GDPR Information

Last updated May 7, 2026

This page summarizes how ebill.digital approaches GDPR roles, rights, security, processors, and data transfers for merchants, buyers, and website visitors.

1. Roles

ebill.digital generally acts as an independent controller for its own website, account, billing, security, analytics, and support activity. For buyer fiscal data that a merchant asks ebill.digital to process in order to create invoices, ebill.digital generally acts as processor and the merchant acts as controller.

2. Processing Instructions

Merchants instruct ebill.digital to collect fiscal checkout data, receive Stripe payment events, prepare invoice records, send invoice data to selected fiscal providers, retry failed work, record audit events, and make documents or status information available in the dashboard.

3. Categories of Data Subjects

  • Merchant users and team members.
  • Buyers who complete hosted fiscal checkout pages.
  • Developers using ebill.digital API tokens and checkout sessions.
  • Website visitors and people who submit contact forms.

4. Categories of Personal Data

  • Identity and contact data, including names, emails, phone numbers, and business details.
  • Fiscal data, including tax identifiers, billing addresses, invoice recipient details, and document metadata.
  • Payment references and Stripe event data needed to match payments to invoice work.
  • Authentication, security, log, support, and audit data.
  • Cookie consent and optional Google Analytics data for public pages.

5. Subprocessors

ebill.digital uses subprocessors and third-party providers to operate the service. These may include hosting, database, storage, email, monitoring, security, Stripe, Google Analytics, and merchant-selected fiscal providers. We require providers to protect personal data in a way that fits their role and the nature of the processing.

6. Security Measures

  • Stripe Connect OAuth instead of collecting merchant Stripe secret keys for production access.
  • Signed sessions, CSRF protection, rate limiting, and secure browser headers.
  • Webhook signature verification and merchant-specific webhook ownership records.
  • Audit events for invoice lifecycle and provider attempts.
  • Access controls for authenticated merchant dashboard areas.
  • Operational logging, retry controls, and monitored work queues.

7. International Transfers

If personal data is transferred outside the EEA, we rely on appropriate transfer safeguards such as adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms offered by the relevant provider.

8. Assistance With Rights Requests

When ebill.digital acts as processor, we help merchants respond to valid data subject requests where reasonably possible and where the request relates to data processed through ebill.digital. Buyers should usually contact the merchant they purchased from first.

9. Deletion and Return

On account closure or written request, we delete or return personal data where technically and legally possible. Some fiscal, accounting, security, dispute, and audit records may need to be retained for legally required periods.

10. Contact

GDPR questions can be sent through our contact form.