Privacy Policy – Annexure A

Categories of Personal Information and processing purposes

This annexure forms part of our Privacy Policy. It sets out, for each category of Personal Information we process as a responsible party, the type of information collected, where it comes from, and why we process it.

01 Account holder identity
Who you are and how to reach you.
What we collect
Full name, email address, and phone number. Where the User authenticates via Google OAuth, a profile photograph URL (a link to the User's Google profile picture, provided by Google) may also be stored.
Where it comes from
Full name and email address are collected from the User during Google or Microsoft OAuth login. The profile photograph URL, where available, is provided by Google as part of the OAuth response; Users cannot upload a profile photograph directly to the Platform. Phone number is collected later during WhatsApp verification in the setup flow, and is optional.
Why we collect it
Used to create and manage the User's account on the Platform and to authenticate the User. The profile photograph, where available, is used to personalise the User's display in the Platform interface. Without this information, an account cannot be created.
02 Practice entity and payment details
Your firm's legal and banking details for invoice generation.
What we collect
Practice entity details: legal name, entity type, VAT registration number, physical address, and bank account details (bank name, branch code, account number, and account holder name).
Where it comes from
Directly from the account owner during the post-registration onboarding flow, or via account settings.
Why we collect it
Used to associate billing records and invoices with the correct practice entity, and to populate invoice documents generated by the Platform. Without this information, invoices generated by the Platform cannot include the required practice entity or payment details.
03 Role and billing rate
Your position in the account and your hourly rate.
What we collect
Account role (owner, member, or assistant) and billing rate per hour.
Where it comes from
Account role is assigned by the inviter (owner or assistant) when adding a user to an account, with the initial owner role assigned implicitly on account creation. Billing rate is set by the account owner during onboarding for their own membership, and by the inviter or member themselves thereafter.
Why we collect it
Used to calculate the value of time entries and to manage User permissions within the account. Without this information, billing rates cannot be calculated and platform access cannot be appropriately scoped.
04 Authentication and integration credentials
Login tokens, plus the tokens that let the Platform read your connected inbox and calendar.
What we collect
Two distinct sets of credentials are stored, each on a separate record. (i) Platform login credentials: OAuth login tokens issued for sign-in to the Platform, and password hashes where the User registered with email and password rather than OAuth. (ii) Connected integration tokens: OAuth access and refresh tokens for each email or calendar account the User has separately connected to the Platform (Gmail, Google Calendar, or Microsoft Outlook covering mail or calendar).
Where it comes from
Platform login tokens are generated during the Google or Microsoft OAuth sign-in flow, or password hashes are derived from the password the User sets at registration. Connected integration tokens are issued by the provider (Google or Microsoft) when the User authorises the Platform to access a specific email inbox or calendar through a separate OAuth consent flow inside the Platform. All tokens are encrypted at rest using application-layer encryption backed by Google Cloud KMS.
Why we collect it
Platform login credentials are used to authenticate the User and maintain a secure session on the Platform; without them, the User cannot log in. Connected integration tokens are used to read the User's connected email and calendar on the User's behalf so that the Platform can import emails and calendar events for billing purposes (the underlying email and calendar content is processed as further described in clause 3.2 of the Privacy Policy). The User may revoke a connected integration at any time through the Platform's account settings or through the provider; revoking it deletes the relevant tokens from the Platform.
05 Subscription billing data
Payment card summary and subscription status from Paystack.
What we collect
Subscription billing data: the last four digits, brand, and channel of the User's payment card; the User's email address as recorded against the payment record; Paystack transaction and subscription identifiers; billing address (where provided); and subscription metadata (plan, status, billing period, trial end, and cancellation date). Where the User requests a refund, the User may also supply bank account details (bank name, branch code, account number, and account holder name).
Where it comes from
Card details are entered by the User directly into a payment form hosted by our payment provider (Paystack); the Platform never receives or stores the full card number, expiry date, CVV, cardholder name, or reusable card token. The Platform stores only the data Paystack returns; subscription metadata is refreshed by webhook when charges, renewals, and cancellations occur. Refund bank account details, where supplied by email, are held only in the support email thread for the duration of the refund.
Why we collect it
Used to charge the User for their subscription, manage renewals and failed-payment retries, reflect subscription status, and reconcile payments. Refund bank account details, where supplied, are used solely to process the refund by electronic funds transfer and are deleted afterwards. Without this information, the User cannot subscribe to or be charged for the Platform.
06 Direct marketing prospects
Contact details for opted-in prospective users only.
What we collect
Name, contact identifier (email address or LinkedIn profile URL), law firm or practice name, and marketing preferences (consent status and preferred communication channel). Where a prospect is added by Bill staff through our internal admin tools, a phone number may also be recorded for internal reference; we do not send direct marketing by phone.
Where it comes from
Sourced from publicly available professional directories, published firm websites, or publicly visible LinkedIn profiles. Marketing preferences and consent status are recorded from prospective Users who respond affirmatively to our consent-request email or LinkedIn direct message. Phone numbers, where recorded, are entered manually by Bill staff or imported from the same publicly available sources or from prior business contact.
Why we collect it
Used to send information about the Bill platform to prospective Users who have expressly opted in under section 69(1)(a) of POPIA. Providing this information is voluntary. If consent is not given, no marketing is sent and contact details are not retained. You may withdraw consent at any time by contacting us at our Privacy Mailbox or by replying to any marketing communication asking to be removed.