Privacy Policy

About us
1. ASDF Consulting (Pty) Ltd (trading as "Bill") is a private company registered and operating in accordance with the laws of the Republic of South Africa, and situated at Block 2 Blaauwklip Office Park, Webersvallei Road, Stellenbosch, Western Cape, 7600.
About this privacy policy
1. The purpose of this policy ("Privacy Policy") is to communicate how we process personal information relating to identifiable natural persons or existing juristic persons ("Personal Information"), and to share certain information required in terms of the Protection of Personal Information Act 4 of 2013 ("POPIA").
2. This Privacy Policy describes how we process Personal Information in connection with our legal billing automation platform (the "Platform"), which assists legal practitioners (our "Users") in tracking billable time by importing email and calendar metadata and content for client-matter matching, receiving billing instructions via WhatsApp and in-app chat, and generating time entries and invoices. The Platform is accessible via our website at app.bill.co.za.
3. We may update this Privacy Policy from time to time by publishing a revised version on https://bill.co.za/privacy-policy, which shall take effect on the date of publication. Please be sure to keep yourself up to date with our latest Privacy Policy.
4. This Privacy Policy should be read with any agreements, terms, policies and the like published by us in relation to the Platform. To the extent that any other binding document may conflict with our Privacy Policy, the former shall prevail.
5. Should you have any questions about this Privacy Policy or how we process your Personal Information, you are welcome to contact us at privacy@bill.co.za (the "Privacy Mailbox").
6. The Platform is not intended for use by persons under the age of 18. We do not knowingly collect Personal Information from minors. If you become aware that a person under 18 has submitted Personal Information to us, please notify us at our Privacy Mailbox and we will take steps to delete such information promptly.
The types of Personal Information we process and how we obtain it
1. We process certain Personal Information as a responsible party in connection with the creation and management of user accounts on the Platform, the rendering of services to Users, and the conduct of direct marketing to prospective Users, as further detailed in Annexure A.
2. We also process certain Personal Information in our capacity as an operator on behalf of our Users, including Personal Information contained in communications processed through the Platform, such as emails, calendar events, and WhatsApp or in-app chat messages, which may relate to our Users' own clients and other third parties. In doing so, we act on our Users' instructions, and only to the extent necessary to provide the services through the Platform. We do not use this Personal Information for our own purposes, and we treat all such information as confidential and subject to appropriate security safeguards, as further described under section 7 below.
3. Where you choose to connect an email inbox or a calendar to the Platform, we will request your authorisation to access that account. Once connected, the Platform will have ongoing access to emails and / or calendar events in that account for the purpose of importing and processing email and calendar data to identify billable work, generate suggested time entries, associate items with client matters, and assist you in preparing invoices and billing records. You may revoke this access at any time through your account settings on the Platform or through your email or calendar provider, although doing so will prevent the Platform from processing that data for billing purposes.
4. The Platform also allows you to record and send voice notes, which are transcribed and processed for the purpose of generating billing records and time entries. This feature requires access to your microphone, which the Platform will request permission to use. We will only access your microphone if you grant such permission, and you may revoke it at any time through your device or browser settings, although doing so will prevent you from using the voice note feature.
Use of cookies and similar technologies
1. We may use cookies and similar technologies, such as local storage and session storage in your browser, to keep you signed in, preserve any work in progress (for example, an active timer or a sign-up, payment, or account-connection flow), and help the Platform function correctly. These technologies may collect basic device or usage information which in some cases may constitute Personal Information. We do not use cookies or similar technologies for advertising, marketing, or cross-site tracking.
2. Our marketing website may use cookieless web analytics to understand how visitors find us. This does not place cookies on your device or collect Personal Information.
3. You can manage or clear cookies and browser storage at any time through your browser settings. Doing so may sign you out of the Platform, lose any work in progress, or otherwise affect how the Platform functions.
Your right to update, correct, or delete your information
1. You have the right to request access to the Personal Information we hold about you, to ask that any inaccurate, irrelevant, excessive, outdated, incomplete, or misleading Personal Information be corrected or updated, and to request deletion of Personal Information that you believe we are not permitted to retain.
2. If you wish to exercise any of these rights, please contact us at our Privacy Mailbox.
3. To delete your User Account and request erasure of your associated Personal Information, you may use the account deletion function within the Platform, or submit a written request to our Privacy Mailbox. We will action your request within 30 days of receipt, subject to any retention obligations imposed by applicable law.
Your right to object to the processing of your Personal Information
1. You have the right to object to the processing of your Personal Information where such processing is based on our legitimate interests, your legitimate interests, or those of a third party, and there are reasonable grounds in your particular circumstances which justify the objection.
2. If you wish to object to the processing of your Personal Information as described under this heading, kindly contact us at our Privacy Mailbox.
Storage and security of your Personal Information
1. We implement technical and organisational measures, in compliance with the requirements of applicable law, to ensure that the Personal Information in our possession remains confidential and secure against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. Such measures include:
  1. encrypting Personal Information during transmission over public networks, and encrypting Personal Information at rest at the storage layer;
  2. implementing strict authentication controls and access restrictions, limiting access to Personal Information to authorised personnel and systems on a least-privilege basis;
  3. the use of reputable third-party hosting and infrastructure providers who implement industry-standard security controls;
  4. automated daily backups, with point-in-time recovery capability, to prevent data loss;
  5. logging and monitoring of system activity to detect and respond to security events; and
  6. subjecting personnel with access to Personal Information or production systems to contractual confidentiality obligations.
2. You acknowledge and agree however that there are inherent risks to the security of data in the use of electronic services. We accordingly do not guarantee that your Personal Information cannot ever be compromised, and you accept this risk by engaging with us.
3. We retain Personal Information for as long as your User Account is active and for a period of 30 days following termination thereof, after which such information will be deleted or anonymised unless a longer retention period is required by applicable law or necessary for the resolution of disputes. You may download a copy of your Personal Information using the data export function within the Platform at any time while your User Account is active and may further request a copy thereof within 30 days following termination of your User Account by writing to our Privacy Mailbox.
How we share your Personal Information
1. Subject to compliance with POPIA, we may disclose your Personal Information as requested by you or as strictly necessary, including disclosure to:
  1. cloud hosting and infrastructure providers who support the operation of the Platform, including the storage and processing of account data;
  2. artificial intelligence and machine-learning providers used to provide a chat interface, process billing instructions and generate billing suggestions;
  3. payment processing services for subscription billing;
  4. messaging and communication service providers, including WhatsApp messaging gateway and transactional email delivery services;
  5. accounting platforms that you choose to connect to the Platform (optional and initiated by you);
  6. professional advisers, consultants, or auditors who assist us in fulfilling our governance and compliance obligations; and
  7. other third parties where disclosure is required or permitted by law.
2. Some of our service providers are located outside of South Africa, and accordingly certain Personal Information provided to us will be transferred outside of South Africa. We will only do so in accordance with the requirements for the lawful transfer of Personal Information outside of South Africa, as set out in section 72 of POPIA.
Direct marketing
1. We may, with your express consent, send you direct marketing communications about the Bill platform and our services.
2. We only send direct marketing to prospective Users who have expressly consented under section 69(1)(a) of POPIA. Before sending any marketing material, we first send a consent-request communication that:
  1. asks you to give express consent to receive marketing from us;
  2. describes the services about which we intend to communicate; and
  3. allows you to specify your preferred method of communication.
3. If you do not respond affirmatively to our consent request, we will not contact you again.
4. You may withdraw your consent to receive direct marketing at any time by contacting us at our Privacy Mailbox or by following the unsubscribe instructions in any marketing communication you receive. Withdrawal of consent will not affect the lawfulness of any marketing sent prior to withdrawal.
How to contact the Information Regulator
1. Section 74(1) of POPIA provides that any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the protection of the Personal Information of a data subject.
2. Contact information of the Information Regulator:

Postal address	JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Telephone number	+27 (0) 10 023 5200
Fax number	086 500 3351
Email address	helpdesk@inforegulator.org.za
Website	https://eservices.inforegulator.org.za/

Annexure A: Categories of Personal Information and processing purposes

Type	Source	Purpose of collection and consequences of failure to provide the information
Full name, email address, and phone number.	Full name and email address are collected from the User during Google or Microsoft OAuth login. Phone number is collected later during WhatsApp verification in the setup flow, and is optional.	Used to create and manage the User's account on the Platform and to authenticate the User. Without this information, an account cannot be created.
Practice entity details: legal name, entity type, VAT registration number, physical address, and bank account details (bank name, branch code, account number, and account holder name).	Directly from the account owner during the post-registration onboarding flow, or via account settings. Bank account details for refund processing may also be supplied by the User by email when requesting a refund under our Refund Policy.	Used to associate billing records and invoices with the correct practice entity, to populate invoice documents generated by the Platform, and to process refunds under our Refund Policy where applicable. Without this information, invoices generated by the Platform cannot include the required practice entity or payment details.
Account role (owner, member, or assistant) and billing rate per hour.	Account role is assigned by the inviter (owner or assistant) when adding a user to an account, with the initial owner role assigned implicitly on account creation. Billing rate is set by the account owner during onboarding for their own membership, and by the inviter or member themselves thereafter.	Used to calculate the value of time entries and to manage User permissions within the account. Without this information, billing rates cannot be calculated and platform access cannot be appropriately scoped.
Authentication credentials: OAuth login tokens; password hashes where applicable.	Generated during the Google or Microsoft OAuth authentication process. Tokens are encrypted at rest using application-layer encryption backed by Google Cloud KMS.	Used to authenticate the User and to maintain a secure session on the Platform. Without this information, the User cannot log in or use the Platform.
Name, contact identifier (email address or LinkedIn profile URL), law firm or practice name, and marketing preferences (consent status and preferred communication channel).	Sourced from publicly available professional directories, published firm websites, or publicly visible LinkedIn profiles. Marketing preferences and consent status are recorded from prospective Users who respond affirmatively to our consent-request email or LinkedIn direct message.	Used to send information about the Bill platform to prospective Users who have expressly opted in under section 69(1)(a) of POPIA. Providing this information is voluntary. If consent is not given, no marketing is sent and contact details are not retained. You may withdraw consent at any time by contacting us at our Privacy Mailbox or by replying to any marketing communication asking to be removed.