Your bill, our promises.
This is the plain-English version of our privacy policy. We’ve tried to write it the way we’d explain it at a bus stop — no jargon, no get-out clauses.
- Your bill is deleted within seconds — it’s never written to a disk anywhere.
- We never collect your name, address, account number or full postcode.
- We don’t use tracking cookies, advertising pixels, or any third-party trackers.
- We use seven trusted services to run BillLuma — they’re all listed below by name.
- You can ask us to delete everything we hold about you at any time, and we will.
1. Who we are
BillLuma is currently operated by Gaurav Srivastava, a sole trader trading as BillLuma. We’re based in India and we serve UK households.
We’re the data controller for the personal information described in this policy — that means we decide what’s collected and what happens to it.
Later in 2026 we plan to incorporate as BillLuma Ltd, a UK limited company. When that happens, we’ll update this policy and email anyone on our mailing list to let them know.
We’re registered with the UK’s Information Commissioner’s Office under registration number (pending — to be added once issued).
2. What we collect
We collect different things at different points. Here’s the full list.
When you upload an energy bill
- The bill itself (PDF or image). It’s held in memory for roughly two to eight seconds while our parser reads it, then it’s gone. It’s never written to a hard drive, an object store, or any database.
- Six anonymised fields extracted from your bill: usage in kWh, your unit rate, your standing charge, your supplier’s name, the first half of your postcode (e.g. “M14”), and your property type. We use these to give you a useful comparison.
- Your IP address, kept only as a hash and only for 24 hours, so we can stop the service being abused. We allow five uploads per hour and twenty per day from any one address.
When you give us your email
- Your email address.
- The date you opted in, which page you opted in from, and the fact that you ticked the box. UK marketing law (PECR) requires us to keep this proof.
When you visit the site
- Anonymous, aggregate analytics via Plausible — pages visited and country of origin. No cookies. No fingerprinting. Your IP address is hashed and discarded; we never store it.
3. What we don’t collect
To be specific:
- Your name, unless you choose to tell us.
- Your full address or full postcode.
- Your energy account number with your supplier.
- Any bank or payment details — the service is free.
- Cookies for advertising, tracking, profiling or any non-essential purpose.
- Anything from third parties about you. We don’t buy data lists.
4. Why we collect it
UK GDPR requires us to have a lawful basis for using your data. Here are ours, by data type.
- The bill file itself — legitimate interest in giving you the service you’ve asked for. It’s deleted as soon as the parse is done, so there’s no ongoing processing.
- The six anonymised fields — legitimate interest in showing you a useful benchmark and improving the service over time.
- Your email address (if you give it) — your consent. You can withdraw it any time, and we’ll act on that without asking why.
- IP for rate limiting — legitimate interest in preventing abuse of a free service.
- Anonymous analytics — legitimate interest in understanding how the site is used. No personal data is involved.
5. How long we keep it
- The bill file: two to eight seconds, in memory only. Never written to disk.
- The six anonymised fields: while you have an account, or up to 24 months from your last visit if you don’t. Deleted on request.
- Your email address: until you unsubscribe, or until the list is no longer active.
- PECR opt-in proof: at least 24 months after you unsubscribe, because we may need to demonstrate to the ICO that the original opt-in was lawful.
- Rate-limiting records: 24 hours, then deleted.
- Anonymous analytics: rolling 12 months, then aggregated and discarded.
6. Who else sees it
BillLuma is built on a small set of services, each chosen for a specific job. Every one of them is bound by a data processing agreement that limits what they can do with your data. Here’s the full list.
| Service | What it does | Where | What it sees |
|---|---|---|---|
| Vercel | Hosts the website | USA | Page traffic and request metadata |
| Supabase | Database and accounts | Frankfurt, EU | Email address and the six anonymised fields |
| Anthropic | Reads the bill (AI parser) | USA | Bill content, only for the seconds the parse takes — never stored, never used for training |
| Resend | Sends our emails | Ireland, EU | Email address, send and delivery events |
| Upstash | Rate-limits abuse | EU | Hashed IP address for 24 hours |
| Plausible | Anonymous analytics | EU | Page visits and country — no IP, no cookies |
| Cloudflare | Email routing for hello@billluma.co.uk | Distributed | Inbound email metadata and contents |
We don’t sell your data. We don’t share it with advertisers, brokers, or anyone outside the list above.
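The rate limit described in section 2 (five uploads per hour, twenty per day, keyed on a hashed IP that Upstash holds for 24 hours) is the one piece of this policy that is also a mechanism, so here is an added illustration of how such a limiter can be built. This is example code, not BillLuma’s own, and it makes two assumptions the policy does not state: the IP is hashed with a server-side secret (HMAC) rather than a plain hash, because a bare SHA-256 of an IPv4 address can be reversed by trying all 2^32 values, and IPv6 clients are counted per /64 so one subscriber cannot dodge the limit by rotating addresses. The in-memory store, the secret and the sample addresses are all constructed for the example.

```python
"""Illustrative upload rate limiter keyed on a keyed hash of the client IP.

Added example, not BillLuma's code. The secret, the in-memory store and the
IPv6 /64 grouping are assumptions for the illustration; the limits and the
24-hour retention follow the policy text.
"""
import hashlib
import hmac
import ipaddress
import time

HOUR = 3600
DAY = 24 * HOUR
# (window in seconds, maximum uploads in that window), as stated in the policy
LIMITS = ((HOUR, 5), (DAY, 20))
# Illustrative server-side secret; in production it lives outside the code
SECRET = b"example-only secret, rotated on the same 24h cycle as the records"


def ip_key(ip: str, secret: bytes = SECRET) -> str:
    """HMAC the normalised address so the stored key cannot be brute-forced
    back to an IP without the secret (a plain hash of an IPv4 address can).
    IPv6 is collapsed to its /64 so one subscriber shares one bucket."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        addr = ipaddress.ip_network(f"{addr}/64", strict=False).network_address
    return hmac.new(secret, addr.packed, hashlib.sha256).hexdigest()


class UploadLimiter:
    """Sliding-window counters per hashed IP; nothing older than 24h is kept."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so behaviour can be tested
        self.events = {}        # hashed key -> list of upload timestamps

    def check(self, ip: str) -> bool:
        """Record the upload and return True if allowed, else return False."""
        key = ip_key(ip)
        t = self.now()
        # Drop anything outside the 24h retention window on every touch
        stamps = [s for s in self.events.get(key, []) if t - s < DAY]
        for window, limit in LIMITS:
            if sum(1 for s in stamps if t - s < window) >= limit:
                self.events[key] = stamps
                return False
        stamps.append(t)
        self.events[key] = stamps
        return True

    def purge(self) -> None:
        """Housekeeping: delete keys with no uploads in the last 24 hours."""
        t = self.now()
        for key in list(self.events):
            kept = [s for s in self.events[key] if t - s < DAY]
            if kept:
                self.events[key] = kept
            else:
                del self.events[key]


if __name__ == "__main__":
    clock = [1_000_000.0]
    limiter = UploadLimiter(now=lambda: clock[0])
    results = [limiter.check("203.0.113.7") for _ in range(6)]
    print(results)  # five allowed, sixth refused within the same hour
```

The point of the keyed hash is that the 24-hour record stored by the rate limiter is useless to anyone who obtains it without the secret, which is what makes the policy’s “hashed IP address” claim meaningful rather than cosmetic.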
7. International transfers
Two of our processors — Vercel and Anthropic — are based in the United States. The bill content is therefore briefly processed in the US during the parse, and our website traffic is served from US infrastructure.
These transfers are covered by the EU’s Standard Contractual Clauses (SCCs) together with the UK’s International Data Transfer Addendum to them, which are the legally-recognised mechanisms for moving personal data outside the UK and EU.
BillLuma itself is operated from India. The personal data we hold (your email and the six anonymised fields) lives in our EU-region database — it doesn’t sit on a laptop in Delhi.
8. Your rights
Under UK GDPR you have the following rights, free of charge:
- Right of access — see what we hold about you.
- Right to rectification — correct anything that’s wrong.
- Right to erasure — have us delete everything (sometimes called “the right to be forgotten”).
- Right to data portability — get your data in a portable, machine-readable format.
- Right to object or restrict processing — tell us to stop using your data for a particular purpose.
- Right to withdraw consent — for marketing emails, with one click. No questions asked.
To use any of these, email hello@billluma.co.uk and we’ll respond within 30 days. We won’t ask for ID unless we genuinely can’t verify it’s you — and even then, we’ll ask for as little as possible.
9. Children
BillLuma is for UK adult households. We don’t knowingly collect personal data from anyone under 18. If you think a child has used our service or given us their email address, please email hello@billluma.co.uk and we’ll delete it immediately.
10. Changes to this policy
If we change anything material — particularly anything that affects what we collect, how long we keep it, or who else sees it — we’ll do two things:
- Email everyone on our list with a plain-English summary of what’s changing and why.
- Post a notice on the site for at least 30 days before the change takes effect.
Small clarifications and typo fixes will just appear in the next version, with the date updated at the top.
11. Contact and complaints
For anything privacy-related — questions, requests, complaints, the lot:
Email us first: hello@billluma.co.uk
We aim to reply within three working days, and we’ll always acknowledge your message even if a full response takes longer.
Not happy with our response?
You have the right to complain to the UK’s data protection regulator. They are:
The Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 0303 123 1113
Web: ico.org.uk
You’re welcome to go to them directly — but if you give us a chance to put it right first, we’ll do our best to.