Overview
FreeBillGen is a free hosted invoicing service at freebillgen.com. This policy explains what personal data we collect, why, who else sees it, how long we keep it, and the rights you have under EU law.
It is written to comply with Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Republic of Lithuania Law on Legal Protection of Personal Data. The next section identifies the data controller; the rest of the page covers each topic in turn.
Who is the data controller
The service is operated by MB Libranet, a small partnership based in Vilnius, Lithuania, which is the sole data controller under GDPR Article 4(7). For privacy enquiries, write to [email protected]. Full legal entity details, including registration and VAT codes, are on the company information page.
We have not appointed a Data Protection Officer because our processing does not meet the Article 37 thresholds. The person responsible for data protection is reachable at the email address above.
What data we process
We process the following limited categories of personal data, on the legal bases listed:
- Account data. Your name, email address, and a bcrypt-hashed password (or passkey public key). Lawful basis: Performance of contract - Art. 6(1)(b) GDPR.
- Invoice and client data you create. Only the data you choose to enter: client names, addresses, VAT numbers, line items, totals, payment status. Lawful basis: Performance of contract - Art. 6(1)(b) GDPR.
- Session and security cookies. A signed session cookie and a CSRF token cookie used to keep you signed in and to block forged requests. Lawful basis: Strictly necessary - Art. 6(1)(f), legitimate interests.
- Server logs. IP address, user-agent, and request metadata, retained briefly for abuse prevention and debugging. Lawful basis: Legitimate interests - Art. 6(1)(f) GDPR.
- VIES audit log. When you validate an EU buyer VAT ID, we store the request identifier, the queried country and number, and the response, as evidence under Council Regulation (EU) 904/2010 Article 31. Lawful basis: Legal obligation - Art. 6(1)(c) GDPR.
Some of this data is not yours but belongs to your invoice clients (Art. 14 GDPR). The source is you - we receive it only because you enter it into your invoices. We process it on the legal basis of our contract with you and on your legitimate interest as a business operator in keeping a tax-compliant invoice record.
We never sell your data. We do not share it with advertisers, brokers, or analytics networks, and we do not run any tracking, profiling, or behavioural targeting.
Sub-processors
We rely on a deliberately small set of sub-processors. None of them are advertising or analytics networks. Each is bound by a Data Processing Addendum and processes only the minimum data needed for its function.
SMTP2GO (transactional email)
When you send an invoice by email or receive a system notification, the message is dispatched through SMTP2GO via its EU region (mail-eu.smtp2go.com). Data shared: sender, recipient address, subject, body, and any attached PDF. SMTP2GO Inc. is established in New Zealand with EU infrastructure; transfers are covered by Standard Contractual Clauses.
Cloudflare Turnstile (bot protection)
The /login and /register forms render a Cloudflare Turnstile challenge to block automated abuse. The widget loads from challenges.cloudflare.com and exchanges a short-lived token with Cloudflare's siteverify endpoint. Data shared: your IP address, user-agent, and a one-time challenge token. Turnstile does not set tracking cookies and is not used for advertising. Cloudflare, Inc. is US-based; transfers are covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
bunny.net (font CDN)
The site loads two web fonts from fonts.bunny.net, a privacy-friendly font CDN operated by BunnyWay d.o.o. (Slovenia, EU). Data shared: your IP address and user-agent for the duration of the font request. See their privacy statement.
European Commission VIES (VAT validation)
When you validate a buyer VAT ID, the country code and VAT number you entered are sent to the European Commission's VAT Information Exchange System (VIES) at ec.europa.eu. The recipient is an EU institution; processing is governed by Regulation (EU) 2018/1725.
Hosting and PDF rendering (in-house)
The application runs on dedicated infrastructure inside the European Union. Invoice PDFs are rendered in-house using mPDF on our own servers. No third-party PDF-as-a-service or hosting reseller is involved.
No Google services. No Meta or Facebook pixels. No analytics SDKs. No third-party error-reporting services.
Data retention
Account and invoice data are retained while your account is active. On account deletion, all standard personal data is removed within 30 days, except where Lithuanian accounting law (which sets a 10-year retention period for invoice records) requires us to keep specific documents for longer - in which case those records are moved to an access-restricted archive and held only as long as legally required.
Server logs are retained for up to 30 days unless they are needed longer for an active security investigation. VIES audit-log rows are retained for at least 10 years to satisfy the evidentiary requirements of Council Regulation (EU) 904/2010.
Your rights under the GDPR
Under the GDPR you have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Where processing is based on consent, you may withdraw it at any time (Art. 7(3)).
You also have the right under Article 77 GDPR to lodge a complaint with a supervisory authority - typically the one in the EU/EEA country where you live, work, or where the alleged infringement took place. Because the operator is established in Lithuania, the lead authority is the State Data Protection Inspectorate of Lithuania (VDAI).
For a step-by-step guide on how to exercise each right, including timelines and what to put in a request, see the dedicated GDPR rights page.
Automated decision-making
FreeBillGen does not use automated decision-making or profiling within the meaning of Article 22 GDPR. No decision that produces legal or similarly significant effects on you is made solely by automated means. We do not score, rank, or profile users for advertising, credit, fraud, or any other purpose.
Data security
Technical and organisational measures (Art. 32 GDPR):
- Passwords stored as bcrypt hashes; passkeys (WebAuthn) supported.
- Optional time-based 2FA via any TOTP-compatible authenticator app.
- CSRF tokens on every state-changing request.
- Parameterised queries throughout - no string-concatenated SQL.
- HTTPS/TLS in transit; HTTP Strict Transport Security enabled.
- Content Security Policy and other hardening headers.
- Application-layer audit log for security-sensitive actions.
- Encrypted database backups with restricted access.
International transfers
Personal data is processed inside the European Union by default. Two of the sub-processors named in Section 04 may involve a transfer to a third country:
- Cloudflare Turnstile - transfers to the United States, covered by the EU-US Data Privacy Framework and the European Commission's Standard Contractual Clauses.
- SMTP2GO - the operating company is established in New Zealand (a country with a European Commission adequacy decision) and uses EU-region infrastructure for delivery. Where transfers occur, they are covered by Standard Contractual Clauses.
No other transfers to third countries take place. If this changes, we will rely on the appropriate GDPR Chapter V transfer mechanism and update this policy before the new transfer begins.
Children
FreeBillGen is a business tool and is not directed to children under 16. We do not knowingly collect personal data from children.
Changes to this policy
If we make material changes, we will publish the updated text on this page with a new "last updated" date and notify active accounts by email. The current version is identified by the date at the top of the page.
Contact
Privacy questions and rights requests: [email protected]. Postal address and full legal entity details are on the company information page.