Privacy Policy

Who we are

Bilingo is operated by Visionstar B.V. (trading as Bilingo), a company registered in the Netherlands.

For the purposes of GDPR, Visionstar B.V. is the data controller of your personal data.

What data we collect

Account data

• Email address (required to create an account)
• Name or display name
• Country of residence
• Preferred language
• Password (stored as a salted hash — we never store your actual password)

Bill data

• Bill names, amounts, due dates, and providers you add
• Payment status (paid / unpaid) as marked by you
• Payment history within the app

Household data

• Names and email addresses of household members you invite (Family and Ultimate plans)
• Bill assignments between household members

Usage data

• App usage patterns (screens visited, features used) — anonymised
• Crash reports and error logs
• Device type and operating system version
• App version

Communication data

• Emails you send to hello@bilingo.app
• In-app support messages
• Waitlist sign-up email address

How we use your data

Data we never collect

• Your bank account balance or transaction history (except on Ultimate — see §5)
• Your credit card or payment card numbers
• Your national ID, BSN, passport number, or tax ID
• Your location beyond country level
• Sensitive personal data (health, religion, political opinions, biometrics)
• Data about children under 16

We do not run advertising on Bilingo, and we do not build advertising profiles from your data.

Bank & email reading (Ultimate plan only)

If you subscribe to the Ultimate plan, you may optionally connect a bank account or email inbox to allow Bilingo to auto-detect incoming bills. This feature is:

• Entirely optional. The app works fully without it.
• Explicitly consented. You must actively enable each connection.
• Read-only. Bilingo can read transaction descriptions and email subjects to detect bills. We cannot initiate payments, move funds, or send emails on your behalf.
• Revocable at any time. Disconnect from within the app; we delete the access token immediately.

Bank connections use PSD2-compliant Open Banking APIs. Email connections use OAuth 2.0 (no passwords are stored). Data fetched via these connections is processed to identify bill-related entries and is not stored beyond what is needed to populate your bill list.

Data sharing & third parties

We do not sell, rent, or trade your personal data. We share data only with:

• Stripe — payment processing (they handle card data; we never see your card number)
• Apple / Google — app distribution and push notification delivery
• Postmark — transactional email delivery (reminders, receipts)
• Sentry — anonymised crash reporting
• Open Banking providers — only on Ultimate, only with your consent

All processors are contractually bound to process your data only for the stated purpose and in compliance with GDPR.

We may share data with law enforcement or regulatory authorities only when required by law and after appropriate legal review.

Data retention

• Active accounts: Data is retained for as long as your account is active.
• Deleted accounts: All personal data is permanently deleted within 30 days of account deletion, except where retention is required by law (e.g., financial records for 7 years under Dutch accounting law — limited to transaction amounts and dates, not bill details).
• Waitlist data: Email addresses collected before launch are deleted within 90 days of the launch date if no account is created.
• Support emails: Retained for up to 2 years for quality assurance, then deleted.

Your rights under GDPR

As a user in the European Economic Area (and we extend these rights to all users globally), you have the right to:

• Access — request a copy of all personal data we hold about you
• Rectification — correct any inaccurate data
• Erasure ("right to be forgotten") — delete your account and all associated data
• Restriction — limit how we process your data in certain circumstances
• Portability — receive your bill data in a structured, machine-readable format (CSV)
• Objection — object to processing based on legitimate interests
• Withdraw consent — at any time, for consent-based processing (e.g. bank connections)

To exercise any of these rights, email hello@bilingo.app. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

Cookies

The Bilingo mobile app does not use cookies. The Bilingo website uses:

• Strictly necessary cookies — session management, CSRF protection. Cannot be disabled.
• Analytics cookies — anonymised page view counts (no cross-site tracking). You may opt out via our cookie banner.

We do not use advertising cookies, third-party tracking pixels, or social media cookies.

Children's privacy

Bilingo is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact hello@bilingo.app and we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and display a notice in the app at least 14 days before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

Continued use of Bilingo after the effective date constitutes acceptance of the updated policy.

Contact us

For privacy-related questions, data requests, or concerns:

For general support: hello@bilingo.app