Privacy policy
Last updated: March 31, 2026. This policy explains how PIXEL LABS SOLUTIONS SLU (hereinafter "Billora" or "we") processes personal data when you use the website billora.app and related services (the "Service"), in line with Regulation (EU) 2016/679 (GDPR) and applicable Spanish data protection law (LOPDGDD).
1. Data controller
- Legal name: PIXEL LABS SOLUTIONS SLU
- Tax ID (CIF): B22907570
- Registered address: C/ Trinidad Grund 21, 6-81, 29001 Málaga (Spain)
- Trade registry: Registro Mercantil de Málaga
- Contact email: soporte@billora.app
- Data Protection Officer (DPO): dpo@billora.app
2. Data we collect
Depending on how you use the Service, we may process:
- Identity and contact data: name, email, phone, tax ID, billing or company details.
- Account data: login credentials (securely hashed), account preferences, user and organisation identifiers.
- Usage and technical data: IP address, browser type, device, pages viewed, timestamps, security and performance logs.
- Content you enter in the application: tax, customer, invoicing, case file, clinical, payroll or other data you upload as part of the Service.
- Payment data: credit card details are processed directly by Stripe, Inc. and never stored on our servers.
- Communications: messages you send us (support, contact form, email).
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and maintain your account, deliver the Service, billing and support | Art. 6(1)(b) — Contract performance |
| Improve security, analyse aggregated usage, prevent fraud, operational communications | Art. 6(1)(f) — Legitimate interests |
| Tax and accounting retention, VeriFactu/AEAT compliance | Art. 6(1)(c) — Legal obligation |
| Non-essential cookies, optional marketing | Art. 6(1)(a) — Consent |
4. Retention
We retain data for the duration of the contractual relationship and, afterwards, for the legally required periods: 4 years for tax obligations, 5 years for accounting records, 3 years for civil liability, and the relevant period under health regulations for clinical data. After these periods, data is deleted or irreversibly anonymised.
5. Recipients and processors
We may share data with:
- Infrastructure and hosting providers: to host the platform and backups.
- Transactional email: Resend, for Service notifications and emails.
- Payment gateway: Stripe, Inc. for card payment processing.
- Web analytics: aggregated analytics tools, subject to consent where applicable.
- OCR and document processing: invoice/receipt data extraction services.
- Public authorities: AEAT (VeriFactu, SII), Social Security or others when required by law.
All processors operate under contracts compliant with Article 28 GDPR with appropriate security and confidentiality safeguards.
6. International transfers
Some providers may be located outside the European Economic Area (EEA). In such cases, we implement appropriate safeguards under the GDPR: Standard Contractual Clauses (Commission Decision 2021/914), applicable adequacy decisions (such as the EU-US Data Privacy Framework), or, exceptionally, the derogations under Art. 49 GDPR.
7. Security
We implement technical and organisational measures in line with the state of the art and the Spanish National Security Framework (ENS), including: TLS encryption in transit, encryption at rest for sensitive data, role-based access controls, access auditing, encrypted backups, and periodic security reviews. No system is perfectly secure; please report suspected security issues to dpo@billora.app.
8. Your rights
Under the GDPR and LOPDGDD, you may exercise the following rights at any time:
- Access (Art. 15): obtain confirmation and a copy of your data.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data where applicable.
- Restriction (Art. 18): request temporary restriction of processing.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interests.
- Withdraw consent: at any time, without retroactive effect.
- Not be subject to automated decisions (Art. 22).
To exercise your rights, email dpo@billora.app with your request, identifying yourself with your name and account email. We respond within one month, extendable as legally permitted.
If you believe your rights have not been properly addressed, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) — C/ Jorge Juan 6, 28001 Madrid, Spain.
9. Cookies and similar technologies
We use cookies as described in our Cookie policy. You can manage preferences via our cookie banner or your browser settings.
10. Health data processing
When the user uses the Clinic module, patient health data is treated as a special category (Art. 9 GDPR). The legal basis is the patient's explicit consent or the necessity for preventive medicine, diagnosis, healthcare or treatment purposes under Art. 9(2)(h) GDPR. This data is stored with enhanced security measures.
11. Children
The Service is not directed at children under 16. We do not knowingly collect data from minors without the consent of their legal representative. If you believe we have collected a child's data without authorisation, contact dpo@billora.app for immediate deletion.
12. Changes
We may update this policy to reflect legal, technical or Service changes. We will post the current version on this page with the update date. For material changes affecting your rights, we will notify you by email or prominent notice within the Service.
13. Contact
For any privacy or data protection questions:
- DPO: dpo@billora.app
- General support: soporte@billora.app
- Postal address: PIXEL LABS SOLUTIONS SLU, C/ Trinidad Grund 21, 6-81, 29001 Málaga (Spain)
