Privacy Policy
Last Updated: 28 March 2026
1. Introduction
SwiftBill ("we," "our," or "us") is operated by Sheboftek, a sole proprietorship. We are committed to protecting your privacy and handling your personal data responsibly and transparently. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the SwiftBill mobile application (available on the Apple App Store) and our website at getswiftbill.app (collectively, the "Service").
SwiftBill is an invoicing and financial document management application designed for freelancers and small businesses operating in Saudi Arabia, the United Arab Emirates, and globally. By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to our collection, use, and disclosure of your information as described herein.
If you do not agree with this Privacy Policy, please do not use the Service.
2. Information We Collect
We collect different categories of information depending on how you interact with the Service. We adhere to the principle of data minimization and only collect information necessary to provide and improve the Service.
2.1 Account Information
When you create an account, we collect your email address and display name. If you use Apple Sign-In, we receive a unique identifier and, if you choose to share it, your name and email address. We also store authentication tokens for session management. We do not store or have access to your Apple ID password.
2.2 Business Profile Information
To generate professional documents, you may provide: business name, business address, phone number, email address, website URL, logo image, tax registration numbers (e.g., VAT number, commercial registration number), and bank or payment details for inclusion on invoices.
2.3 Client Information
You may store your clients' contact details within the app, including: client name, company name, email address, phone number, billing address, shipping address, and tax identification numbers. You are responsible for ensuring you have the right to store and process your clients' information.
2.4 Financial and Document Data
The Service processes financial and document data that you create, including: invoices, estimates, contracts, receipts, credit notes, and expense records. This data includes line item descriptions, quantities, unit prices, tax rates, discount amounts, currency codes, payment terms, due dates, and document status information. You retain full ownership of all documents and financial data you create.
2.5 Expense Data
If you use expense tracking, we process: expense categories, amounts, dates, merchant names, receipt images, approval status, and reimbursement records.
2.6 Analytics Data
We collect privacy-focused analytics via Mixpanel to understand how the Service is used and to improve its features. Analytics events track feature usage patterns (e.g., documents created, templates used, features accessed) without collecting personally identifiable information (PII). We do not send your name, email, phone number, or any business or client data to our analytics provider.
2.7 AI Interaction Data
When you use AI-powered features (text-to-document generation, receipt OCR scanning, contract Q&A wizard, or smart autofill), relevant portions of your input data are sent to Google Gemini for processing. This may include document text, line item details, business context, and receipt images. See Section 8 (AI Features and Data Processing) for full details.
2.8 Device and Technical Data
We may collect: device model, operating system version, app version, language preference, and general crash or error logs to diagnose technical issues. This data does not include personal identifiers.
3. How We Use Your Information
We use the information we collect for the following purposes, with the corresponding legal basis under the EU General Data Protection Regulation (GDPR):
Service Delivery and Contract Performance (Article 6(1)(b) GDPR)
To create, manage, and export invoices, estimates, contracts, receipts, credit notes, and expense records; to generate professional PDF documents using your chosen template; to sync your data across devices via cloud storage; to process subscription payments through Apple StoreKit; and to authenticate your identity and manage your account.
Legitimate Interests (Article 6(1)(f) GDPR)
To analyze aggregated, non-identifying usage patterns via Mixpanel to improve app features and user experience; to detect and prevent fraud, abuse, and security incidents; to send optional notification reminders for upcoming invoice due dates and payment follow-ups; and to provide customer support and respond to inquiries.
Consent (Article 6(1)(a) GDPR)
To process your data through AI-powered features (Google Gemini) when you explicitly choose to use them; and to send promotional communications, if you opt in.
Legal Obligation (Article 6(1)(c) GDPR)
To comply with applicable laws, regulations, legal processes, or enforceable governmental requests; to maintain records as required by financial regulations; and to respond to data subject access requests and other regulatory requirements.
4. How We Share Your Information
We do NOT sell your personal information. We have never sold personal information and have no plans to do so. We share your data only with the following third-party service providers, strictly to operate the Service:
Supabase (Authentication and Cloud Sync)
We use Supabase for user authentication (email sign-up and Apple Sign-In) and optional cloud data synchronization. Your account credentials, authentication tokens, and synced document data are stored on Supabase's hosted servers. Supabase employs industry-standard encryption for data in transit and at rest.
Supabase Privacy Policy
Mixpanel (Analytics)
We use Mixpanel, a US-based analytics platform, for privacy-focused event tracking. We send only aggregated feature usage events (e.g., "document_created," "template_selected"). No personally identifiable information, names, email addresses, financial data, or document content is sent to Mixpanel.
Mixpanel Privacy Policy
Google Gemini 2.5 Flash (AI Document Generation)
When you use AI features, relevant data is sent to Google's Gemini API for processing. This may include document text, line item descriptions, business context, and receipt images you provide. Google processes this data to generate or enhance your documents. We use Gemini via a server-side proxy to minimize direct exposure of your data. See Section 8 for full AI processing details.
Google Privacy Policy
Apple (Payments and Authentication)
Subscription payments are processed exclusively through Apple StoreKit 2 and the Apple App Store. We do not collect, process, or store your credit card number, bank account details, or other payment instrument information. Apple handles all payment processing in accordance with their privacy policy. Apple Sign-In provides us only with the information you authorize.
Apple Privacy Policy
Legal and Safety Disclosures
We may disclose your information if required to do so by law, in response to valid legal process (such as a court order or subpoena), to protect the rights, property, or safety of Sheboftek, our users, or the public, or to enforce our Terms of Service.
5. International Data Transfers
SwiftBill is operated by Sheboftek. Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our third-party service providers (Mixpanel, Supabase, Google) operate infrastructure.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, as well as any supplementary measures necessary to ensure an adequate level of data protection.
For users in Saudi Arabia and the UAE, data may be transferred outside the Kingdom of Saudi Arabia or the UAE in accordance with the requirements of the Saudi Arabia Personal Data Protection Law (PDPL) and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), respectively. We ensure that any cross-border transfer is subject to appropriate safeguards and contractual protections.
6. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law. Specific retention periods are as follows:
Account Data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
Documents (Invoices, Estimates, Contracts, Receipts, Credit Notes): Retained for the duration of your account. Local copies on your device are under your control. Cloud-synced copies are deleted within 30 days of account deletion.
Expense Records: Retained for the duration of your account and deleted within 30 days of account deletion.
Client Information: Retained for the duration of your account. Deleted when you remove the client record or delete your account.
Analytics Data: Aggregated, non-identifying analytics events are retained by Mixpanel in accordance with their data retention policy (typically up to 5 years). These events cannot be linked to individual users.
AI Interaction Data: Data sent to Google Gemini for AI processing is not stored by us after the response is returned. Google may retain data in accordance with their own data retention policies.
Server Logs and Security Data: Authentication logs and rate-limiting records are retained for up to 90 days for security and abuse prevention purposes.
Backup Copies: Backup copies of deleted data may persist in our encrypted backups for up to 30 additional days before being permanently purged.
7. Your Rights
Depending on your jurisdiction, you have specific legal rights regarding your personal data. We are committed to honoring all applicable rights and responding within the legally required timeframes.
7.1 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation. We will respond to your request within 30 days.
- Right of Access (Article 15) — Request a copy of all personal data we hold about you, including the purposes of processing and categories of data.
- Right to Rectification (Article 16) — Request correction of inaccurate or incomplete personal data. You can also update most data directly in the app.
- Right to Erasure ("Right to Be Forgotten") (Article 17) — Request deletion of your personal data. See Section 7.5 for the deletion process.
- Right to Restriction of Processing (Article 18) — Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Article 20) — Receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV).
- Right to Object (Article 21) — Object to processing based on legitimate interests, including analytics and profiling.
- Right to Withdraw Consent (Article 7(3)) — Withdraw consent at any time for processing activities based on consent (such as AI features), without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint — You have the right to lodge a complaint with your local data protection supervisory authority.
7.2 California, United States (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act. We will respond to your request within 45 days (with a possible 45-day extension if necessary).
- Right to Know — Request information about the categories and specific pieces of personal information we have collected, the sources from which we collected it, our business purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete — Request deletion of the personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out — You have the right to opt out of the "sale" or "sharing" of your personal information. As stated above, we do not sell or share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access levels.
- Right to Correct — Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information — Direct us to limit the use and disclosure of your sensitive personal information to what is necessary to perform the Service.
7.3 Saudi Arabia (Personal Data Protection Law — PDPL)
If you are a resident of the Kingdom of Saudi Arabia, you have the following rights under the Saudi Personal Data Protection Law (Royal Decree M/19, dated 9/2/1443H):
- Right to Be Informed — Know the legal basis and purpose for collecting your personal data.
- Right of Access — Access your personal data that we hold and obtain a copy in a clear and readable format.
- Right to Rectification — Request correction, completion, or updating of inaccurate or incomplete personal data.
- Right to Destruction — Request destruction of your personal data when it is no longer necessary for the purpose for which it was collected.
- Right to Withdraw Consent — Withdraw your consent to the processing of your data at any time.
- Right to Lodge a Complaint — File a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) if you believe your data rights have been violated.
7.4 United Arab Emirates (Federal Decree-Law No. 45 of 2021 — UAE PDPL)
If you are a resident of the United Arab Emirates, you have the following rights under the UAE Personal Data Protection Law:
- Right of Access — Request access to your personal data that we process, including the purposes and nature of processing.
- Right to Rectification — Correct, amend, or erase inaccurate or incomplete data.
- Right to Restrict Processing — Request that we stop or restrict the processing of your personal data.
- Right to Data Portability — Receive your personal data in a commonly used machine-readable format.
- Right to Object — Object to processing that may cause damage to you.
- Right to Lodge a Complaint — File a complaint with the UAE Data Office if you believe your data rights have been violated.
7.5 How to Request Data Deletion
You can request deletion of your personal data through either of the following methods:
- In-App: Navigate to Settings > Account > Delete Account. This immediately removes your account and all associated data from our servers.
- Email: Send a deletion request to support@getswiftbill.app with the subject line "Data Deletion Request." We will verify your identity and process the request within 30 days.
Upon deletion, all account data, documents, client records, expense records, business profiles, and synced data are permanently removed from our servers. Backup copies may take up to an additional 30 days to be fully purged. Data stored locally on your device is under your control and can be removed by uninstalling the app.
8. AI Features and Data Processing
SwiftBill offers optional AI-powered features using Google Gemini 2.5 Flash. These features are entirely opt-in — AI processing only occurs when you explicitly initiate an AI action.
AI Features Include:
- Text-to-document generation (natural language to invoice, estimate, or contract)
- Receipt OCR scanning (extracting data from receipt images)
- Contract Q&A wizard (interactive guided contract creation)
- Smart autofill (AI-suggested document fields based on context)
Data Sent to Google Gemini:
When you use an AI feature, we send the minimum necessary data to Google Gemini via a server-side proxy (Supabase Edge Function). This may include text you type, document context, line item details, and receipt images. We do not send your full account data, authentication tokens, or unrelated documents.
Consent and Control:
AI features require your explicit action to activate. You can use SwiftBill fully without ever using AI features. If you choose to use AI features, you consent to the processing of the relevant data by Google Gemini for that specific request.
Accuracy Disclaimer:
AI-generated content may contain errors, inaccuracies, or omissions. You are solely responsible for reviewing, verifying, and approving all AI-generated documents before sending them to clients or using them for any business or legal purpose. SwiftBill and Sheboftek accept no liability for errors in AI-generated content.
EU AI Act Transparency (Regulation (EU) 2024/1689):
In accordance with the EU AI Act, we disclose that SwiftBill uses a general-purpose AI model (Google Gemini 2.5 Flash) to assist with document generation. AI-generated or AI-assisted content within the app is labeled as such. The AI system is used as a productivity tool and does not make autonomous decisions with legal or financial consequences. All outputs require your review and explicit approval.
9. Tax Compliance Data
SwiftBill provides tools to assist with generating invoices and documents that include VAT calculations, QR codes (as required by ZATCA in Saudi Arabia), and tax identification numbers. We process tax-related data (VAT numbers, tax rates, compliance fields) solely to populate your documents as you direct.
Important Disclaimer: SwiftBill is NOT a certified tax compliance provider. We are not accredited, endorsed, or certified by the Zakat, Tax and Customs Authority (ZATCA), the UAE Federal Tax Authority (FTA), or any other governmental tax authority. SwiftBill does not provide tax, legal, or accounting advice. The tax calculations, QR codes, and compliance fields provided by the app are tools to assist you, but you are solely responsible for ensuring that your documents meet the legal and tax requirements of your jurisdiction. Always consult a qualified tax professional or accountant for compliance matters.
10. Document Export and Sharing
SwiftBill allows you to export documents as PDF files and share them via email, messaging apps, AirDrop, or shareable links. Once a document leaves the SwiftBill app (whether exported as a PDF, shared via a link, or sent through a third-party messaging service), it is outside of our control.
We are not responsible for the security, privacy, or distribution of documents after they have been exported or shared. You are responsible for ensuring that documents containing sensitive business or client information are shared securely and only with intended recipients.
Shared invoice links are generated with unique, non-guessable tokens. You may revoke a shared link at any time by disabling sharing for that document in the app.
11. Children's Privacy
SwiftBill is a business and financial document management tool intended for use by adults. The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us at support@getswiftbill.app and we will take steps to delete such information within 30 days.
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in Transit: All data transmitted between the app, our servers, and third-party services is encrypted using TLS (Transport Layer Security).
- Encryption at Rest: Data stored on our servers (Supabase) is encrypted at rest using industry-standard AES-256 encryption.
- Authentication Security: Login rate limiting with exponential backoff after failed attempts, password reset cooldowns (60-second minimum between requests), minimum 8-character password requirement, and secure nonce generation for Apple Sign-In.
- API Security: Rate limiting on all API endpoints, JWT-based authentication with token refresh, and server-side proxy for AI requests.
- Access Controls: Row-level security (RLS) on all database tables ensures users can only access their own data.
- Secure Sharing: Shared document links use unique, non-guessable tokens with proper URL encoding.
While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously review and update our security practices.
13. Do Not Track Signals
In compliance with the California Online Privacy Protection Act (CalOPPA), we disclose our response to Do Not Track (DNT) browser signals. SwiftBill does not track users across third-party websites or services. Our analytics (Mixpanel) do not use cookies for cross-site tracking within the mobile application. We honor Do Not Track signals and do not engage in behavioral tracking across websites.
14. Do Not Sell or Share My Personal Information
We do NOT sell your personal information. We do not sell, rent, lease, or trade your personal information to any third party for monetary or other valuable consideration. We do not share your personal information for cross-context behavioral advertising purposes. This applies to all users regardless of jurisdiction, including California residents under the CCPA/CPRA, EU residents under the GDPR, and residents of Saudi Arabia and the UAE.
15. Cookie Policy
Website (getswiftbill.app):
Our website may use essential cookies necessary for the functioning of the site (e.g., language preference). We do not use advertising cookies or third-party tracking cookies on our website. Any analytics on the website are privacy-focused and do not use cookies to identify or track individual visitors.
Mobile Application:
The SwiftBill iOS application does not use cookies. Data persistence within the app uses SwiftData (on-device) and Supabase (cloud sync) rather than browser-based cookies.
16. Subscription Information
SwiftBill offers auto-renewable subscription plans managed through the Apple App Store:
- Monthly Plan: $5.99/month with a 3-day free trial.
- Yearly Plan: $39.99/year with a 7-day free trial.
Payment will be charged to your Apple ID account at confirmation of purchase. The subscription automatically renews unless you turn off auto-renewal at least 24 hours before the end of the current period. Your account will be charged for renewal within 24 hours prior to the end of the current period at the same price. You can manage and cancel your subscriptions by going to your App Store account settings after purchase. Any unused portion of a free trial period, if offered, will be forfeited when you purchase a subscription.
17. User Content Ownership
You retain full ownership of all documents, data, and content you create using SwiftBill, including invoices, estimates, contracts, receipts, credit notes, expense records, business profiles, and client records. We do not claim any intellectual property rights over your content. We access and process your content solely to provide the Service as described in this Privacy Policy.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you via in-app notification or email for significant changes.
- Provide a summary of changes where practical.
Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or our data practices, please contact us:
Sheboftek
Email: support@getswiftbill.app
Website: https://getswiftbill.app
For GDPR-related inquiries or to exercise your data protection rights, please include "Data Protection Request" in the subject line of your email. We will respond to all data protection requests within 30 days (or 45 days for CCPA requests) of receiving your verified request.