation |
| Error and diagnostic logs (Sentry) | 90 days (anonymised; auto-purged by Sentry) | Legitimate interests — service reliability |
| Email delivery logs (Postmark) | 45 days | Legitimate interests — delivery troubleshooting |
| Server access and security logs (Railway) | 30 days (rolling) | Legitimate interests — security monitoring |
| Cookie consent record | 1 year | Demonstrating compliance with PECR consent requirements |
| Communication data (emails to us) | 3 years from date of communication | Legitimate interests — dispute resolution and legal defence |
| Backup data | 90-day rolling window; older backups automatically purged | Service resilience; data recovery |
Where retention is required by law (for example, the 7-year HMRC rule), we cannot delete your invoice data earlier even if you request erasure. In such cases, we will restrict active processing of the data to the minimum necessary to satisfy the legal obligation. We will notify you if a legal obligation prevents us from fulfilling an erasure request.
6. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, alteration, or disclosure, in accordance with UK GDPR Article 32.
Our key security measures include:
- Encryption at rest: Bank details (sort code and account number) are encrypted using AES-256 encryption before being stored in our database. No bank details are stored in plain text.
- Password hashing: All passwords are hashed using the bcrypt algorithm with an appropriate cost factor. Passwords are never stored in plain text or in reversible encrypted form.
- Encryption in transit: All data transmitted between your browser and the FlashBill platform is encrypted using HTTPS/TLS 1.2 or higher. Connections over plain HTTP are automatically redirected to HTTPS.
- Infrastructure security: FlashBill is hosted on Railway's EU/EEA region infrastructure with isolated PostgreSQL databases. Access to production systems is restricted to authorised personnel only and protected by strong credentials.
- Access controls: Access to production data is restricted to the operator on a least-privilege basis. No third-party personnel have standing access to your data.
- Error monitoring: Application errors are reported to Sentry using anonymisation measures that strip personally identifying data (such as email addresses and IP addresses) before transmission.
- Dependency management: We carry out regular reviews of software dependencies to identify and patch known security vulnerabilities.
- Two-factor authentication: We provide optional 2FA for your Account to add an extra layer of protection against unauthorised access.
While we take all reasonable steps to protect your data, no method of transmission over the internet and no method of electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to notifying you promptly in the event of a data breach that is likely to affect your rights and freedoms.
7. Third-Party Data Processors
We share your personal data with a limited number of trusted third-party service providers who act as our data processors — meaning they process your data only on our instructions and for the purposes we specify. We have entered, or are in the process of entering, into Data Processing Agreements (DPAs) with each processor in accordance with UK GDPR Article 28.
| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription management. Stripe processes your billing details and subscription status. FlashBill does not store card numbers. | USA | Standard Contractual Clauses (UK Addendum) |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery — invoice emails, password resets, account notifications. Postmark receives the recipient email address and email content. | USA | Standard Contractual Clauses (UK Addendum) |
| Railway Corporation | Cloud hosting, managed server infrastructure, and managed PostgreSQL database. All application data resides on Railway's EU/EEA region servers. | EU/EEA | Adequacy decision (EEA region) |
| Sentry (Functional Software, Inc.) | Application error monitoring and crash reporting. Sentry receives anonymised diagnostic data only — no email addresses, user IDs, or business data. | USA | Standard Contractual Clauses (UK Addendum) |
| Cloudflare, Inc. | DNS resolution, content delivery network (CDN), and DDoS protection. Cloudflare processes IP addresses and HTTP request metadata as traffic passes through its network. | USA / Global CDN | Standard Contractual Clauses (UK Addendum) |
We do not sell, rent, or trade your personal data to any third party for their own commercial purposes. We share data with the processors listed above only to the minimum extent necessary to deliver the Service. Your client data (i.e., your clients' personal details that you input into FlashBill) is not shared with third-party processors beyond what is technically necessary for the Service to function — for example, Postmark receives a client's email address only when you choose to send them an invoice by email.
We may also disclose your personal data: (a) if required to do so by a court order, regulatory authority, or applicable law; (b) to protect the vital interests of any person where there is a threat to life; (c) to enforce our Terms of Service or protect the rights, property, or safety of FlashBill, our users, or others. We will always seek to inform you of any such disclosure unless we are legally prohibited from doing so.
8. International Data Transfers
Your data is primarily processed and stored within the United Kingdom and the European Economic Area (EEA). Where personal data is transferred to processors based outside the UK/EEA (specifically Stripe, Postmark, Sentry, and Cloudflare, each of which is based in the United States), we rely on Standard Contractual Clauses (SCCs) as updated by the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs to ensure an adequate level of protection for your data.
These contractual safeguards require the receiving processor to: (a) process your data only for the specified purpose; (b) implement technical and organisational security measures equivalent to those required under UK GDPR; (c) not disclose your data to third parties without our prior authorisation; and (d) delete or return your data upon termination of the processing relationship.
You have the right to request a copy of the relevant transfer mechanism documentation by contacting us at admin@flashbill.co.uk.
9. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights in respect of your personal data. To exercise any of these rights, please email admin@flashbill.co.uk with the subject line "Data Subject Request" and a clear description of your request. We will acknowledge your request within five (5) business days and provide a substantive response within thirty (30) calendar days. For complex or high-volume requests, we may extend this period by up to a further two months, in which case we will notify you within the initial 30-day period and explain the reason for the extension.
All data subject requests are free of charge, unless the request is manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable administrative fee or refuse to comply, and will explain our reasons.
Right of Access (Article 15)
You have the right to obtain confirmation from us as to whether we are processing your personal data, and if so, to receive a copy of that data along with supplementary information including: the purposes of processing; the categories of data involved; recipients or categories of recipients; the planned retention period; and information about your other rights. You can access much of your data directly from within your Account. For a full Subject Access Request covering all data we hold, email us with the subject line "DSAR".
Right to Rectification (Article 16)
You have the right to request that we correct inaccurate personal data about you without undue delay. You also have the right to have incomplete personal data completed. You can update most of your account and business profile data directly through Account Settings. For data you cannot update yourself, please contact us and we will correct it within 30 days.
Right to Erasure (Article 17)
You have the right to request that we delete your personal data where: (a) it is no longer necessary for the purposes for which it was collected; (b) you withdraw the consent on which processing was based and there is no other lawful basis; (c) you object to processing based on legitimate interests and there are no overriding legitimate grounds; (d) the data has been unlawfully processed; or (e) erasure is required to comply with a legal obligation. We will comply with a valid erasure request within 30 days. Please note that we cannot erase invoice data that we are legally required to retain for 7 years under HMRC rules — in this case, we will restrict active processing to the minimum necessary.
Right to Data Portability (Article 20)
Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (CSV or JSON) and to transmit it to another controller. You can export your invoice data directly from the FlashBill application. For a full data export, email us at admin@flashbill.co.uk.
Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while you contest the accuracy of data we hold, or while your objection to processing is being considered. During restriction, we may still store your data but will not process it for other purposes without your consent, unless required by law.
Right to Object (Article 21)
You have the right to object at any time to processing of your personal data that is based on legitimate interests (Article 6(1)(f)). On receipt of your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims. You also have an absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing.
Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent (for example, marketing emails), you have the right to withdraw that consent at any time by clicking the "Unsubscribe" link in any marketing email, or by emailing admin@flashbill.co.uk. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Withdrawing consent for marketing will not affect your ability to receive transactional emails essential to the operation of your Account.
Rights in relation to automated decision-making (Article 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Please see clause 10 of this policy for more information.
10. Automated Decision-Making & Profiling
FlashBill does not make automated decisions that have legal or similarly significant effects on individuals. We do not use your personal data for algorithmic profiling, credit scoring, automated hiring decisions, or any other automated decision-making that could significantly affect your rights or opportunities.
The enforcement of the Free Plan invoice limit (5 invoices per month) is carried out automatically by the platform. This is a purely contractual mechanism based on your selected Subscription Plan and does not involve any assessment of your individual characteristics or behaviour beyond counting invoice creation events. If you believe the limit has been applied incorrectly to your Account, contact us at admin@flashbill.co.uk and we will review the matter manually.
FlashBill does not sell, license, or otherwise transfer your personal data for profiling or targeted advertising purposes. We do not build audience profiles from your usage data.
11. Children's Privacy
The FlashBill Service is intended exclusively for use by individuals aged 18 and over. We do not knowingly collect, solicit, or process personal data from children under the age of 18.
If you are a parent or guardian and you believe that a child under the age of 18 has provided personal data to FlashBill without your consent, please contact us immediately at admin@flashbill.co.uk with the subject "Child Data Concern". We will promptly investigate and, if confirmed, delete the relevant data as quickly as practicable.
If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take immediate steps to remove that data from our systems and close the relevant Account.
12. Cookies & Tracking Technologies
FlashBill uses only essential cookies — small text files stored on your device — that are strictly necessary for the operation of the Service. We do not use advertising cookies, analytics cookies (such as Google Analytics), social media tracking pixels, or any technology that tracks you across third-party websites.
For full details of the specific cookies we use, their purpose, duration, and how to control them, please see our Cookie Policy. Our cookie usage is governed by the UK Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR.
13. Marketing Communications
We will only send you marketing and product update emails if you have explicitly opted in to receive such communications. Consent to marketing is separate from acceptance of these Terms and is not a condition of using the Service.
Every marketing email we send includes a clearly visible and functional one-click unsubscribe link. You may also withdraw your marketing consent at any time by emailing admin@flashbill.co.uk with the subject "Unsubscribe". Unsubscribing from marketing communications will not affect your receipt of transactional emails (such as invoice delivery confirmations, password resets, subscription receipts, and account security alerts), which are necessary for the operation of your Account.
We do not share your email address or any other contact details with third parties for their marketing purposes.
14. Data Breach Notification
In the event that we discover a personal data breach, we will act in accordance with our obligations under UK GDPR Article 33 (notification to the supervisory authority) and Article 34 (communication to data subjects).
Specifically: (a) if a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO within 72 hours of becoming aware of the breach; (b) if a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify you, as an affected data subject, without undue delay, describing the nature of the breach, the likely consequences, the measures taken or proposed to address it, and providing contact details for further information.
We maintain an internal data breach register to record all actual and suspected breaches, the facts relating to each breach, its effects, and any remedial action taken. This register is maintained to demonstrate our accountability under UK GDPR Article 5(2).
If you suspect that your Account has been compromised or that your data has been accessed by an unauthorised party, please notify us immediately at admin@flashbill.co.uk. We will investigate and respond within 24 hours of receiving your report.
15. Changes to This Privacy Policy
We review this Privacy Policy periodically and may update it to reflect changes to our data processing practices, changes in the law, or improvements to the clarity of our disclosures. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
Where changes are material — meaning they affect your rights or the way we use your data in a significant way — we will notify you by email to your registered address at least fourteen (14) days before the updated policy takes effect. This gives you the opportunity to review the changes and, if you do not agree, to close your Account and request deletion of your data before the new policy comes into force.
Non-material changes (such as typographical corrections, improved explanations of existing practices, or the addition of clarificatory text) may be made without prior notice and will take effect immediately upon posting. The current version of this policy is always available at flashbill.co.uk/privacy.
16. How to Contact Us & Lodge a Complaint
For any questions, concerns, data subject access requests, or requests to exercise your rights under this policy, please contact us at:
Email: admin@flashbill.co.uk
Please use the subject line "Privacy Query", "DSAR", or the name of the specific right you wish to exercise (e.g., "Erasure Request") to ensure your message reaches the right person quickly. We aim to acknowledge all privacy queries within two (2) business days and to provide a full response within thirty (30) calendar days.
If you are not satisfied with our response, or if you believe we have handled your personal data in a manner that does not comply with the UK GDPR or the Data Protection Act 2018, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would, however, appreciate the opportunity to address any concern directly before you approach the ICO, and encourage you to contact us first so we can try to resolve the matter quickly.