GDPR Compliance
SubPaid is committed to protecting the privacy of our European Union users in accordance with the General Data Protection Regulation (GDPR).
Your Data Rights Under GDPR
As an EU resident, you have specific rights regarding your personal data. Here's how SubPaid honors these rights.
Right to Access
You can request a copy of all personal data we hold about you at any time.
Right to Rectification
You can request correction of any inaccurate or incomplete personal data.
Right to Erasure
You can request deletion of your personal data, subject to legal retention requirements.
Right to Data Portability
You can request your data in a machine-readable format to transfer to another service.
Data Controller
SubPaid, Inc. acts as the Data Controller for personal data processed through our platform. For any GDPR-related inquiries, contact our Data Protection Officer:
Email: dpo@subpaid.com
Address: SubPaid, Inc., 123 Main Street, San Francisco, CA 94102, USA
Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract Performance: To provide our invoicing services as agreed
- Legitimate Interest: To improve our services and prevent fraud
- Consent: For marketing communications and optional features
- Legal Obligation: To comply with tax and financial regulations
Data Processing Activities
We process the following categories of personal data:
- Identity Data: Name, business name, email address
- Financial Data: Invoice details, payment information
- Technical Data: IP address, browser type, device information
- Usage Data: How you interact with our platform
- AI Processing Data: Photos for Snap-to-Invoice, voice recordings for SAM Agent
International Data Transfers
SubPaid is based in the United States. When we transfer personal data from the EU to the US, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Technical and organizational security measures
Sub-Processors
We use the following third-party services to process your data:
- Amazon Web Services (AWS): Cloud infrastructure and data storage
- Stripe: Payment processing
- OpenAI: AI processing for Snap-to-Invoice and Payment Prophet
- Twilio: Voice services for SAM Voice Agent
- SendGrid: Email delivery
All sub-processors are contractually bound to process data in accordance with GDPR requirements.
Data Retention
We retain your personal data for as long as necessary to provide our services and comply with legal obligations:
- Active Accounts: Data retained while account is active
- Closed Accounts: Data deleted within 90 days of account closure
- Financial Records: Retained for 7 years for tax compliance
- Marketing Data: Deleted upon withdrawal of consent
Automated Decision-Making
SubPaid uses AI for the following automated processes:
- Snap-to-Invoice: Automated extraction of invoice details from photos
- Payment Prophet: Prediction of payment timing based on historical data
These processes do not produce legal effects or similarly significant effects on you. You can always review and edit AI-generated content before use.
Exercise Your Rights
To exercise any of your GDPR rights, please contact our Data Protection Officer. We will respond to your request within 30 days.
Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. For a list of EU data protection authorities, visit the European Data Protection Board website.