Privacy Policy and Personal Data Management

Effective date: October 1, 2023

Last updated: March 11, 2026

Article 1. Purpose of this Charter

The purpose of this charter is to inform you about the means we implement to collect your personal data, in the strictest respect of your rights.

Billabex complies, in the collection and management of your personal data, with Law No. 78-17 of January 6, 1978 relative to information technology, files and freedoms, in its current version, known as “Informatique et Libertés”, and Regulation (EU) 2016/679 of April 27, 2016, as soon as it comes into application (hereinafter: “GDPR”).

Article 2. Identity of the Data Collection Controller

The controller for the collection of your personal data is the company Billabex, a SAS registered in the Paris Trade and Companies Register under No. 984 298 505, with its registered office at 26 RUE BOSQUET, 75007 PARIS France (referred to herein as: “We”).

Article 3. Data Protection Officer

We have appointed a data protection officer, whom you can contact via our contact form: (for the attention of the dpo).

Article 4. Our Collection Methods

The personal data we collect and process depend on how you interact with us among which:

  • a “User”, meaning you have an account on the Billabex platform;
  • a “Client”, meaning you are the holder of a subscription contract for the Billabex platform;
  • a “Visitor” when you visit the site https://www.billabex.com, participate in our webinars and other digital events, contact us directly (through our forms on the site, by email or during physical events for example), download a white paper or interact with us in any way without being a User or a Client;
  • an “Account Contact” (or “Third-Party Contact”), meaning you are a contact person for a debtor account managed by a Billabex User for payment follow-up purposes.

Article 5. What We Collect

Depending on how you interact with us, the data we are likely to collect are as follows.

Users

When you are a User, the following categories of personal data may be collected:

  • Identification data, for example your last name, first name, email address;
  • User Content, namely the content you transmit to Billabex, including invoices, emails, and financial data (invoice amounts, payment status, credit notes, outstanding balances);
  • Connection data, for example your login identifier and password as well as any data necessary to maintain your connection to the platform;
  • Device data, for example, the model of the device used, the version of the browser used, the screen resolution;
  • your IP address;
  • Usage data, for example, application logs, technical logs and any other data that allow us to keep a history of visits and actions performed on the platform;
  • Location data (for support only);
  • Support data, including the content of the support ticket or exchanges on the support chat;
  • Physical/billing address data, including street address, city, postal code, state/province, and country;
  • Business identifiers, including tax identification numbers (e.g., VAT numbers), business registration numbers (e.g., SIRET, company number), and legal company names;
  • Organization data, including your organization’s name and email domain;
  • Email communication metadata, including sender and recipient addresses and display names, email subject lines, full email body content (text and HTML), email protocol identifiers (messageId, references, inReplyTo), send/receive timestamps, and delivery status history;
  • Language preference for platform communications.

Clients

When you are a Client or a contact person for a Client, the following categories of personal data may be collected as part of our business relationship:

  • Identification data, for example your last name, first name, email address;
  • Contract Data, including the type of subscription, billing details.

Visitors

When you are a Visitor, the following categories of personal data may be collected:

  • Identification data, for example your last name, first name, email address;
  • Device data, for example, the model of the device used, the version of the browser used, the screen resolution;
  • Browsing data, for example, the pages you visit on the site https://billabex.com;
  • your IP address;
  • Location data;
  • Chat data, if you use the chat present on https://billabex.com;
  • additional third-party information relative to your professional activity.

Account Contacts (Third-Party Contacts)

When you are a contact person for a debtor account managed on the Billabex platform by one of our Users, the following categories of personal data may be collected:

  • Identification data, for example your last name, first name, email address;
  • Professional data, including your role or job title within the debtor company;
  • Physical/billing address data, including street address, city, postal code, state/province, and country;
  • Business identifiers, including tax identification numbers (e.g., VAT numbers), business registration numbers (e.g., SIRET, company number), and legal company names;
  • Language preference for communications;
  • Notes and free-text content, which may include additional personal information provided by the User;
  • Primary contact status, indicating whether you are the main contact for the account;
  • Financial data related to invoices and credit notes associated with your account (amounts, payment status, balances);
  • Email communication metadata, including correspondence between you and the User’s AI agent (sender/recipient addresses, subject lines, email content, timestamps, delivery status).

Account Contacts are individuals or representatives of companies whose invoices are being managed for payment follow-up on behalf of the User’s organization. This data is collected either through integration with billing tools (Pennylane, Zoho Books) or manually entered by Users.

AI Agent Identities

Each organization using Billabex is assigned an AI agent (automated bot) that performs receivables management tasks on behalf of the User. These AI agents are equipped with generated identities including:

  • Generated personal identity: first name, last name, and email address (using the @revoptim domain);
  • Gender attribution: for the purpose of generating appropriately gendered communications in languages that require grammatical agreement (such as French).

Important clarification: These AI agent identities are entirely fictional and AI-generated. They do not represent real natural persons. The names, email addresses, and gender attributions are synthetic identities created solely to enable professional email communications with debtor contacts. As such, this data does not constitute personal data of natural persons under data protection regulations, but is disclosed here for transparency purposes.

Account Contacts should be aware that they may receive communications from these AI agents, which act on behalf of the User organization to manage payment follow-ups and related account activities.

We inform you, during the collection of your personal data, if certain data must be mandatory or if they are optional. Mandatory data are necessary for the operation of our services. Regarding optional data, you are completely free to provide them or not. We also indicate what the possible consequences of a failure to respond are.

Article 6: Origin of Data Collection

We can collect personal data in two different ways:

Either directly from you:

  • voluntarily when you fill in collection fields;
  • automatically, when you use the Platform or browse the sites.

Or indirectly:

  • either from other users of our services;
  • either from our technical partners providing an integration service;
  • either from third parties (notably if you use the Single Sign On functionality to connect to the Platform);
  • from our business partners;
  • from our marketing partners, when you download a white paper from a third-party site (for example from a social network).

In the event that partners or third parties collect other personal data, they would be solely responsible for compliance with their legal and regulatory obligations for this collection and processing that they carry out by themselves, with their own means and for their own needs.

Article 7. For What Purposes Do We Collect Your Data?

Depending on how you interact with us, our processing pursues the following purposes, associated with the legal basis of the collection.

Users

PurposeAssociated Legal Basis
Service Performance as described in our General Conditions ; Provision of user support ; Sending communications relative to new features (“Product Communications”) and changes to our Terms of UseProcessing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject.
Monitoring Usage of the Platform ; Aggregation and analysis of data for the purposes of improving the Platform and Services ; Detection, prevention and resolution of technical bugs ; Informing users about their use of the Platform, the management of their account and any instructions sent by email (for example for email address validation) ; Constitution and management of a User databaseProcessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Management and processing of requests to exercise the rights of natural persons. ; Processing rendered necessary to ensure our compliance with applicable laws and regulationsProcessing is necessary for compliance with a legal obligation to which the controller is subject.

Client

PurposeAssociated Legal Basis
Service Performance as described in our General Conditions ; Managing Clients regarding Contracts, orders, invoices, loyalty programs, follow-up of the relationship with clients. ; Provision of Client support ; Sending information notices relative to the change of Terms and Conditions ; Sending information notices relative to the Subscription Contract, including the expiration or renewal of a subscription, or any other instruction rendered necessary for the performance of the ServicesProcessing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject.
Constitution and management of Client database ; Detection and prevention of fraud attempts ; Management of unpaid debts and litigation ; Organization of campaigns and/or commercial operations (for example referral system) excluding gambling subject to authorization ; Sending communications relative to our offers and services related to those for which you are already a client unless you do not wish to receive them ; Developing commercial statisticsProcessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Sending communications relative to our offers and services as well as our new content and organization of events ; Processing having another purpose requiring your consentThe data subject has consented to the processing of their personal data for one or more specific purposes.
Management and processing of requests to exercise the rights of natural persons. ; Processing rendered necessary to ensure our compliance with applicable laws and regulationsProcessing is necessary for compliance with a legal obligation to which the controller is subject.

Visitor

PurposeAssociated Legal Basis
Responding to a request from contact forms or following the sending of an email from you or following a contact during a digital or physical event or via any other channelProcessing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject.
Aggregation and analysis of data relative to the navigation of the Billabex.com site to establish attendance statistics ; Adapting the content of the Billabex.com site to the characteristics you have provided (for example site language), which Billabex may be aware of and - if applicable - to your previous browsing ; Constitution and management of a prospecting database ; Management of marketing communication and conduct of prospectingProcessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Sending communications relative to our offers and services as well as our new content and organization of events ; Processing having another purpose requiring your consentThe data subject has consented to the processing of their personal data for one or more specific purposes.
Management and processing of requests to exercise the rights of natural persons. ; Processing rendered necessary to ensure our compliance with applicable laws and regulationsProcessing is necessary for compliance with a legal obligation to which the controller is subject.

Account Contacts (Third-Party Contacts)

PurposeAssociated Legal Basis
Payment follow-up and debt collection services on behalf of the User’s organization ; Sending communications regarding outstanding invoices and payment reminders ; Account management and maintaining business relationshipsProcessing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject (the User who contracted Billabex for receivables management services).
Legitimate interest in debt collection and receivables management services ; Management of business relationships with debtor accounts ; Prevention of payment defaults and fraud detectionProcessing is necessary for the purposes of the legitimate interests pursued by the controller (debt collection and receivables management) or by a third party (the User organization).
Management and processing of requests to exercise the rights of natural persons. ; Processing rendered necessary to ensure our compliance with applicable laws and regulationsProcessing is necessary for compliance with a legal obligation to which the controller is subject.

Article 8. Recipients of the Collected Data

The authorized and qualified personnel of our company, the services in charge of control (auditor in particular) and our subcontractors will have access to your personal data. Public bodies may also be recipients of personal data, exclusively to meet our legal obligations, court officers, and ministerial officers. The bodies in charge of debt collection may be recipients of data relative to the buyer’s payment only.

Article 9. Transfer of Personal Data

Your personal data will not be subject to transfers, rentals or exchanges for the benefit of third parties.

Article 10. Retention Period of Personal Data

(i) Regarding data relative to client and prospect management: Your personal data will not be kept beyond the time strictly necessary for the management of our commercial relationship with you. However, data allowing to establish the proof of a right or a contract, which must be kept under compliance with a legal obligation, will be kept for the period provided for by the law in force. Regarding possible prospecting operations for clients, their data may be kept for a period of three years from the end of the commercial relationship. Personal data relative to a prospect, non-client, may be kept for a period of 3 (three) years from their collection or the last contact from the prospect. At the end of this three-year period, we will be able to contact you again to find out if you wish to continue receiving commercial solicitations.

(ii) Regarding identity documents: In case of exercise of the right of access or rectification, data relative to identity documents may be kept for the period provided for in Article 9 of the Code of Criminal Procedure, i.e., one year. In case of exercise of the right to object, these data may be archived for the limitation period provided for in Article 8 of the Code of Criminal Procedure, i.e., three years.

(iii) Regarding data relative to bank cards: Financial transactions relative to the payment of purchases and fees via the Solution are entrusted to a payment service provider who ensures their smooth running and security. For the needs of the services, this payment service provider may be brought to receive your personal data relative to your bank card numbers, which it collects and stores, in our name and on our behalf. We do not have access to these data. To allow you to regularly make purchases or to settle the related fees on the Solution, your bank card data are kept during the time of your registration on the Solution and at the very least, until the moment you perform your last transaction. By having checked the box expressly provided for this purpose on the Solution, you give us your express consent for this storage. The data relative to the CVV2 code, written on your bank card, are not stored. If you refuse that your personal data relative to your bank card numbers be stored under the conditions specified above, we will not store these data beyond the time necessary to allow the transaction to take place. In any event, the data relative to these may be kept, for a purpose of proof in case of possible contestation of the transaction, in intermediate archives, for the period provided for by Article L 133-24 of the Monetary and Financial Code, in this case 13 months following the date of debit. This period can be extended to 15 months to take into account the possibility of using deferred debit payment cards.

(iv) Regarding the management of opt-out lists from prospecting: The information allowing to take into account your right to object are kept for at least three years from the exercise of the right to object.

(v) Regarding cookies: The retention period for the cookies referred to in Article 13 is 13 months.

Article 11. Security

We inform you we take all useful precautions, organizational and technical measures appropriate to preserve the security, integrity and confidentiality of your personal data and notably, prevent them from being distorted, damaged or that unauthorized third parties have access to them. We also resort to secure payment systems conforming to the state of the art and applicable regulations. The security measures implemented by Billabex are detailed on the dedicated page.

Article 12. Hosting

We inform you that your data are kept and stored, for the entire duration of their conservation, on the servers of the company Amazon Web Service. These servers are located in Ireland.

Article 13. Cookies

Cookies are text files, often encrypted, stored in your browser. They are created when a user’s browser loads a given website: the site sends information to the browser, which then creates a text file. Each time the user returns to the same site, the browser retrieves this file and sends it to the website’s server. The Solution uses different types of cookies, which have different purposes:

  • Technical cookies are used throughout your browsing to facilitate it and perform certain functions. A technical cookie can for example be used to remember the answers filled in a form or the preferences of the user regarding the language or the presentation of a website, when such options are available. These cookies are essential for the performance of the service. Among these technical cookies, several third-party cookies are used to offer functionalities based on services external to the Solution: for the connection buttons set up on the home page: Google, Microsoft; for access to customer support: CRISP; for the captcha set up on the registration page: Google reCAPTCHA.

  • Audience analysis cookies allow us to measure the number of visits to the Solution, the number of page views and the use of site functionalities for statistical purposes. This information base then allows us to improve the product and your user experience on our site, by better understanding our users’ expectations. Your IP address is also collected to determine the city from which you connect. Among these audience analysis cookies, several third-party cookies are used: Google Analytics, Mixpanel, Sentry.

  • Marketing cookies allow us to better understand our clients’ use of the Solution to bring them personalized support compared to their experience of the Solution, and the use they make of it. These cookies also allow adapting our communication policy to each client. Among these marketing cookies, several third-party cookies are used: LinkedIn, Facebook, Google Ads, Outbrain.

We remind you for all intents and purposes that it is possible for you to object to the deposit of cookies by configuring your browser. Such a refusal could, however, prevent the proper functioning of the Solution.

Article 14. Access to Your Personal Data

In accordance with the “Informatique et Libertés” law and the GDPR, you have the right to obtain communication and, if necessary, rectification or erasure of the data concerning you, through online access to your file.

You can also contact:

  • contact form: for the attention of the dpo
  • postal address: 26 RUE BOSQUET, 75007 PARIS France

The persons whose data are collected on the basis of our legitimate interest, as mentioned in Article 4, are reminded that they can at any time object to the processing of the data concerning them. We may, however, be brought to pursue the processing if there are legitimate grounds for the processing that prevail over your rights and freedoms or if the processing is necessary to establish, exercise or defend our rights in court.

Article 15. Right to Define Directives Relative to Data Processing After Your Death

You have the right to define directives relative to the retention, erasure and communication of your personal data after your death.

These directives can be general, meaning they then bear on all the personal data concerning you. They must in this case be registered with a digital trusted third party certified by the CNIL.

The directives can also be specific to the data processed by our company. It is then appropriate to transmit them to us at the following coordinates:

  • contact form: for the attention of the dpo
  • postal address: 26 RUE BOSQUET, 75007 PARIS France

By transmitting such directives to us, you expressly give your consent for these directives to be kept, transmitted and executed according to the terms provided herein.

You can designate in your directives a person in charge of their execution. This person will then have the capacity, when you are deceased, to take knowledge of said directives and ask us for their implementation. Failing designation, your heirs will have the capacity to take knowledge of your directives at your death and ask us for their implementation. You can modify or revoke your directives at any time by writing to us at the coordinates above.

Article 16. Portability of Your Personal Data

You have a right to the portability of the personal data you have provided to us, understood as the data you have declared actively and consciously in the context of access and use of the services, as well as the data generated by your activity in the context of use of the services. We remind you that this right does not bear on data collected and processed on another legal basis than consent or performance of the contract binding us.

This right can be exercised free of charge, at any time, and notably during the closure of your account on the Platform, to recover and keep your personal data. In this framework, we will send you your personal data, by any means judged useful, in a standard open format commonly used and machine-readable, in accordance with the state of the art.

Article 17. Lodging a Complaint Before a Supervisory Authority

You are also informed that you have the right to lodge a complaint with a competent supervisory authority (la Commission Nationale Informatique et Libertés for France), in the Member State in which your habitual residence, your place of work or the place where the violation of your rights would have been committed is located, if you consider that the processing of your personal data object of this Charter constitutes a violation of the applicable texts.

This recourse may be exercised without prejudice to any other recourse before an administrative or jurisdictional court. Indeed, you also have a right to an effective administrative or jurisdictional recourse if you consider that the processing of your personal data object of this Charter constitutes a violation of the applicable texts.

Article 18. Limitation of Processing

You have the right to obtain the limitation of the processing of your personal data in the following cases:

  • During the verification period we implement, when you contest the accuracy of your personal data;
  • When the processing of these data is unlawful, and you wish to limit this processing rather than delete your data;
  • When we no longer need your personal data, but you wish for their retention to exercise your rights;
  • During the verification period of legitimate grounds, when you have opposed the processing of your personal data.

Article 19. Modifications

We reserve the right, at our sole discretion, to modify this charter at any time, in total or in part. These modifications will come into force from the publication of the new charter.

Your use of the Solution following the coming into force of these modifications will be worth recognition and acceptance of the new charter. Failing this and if this new charter does not suit you, you must no longer access the Solution.