← Back to home

Privacy Policy

Last updated: February 12, 2026

1. Introduction

BillMint ("we", "our", or "us") operates the BillMint.io website and platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit our website, create an account, or use our Service.

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: name, email address, and password when you create an account, or your Google account profile information if you sign in with Google
  • Billing information: payment card details and billing address, processed securely by our payment provider Stripe. We do not store your full card number on our servers.
  • Business data: client names, contact information, project details, time tracking entries, invoices, hourly rates, and reports you create within the Service
  • Communications: information you provide when contacting us for support or feedback

2.2 Information Collected Automatically

When you access or use the Service, we automatically collect:

  • Device information: browser type and version, operating system, device type, screen resolution, and language preferences
  • Usage data: pages visited, features used, buttons clicked, time spent on pages, navigation patterns, and referring URLs
  • Session recordings: we may record your interactions with the Service (such as mouse movements, clicks, scrolls, and page content) to understand how users interact with our product and to improve the user experience. Sensitive form fields (such as passwords and payment details) are automatically masked and are not captured in recordings.
  • Log data: IP address, request timestamps, API response codes, and error information for debugging and security purposes
  • Location data: approximate geographic location derived from your IP address and timezone settings

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including time tracking, invoicing, and payment processing
  • Create and manage your account, authenticate your identity, and maintain session security
  • Process subscription payments, manage billing cycles, and send transaction-related communications
  • Send you service-related emails including account verification, password reset, invoice delivery, and subscription notifications
  • Analyze usage patterns and user behavior to improve the Service's features, performance, and user experience
  • Monitor and debug technical issues using structured logs and error tracking
  • Detect, prevent, and address fraud, abuse, security incidents, and technical problems
  • Comply with legal obligations and enforce our Terms of Service

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information when you use the Service. Cookies are small data files placed on your device by your web browser.

4.1 Types of Cookies We Use

  • Essential cookies (strictly necessary): required for basic functionality such as authentication, session management, and security. These cannot be disabled without breaking core features.
  • Analytics cookies: used by our analytics provider (PostHog) to understand how visitors interact with the Service. These cookies track page views, feature usage, and user journeys across sessions. They help us identify which features are most used and where users encounter issues.
  • Session replay cookies: used to record and replay user sessions to understand user interactions. These cookies enable us to see how users navigate the Service so we can improve the experience.

4.2 Managing Cookies

Most web browsers allow you to control cookies through their settings preferences. You can configure your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you disable essential cookies, some parts of the Service may not function properly. You may also opt out of PostHog tracking by enabling your browser's "Do Not Track" setting or by using a browser-based opt-out mechanism.

4.3 Do Not Track Signals

We honor Do Not Track (DNT) browser signals. When DNT is enabled, our analytics tools will not track your activity.

5. Third-Party Service Providers

We use trusted third-party service providers to operate the Service. These providers may have access to your personal information only to perform specific tasks on our behalf and are obligated to protect it.

  • Supabase: authentication and database services. Stores your account data, business data, and application data. Data is encrypted at rest and in transit.
  • Stripe: payment processing. Handles all credit card and subscription billing securely. Stripe is PCI-DSS Level 1 compliant. See Stripe's Privacy Policy.
  • PostHog: product analytics and session recording. Collects usage data, behavioral events, and session recordings to help us improve the product. PostHog may create user profiles based on your activity. See PostHog's Privacy Policy.
  • Axiom: application logging and monitoring. Receives structured log data for debugging and performance monitoring. Logs are sanitized to remove personally identifiable information (PII) before transmission.
  • Vercel: hosting and content delivery. Serves the application and may process request metadata (IP addresses, headers) as part of normal web hosting. See Vercel's Privacy Policy.
  • Google: OAuth authentication. If you choose to sign in with Google, we receive your name, email address, and profile picture from Google. See Google's Privacy Policy.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:

  • Service providers: with the third-party vendors listed in Section 5, solely for the purpose of providing the Service
  • Legal requirements: when required by applicable law, regulation, subpoena, court order, or other legal process
  • Safety and protection: to protect the rights, property, or safety of BillMint, our users, or the public, including to enforce our Terms of Service and prevent fraud
  • Business transfers: in connection with a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, in which case your personal information may be transferred to the acquiring entity
  • With your consent: when you have given us explicit permission to share your information for a specific purpose

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest in our database systems
  • PII sanitization in application logs to prevent accidental exposure
  • Secure authentication with hashed passwords and session management
  • Regular security monitoring through structured logging and error tracking
  • Payment information handled exclusively by PCI-DSS Level 1 compliant Stripe

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Account data: retained while your account is active and for 30 days after account deletion to allow for recovery
  • Business data: time entries, invoices, clients, and projects are deleted when you delete your account
  • Payment records: transaction records may be retained as required by financial regulations and tax law
  • Analytics data: aggregated and anonymized usage data may be retained indefinitely for product improvement purposes
  • Log data: application logs are retained for up to 30 days for debugging purposes and are then automatically purged

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention).

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate or incomplete data
  • Right to erasure: request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: request that we limit the processing of your data in certain circumstances
  • Right to data portability: request a copy of your data in a structured, commonly used, machine-readable format
  • Right to object: object to the processing of your personal data for certain purposes, including direct marketing and profiling
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at privacy@billmint.com. We will respond to your request within 30 days.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our service providers (including Supabase, Stripe, PostHog, Axiom, and Vercel) may store and process data in the United States or other jurisdictions. By using the Service, you consent to the transfer of your information to these countries, which may have different data protection laws than your jurisdiction.

Where required by applicable law, we ensure appropriate safeguards are in place for international data transfers, such as Standard Contractual Clauses approved by the European Commission.

11. Legal Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal basis for processing your personal information includes:

  • Performance of a contract: processing necessary to provide the Service you requested (account management, time tracking, invoicing, payment processing)
  • Legitimate interests: processing necessary for our legitimate business interests, such as product analytics, fraud prevention, security monitoring, and improving the Service, where these interests are not overridden by your rights
  • Consent: where you have given specific consent for a particular purpose, such as receiving marketing communications
  • Legal obligation: processing necessary to comply with applicable laws and regulations

12. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take immediate steps to delete that information. If you believe we have inadvertently collected information from a child under 16, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date at the top. For significant changes, we may also send you a notification via email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: