Legal

Privacy Policy

Last updated: 11 March 2026 · Effective immediately

This Privacy Policy explains how FlashBill collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

FlashBill is operated as a sole trader business based in England. We are the data controller for personal data collected through our service at flashbill.co.uk.

For any privacy-related queries, contact us at admin@flashbill.co.uk.

2. Data We Collect

Data Type	What We Collect	Purpose
Account Data	Name, email address, password (hashed)	Account creation and authentication
Business Data	Company name, address, VAT number, UTR number, CIS status	Invoice generation and compliance
Bank Details	Sort code, account number (encrypted)	Bank transfer information on invoices
Invoice Data	Client names, addresses, invoice amounts, line items	Core invoicing functionality
Payment Data	Stripe payment references (no card numbers stored)	Payment processing
Usage Data	IP address, browser type, pages visited	Security and service improvement

3. Legal Basis for Processing

We process your personal data on the following legal bases:

Contract performance — to provide the FlashBill service you have signed up for
Legitimate interests — to improve our service, prevent fraud, and ensure security
Legal obligation — to comply with applicable UK laws and regulations
Consent — for marketing communications (you can withdraw at any time)

4. How We Use Your Data

To provide, maintain, and improve the FlashBill service
To generate invoices and process payments on your behalf
To send you service-related emails (account verification, password reset)
To send onboarding and product update emails (with your consent)
To detect and prevent fraudulent or unauthorised activity
To comply with our legal obligations

5. Data Security

We take security seriously. Your bank details (sort code and account number) are encrypted using industry-standard AES encryption before being stored in our database. Passwords are hashed using bcrypt and never stored in plain text.

Our infrastructure is hosted on Railway (EU region) with PostgreSQL databases. All data is transmitted over HTTPS/TLS.

We use two-factor authentication (2FA) options to help you protect your account.

6. Data Sharing

We do not sell your personal data. We share data only with trusted third-party service providers:

Stripe — payment processing (their Privacy Policy applies)
Postmark — transactional email delivery
Railway — cloud hosting and infrastructure
Sentry — error monitoring (anonymised)

We may disclose your data if required by law or to protect the rights and safety of FlashBill and its users.

7. Data Retention

We retain your account data for as long as your account is active. Invoice data is retained for 7 years to comply with HMRC record-keeping requirements for UK businesses.

If you close your account, we will delete your personal data within 30 days, except where we are required to retain it by law.

8. Your Rights (UK GDPR)

Under UK GDPR, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Portability — receive your data in a structured, machine-readable format
Restriction — ask us to restrict processing of your data
Objection — object to processing based on legitimate interests
Withdraw consent — at any time for consent-based processing

To exercise any of these rights, contact us at admin@flashbill.co.uk. We will respond within 30 days.

9. Cookies

We use cookies to maintain your session and for essential functionality. For full details, please see our Cookie Policy.

10. International Transfers

Your data is processed and stored within the UK and EEA. Where we use third-party services that may transfer data internationally, we ensure appropriate safeguards are in place.

11. Children's Privacy

FlashBill is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children.

12. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email of significant changes. The latest version is always available at flashbill.co.uk/privacy.

14. Contact

For any privacy questions or to exercise your rights, contact us at admin@flashbill.co.uk.