Privacy Policy
Last updated: 12 June 2026
1. Data controller
The FastFaktura service is operated by HIPPOCAMPE DIGITAL LTD, a company registered in England and Wales (No. 17143837), with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. VAT: Not VAT registered. Personal data contact: privacy@fastfaktura.io. No data protection officer (DPO) or EU representative has been appointed. For all privacy enquiries, please contact us at the address above.
2. Purpose
This policy describes how FastFaktura collects, uses and protects personal data in providing its CRM and billing service (the "Service"), in accordance with the General Data Protection Regulation (GDPR) and applicable data protection law. It applies to account holders and recipients of invoices and communications sent via the Service.
3. Data collected and account
In connection with the Service, we process the following categories of data:
- Account data: email address, company name, country, VAT or company number, language preferences.
- Client data: information you store about your own clients (name, email, phone, address, notes), for which you act as data controller and FastFaktura as processor.
- Billing data: invoice content, amounts, payment status, send and reminder history.
- Technical data: connection logs, IP address, user agent, session identifiers, necessary for Service security.
- Presence and visit data: when you browse the website, a session identifier is sent to our servers via a presence heartbeat (/api/presence/heartbeat), along with your IP address, user agent and approximate geolocation (country, city) derived from your IP. This data is used for security, fraud and abuse prevention (legitimate interest) and is not used for advertising.
4. Subscription and payment via Stripe
Subscription payments and invoice collections are processed by Stripe Payments Europe, Ltd., acting as payment service provider. Card data is transmitted directly to Stripe and never passes through our servers. Stripe processes this data in accordance with its own privacy policy and PCI-DSS standards. We only retain technical transaction identifiers and payment statuses needed to manage your subscription and invoices.
5. Purposes and legal bases (GDPR / UK GDPR)
We process personal data for the following purposes:
- Provision of the Service and account management — contract performance.
- Subscription billing and collection — contract performance and legal obligations.
- Sending invoices, reminders and login codes — contract performance.
- Security, fraud and abuse prevention — legitimate interest.
- Compliance with accounting and tax obligations — legal obligation.
Data is retained for the duration of the contractual relationship, then archived or deleted in accordance with legal retention periods (including 10 years for accounting records). After account termination, account data is deleted within 30 days, except where legal retention applies.
6. Email and SMS opt-out
Each email sent via the Service contains an unsubscribe link and each SMS indicates an opt-out procedure. When a recipient exercises this right, their address or number is added to a channel-specific block list and further sends to that recipient are automatically blocked. This list is kept as long as necessary to honour the recipient's choice.
7. Your rights
Under the GDPR, you have the right of access, rectification, erasure, restriction, objection and portability regarding your personal data. You may exercise these rights via the Contact page; we respond within one month. You also have the right to lodge a complaint with the ICO (ico.org.uk) in the United Kingdom or the CNIL (cnil.fr) in the European Union.
8. Sub-processors and hosting
We use the following sub-processors to provide the Service. The list may be updated; material changes will be notified to account holders.
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Vultr Holdings LLC | Cloud hosting and infrastructure | Stockholm, Sweden (EU) | Processing within the European Economic Area |
| Stripe Payments Europe, Ltd. | Subscription billing and invoice payment collection | Dublin, Ireland (EU) | Processing within the European Economic Area |
| Resend, Inc. | Transactional email delivery | United States | Standard Contractual Clauses (SCCs) and provider commitments |
| Sinch AB | SMS delivery (primary provider) | Stockholm, Sweden (EU) | Processing within the European Economic Area |
| Infobip Ltd. | SMS delivery (fallback provider) | United Kingdom / EU | Processing within the European Economic Area |
| ip-api.com (IP geolocation) | IP geolocation for visit analytics and security | United States | Legitimate interest; limited data (IP address only) |
The Service is hosted on dedicated infrastructure operated by Vultr Holdings LLC in Stockholm, Sweden (European Union). Application data is stored in PostgreSQL on the same infrastructure.
9. Termination and data deletion
If you cancel your subscription, you have 30 days to export your data (clients, invoices, history). After this period, data is deleted from our production systems, then from backups according to their rotation cycle, except data whose retention is required by law.
10. Governing law and contact
This policy is governed by English law, without prejudice to mandatory rights of EU residents under the GDPR. For any data protection questions, contact privacy@fastfaktura.io or the Contact page. We may update this policy; in case of material changes, account holders will be notified by email before the changes take effect.