Privacy Policy
Effective date: February 24, 2025
Last updated: March 9, 2026
1. Scope
This Privacy Policy explains how Diffbill collects, uses, discloses, and safeguards information when you use our website, application, and related services.
2. Information We Collect
- Account data: name, email, and account identifiers.
- Auth and integration data: OAuth provider identifiers and encrypted tokens.
- Billing and subscription data: plan tier, subscription status, and Stripe customer references.
- Product data: connected repository metadata, selected work sources, invoice drafts, and settings.
- Analytics data: page views and navigation events (via Google Analytics), feature usage events such as flows started and steps completed (via PostHog), error and exception reports, and optional AI usage metadata. When LLM tracing is enabled, we may redact prompt and response content to protect sensitive data.
- Usage and diagnostic data: request metadata and operational logs.
- Support data: messages sent through support/contact channels.
3. How We Use Information
- Provide, maintain, and secure the service.
- Authenticate users and manage access controls.
- Generate and manage invoice workflows and billing-related features.
- Improve the product: we use analytics to build useful features, fix bugs, understand usage patterns, and improve reliability and user experience. We do not sell this data.
- Detect fraud, abuse, and security incidents.
- Communicate service updates and respond to support requests.
- Comply with legal obligations and enforce terms.
4. Legal Bases (Where Applicable)
Where required by law, we process personal data under one or more legal bases, including contract performance, legitimate interests, compliance obligations, and consent (when consent is specifically requested).
5. Sharing and Disclosure
We do not sell personal information. We may share information with:
- Service providers and subprocessors: PostHog (product analytics) and Google Analytics (page view analytics), Vercel (hosting and web vitals), Stripe (payments), and communications providers.
- Integration providers you authorize (for example GitHub, Stripe).
- Professional advisors and auditors under confidentiality obligations.
- Authorities or counterparties when required by law, legal process, or to protect rights and safety.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy, to comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on data category and account status.
7. Security
We use administrative, technical, and organizational safeguards designed to protect information. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
8. International Data Transfers
Your data may be processed in countries other than your own. Where required, we apply appropriate safeguards for cross-border transfers.
9. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, export, or restrict certain processing of your data.
To submit a request, email privacy@diffbill.com. We may verify identity before fulfilling requests where required.
10. Cookies and Similar Technologies
We use cookies and similar technologies for session management, security, and optional product analytics. Necessary cookies support Better Auth sessions, GitHub OAuth redirects, and related security protections. Analytics cookies or similar storage are used only when you allow analytics.
Your cookie preference is stored in a first-party cookie and shared across `www.diffbill.com` and `app.diffbill.com`, so you do not have to make the same choice twice. You can change your choice at any time from the cookie preferences controls in the product or website footer.
| Cookie / storage | Purpose | Category |
|---|---|---|
| diffbill_consent | Stores your analytics preference once for both diffbill subdomains. | Necessary |
| better-auth.session_token | Maintains your authenticated session in the core app. | Necessary |
| Better Auth OAuth security cookies | Supports GitHub sign-in flows, callback verification, and request integrity. | Necessary |
| PostHog cookies / local storage | Measures product usage, navigation, and client-side failures after you opt into analytics. | Analytics |
| Google Analytics cookies / local storage | Measures page views and navigation events after you opt into analytics. | Analytics |
11. Children's Privacy
Diffbill is not directed to children under 13, and we do not knowingly collect personal information from children under 13.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material updates will be reflected by revising the Last updated date and publishing the new version.
13. Contact
Privacy questions and data requests: privacy@diffbill.com