Privacy Policy

OCTOBILL, LLC.

Effective Date: June 26, 2026 · Version: 1.0 · Jurisdiction: United States · Contact: legal@octobill.it

IMPORTANT NOTICE

This Privacy Policy describes how Octobill, LLC ("Octobill," "we," "us," "our") collects, uses, stores, and shares information about merchants ("Merchant") and, in limited circumstances, their end customers ("Customers") in connection with the Octobill business management software platform available at octobill.it. Please read this policy in full. By creating an account or using the Octobill platform, you agree to the practices described herein.

01 Information We Collect

1.1 Merchant Account Information

When you register for an Octobill merchant account, we collect:

Full name and title of the authorized account holder
Business legal name and DBA (doing-business-as) name
Business mailing address and physical location address
Business email address and primary phone number
Business type, industry category, and description
Tax identification number (EIN or SSN for sole proprietors), collected and processed by your connected payment processor (Stripe, Square, or Shopify) — not stored by Octobill
Login credentials (email address and hashed password)

1.2 Customer Contact Data Stored on Your Behalf

As part of managing your subscription programs and loyalty offerings, Octobill stores the following data about your end customers on your behalf:

Full name
Email address
Phone number (including mobile numbers used for SMS communications)
Physical mailing and delivery address
Subscription enrollment status, plan details, and billing history
Loyalty program participation and reward balance

You, as the Merchant, are the data controller for your customers' personal information. Octobill acts as a data processor on your behalf and processes this data only in accordance with your instructions and these Terms.

1.3 SMS Opt-In Data

When you or your customers opt in to SMS communications through the Octobill platform, we collect and store:

Mobile phone number

Opt-in timestamp and consent record

Opt-in source (e.g., subscription enrollment form, checkout widget, in-store signup)
SMS communication history (message delivery status logs)

SMS opt-in data is used exclusively to send transactional messages on behalf of the Merchant, including subscription confirmations, payment links, invoice notices, proposal notifications, renewal reminders, and loyalty updates. This data is never used for third-party advertising or shared with unaffiliated parties.

1.4 Payment & Transaction Data

Octobill does not store payment card numbers, bank account numbers, or other sensitive financial credentials. All payment data is processed and stored directly by your connected payment processor (Stripe, Square, or Shopify). Octobill receives and stores only non-sensitive transaction metadata, including:

Transaction amount and currency
Transaction date and status
Subscription or invoice reference identifier
Payment processor transaction ID (for reconciliation purposes)

1.5 Usage & Platform Data

We automatically collect certain technical and behavioral data when you use the Octobill platform:

IP address and approximate geographic location
Browser type, operating system, and device identifiers
Pages visited, features used, and session duration
Error logs and diagnostic data

Referring URL and exit pages

This data is used to operate, secure, and improve the platform. It is not used to profile merchants for advertising purposes.

1.6 Communications Data

If you contact Octobill support, compliance, or legal teams, we retain records of that correspondence, including email content, support ticket history, and any documentation you provide.

02 How We Use Your Information

Octobill uses merchant and customer data for the following purposes:

2.1 Platform Operations

Creating, maintaining, and authenticating your merchant account
Processing and managing subscription programs, invoices, and proposals
Delivering payment links and billing notifications to your customers
Operating loyalty programs and tracking customer reward balances
Facilitating integration with connected payment processors and POS systems

2.2 SMS & Email Communications

We send transactional SMS and email messages on your behalf to your customers, including:

Subscription enrollment confirmations and renewal notices
Payment links, invoice delivery, and payment receipt confirmations
Proposal delivery and acceptance notifications
Loyalty program balance updates and reward redemption confirmations
Account security alerts (e.g., password reset, login notifications)

All SMS communications are transactional in nature and are sent only to customers who have provided affirmative opt-in consent. We do not send marketing or promotional SMS messages on behalf of merchants without explicit additional consent from end customers.

2.3 Platform Security & Fraud Prevention

Detecting and preventing unauthorized access, fraud, and abuse
Monitoring for prohibited activity under our Merchant Terms of Service
Verifying merchant identity and business legitimacy

2.4 Platform Improvement

Analyzing aggregate usage patterns to improve features and user experience
Diagnosing technical errors and improving platform reliability
Conducting internal research and product development

2.5 Legal & Compliance

Complying with applicable federal, state, and local laws and regulations
Responding to lawful requests from government authorities or courts
Enforcing our Merchant Terms of Service and other applicable policies
Establishing, exercising, or defending legal claims

03 SMS Communications & TCPA Compliance

Octobill's SMS functionality is governed by the following requirements:

3.1 Opt-In Requirements

Customers must affirmatively opt in to receive SMS messages before any transactional SMS is sent. Implied consent is not sufficient.

Opt-in consent must be obtained through a compliant mechanism (e.g., a checkbox on a subscription enrollment form, a keyword opt-in via SMS, or a signed paper form). The opt-in must clearly disclose the types of messages the customer will receive, the message frequency, and that standard message and data rates may apply.

Octobill stores a timestamped record of each customer opt-in for your compliance records. Merchants are responsible for maintaining independent records of consent.

3.2 Required SMS Disclosures

All opt-in mechanisms used through the Octobill platform must include the following disclosures:

Program name (your business name)
Message frequency (e.g., "Message frequency varies")
"Message and data rates may apply"
How to opt out (e.g., "Reply STOP to unsubscribe")
How to get help (e.g., "Reply HELP for help")
A link to the merchant's Privacy Policy and Terms

3.3 Opt-Out & Suppression

Customers may opt out of SMS communications at any time by replying STOP to any message. Octobill's platform will process and honor opt-out requests within the timeframe required by applicable law (not to exceed 24 hours).

Opted-out numbers are added to a suppression list and will not receive further SMS messages from the associated merchant program.

Merchants must not attempt to re-enroll opted-out customers without obtaining fresh affirmative consent.

3.4 Merchant Responsibility

Merchants are solely responsible for ensuring their use of Octobill's SMS features complies with the TCPA, CAN-SPAM Act, CTIA Messaging Guidelines, and all applicable state telemarketing and electronic communications laws. Octobill is not liable for any penalties, claims, or damages arising from a merchant's non-compliant use of SMS features.

04 How We Share Your Information

Octobill does not sell merchant or customer personal data to third parties for advertising, marketing, or data brokerage purposes. We share data only in the following limited circumstances:

4.1 Payment Processors & Integrated Services

Octobill shares necessary transaction and customer data with your connected payment processors (Stripe, Square, Shopify) and POS systems (Toast POS) to facilitate subscription billing, payment collection, and commerce integrations. Each processor receives only the data required to perform the specific function. Data shared with these processors is governed by their respective privacy policies.

4.2 Service Providers & Subprocessors

We engage a limited set of third-party service providers to operate the Octobill platform, including hosting infrastructure, email and SMS delivery services, analytics tools, and customer support software. These subprocessors are contractually bound to process data only on Octobill's behalf and in accordance with this Privacy Policy. A current list of subprocessors is available upon written request at legal@octobill.it.

4.3 Legal Obligations & Safety

We may disclose data if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation, court order, or government request; (b) enforce our Merchant Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Octobill, our merchants, customers, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or other business transfer, merchant and customer data held by Octobill may be transferred to the successor entity. We will notify affected merchants via email or in-platform notice before their data is transferred and becomes subject to a different privacy policy.

05 Data Retention

Octobill retains merchant account data for as long as your account is active and for a minimum of three (3) years following account termination, as required for our legal, compliance, and dispute resolution obligations.

06 Cookies & Tracking Technologies

The Octobill platform and website (octobill.it) use cookies and similar tracking technologies to operate and improve the platform. Specifically:

6.1 Essential Cookies

Required for the platform to function. These cookies manage your authenticated session, maintain your preferences, and enable security features such as CSRF protection. They cannot be disabled without disrupting platform functionality.

6.2 Analytics Cookies

We use analytics tools to understand how merchants use the platform, which features are most frequently used, and where technical errors occur. This data is aggregated and anonymized where possible.

6.3 Embeddable Widget

If you install the Octobill subscriber widget on your website (octobill.it/widget.js), that widget does not place third-party advertising or tracking cookies on your customers' browsers. It sets only session-functional cookies required for the subscription enrollment and payment flow.

6.4 Do Not Track

Octobill does not currently respond to browser-level Do Not Track (DNT) signals. If this changes, this policy will be updated accordingly.

07 Your Rights & Choices

Depending on your jurisdiction, you and your customers may have the following rights with respect to personal data:

7.1 Merchant Rights

Access: Request a copy of personal data Octobill holds about you or your merchant account.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your merchant account and associated data, subject to our legal retention obligations.
Data Portability: Request an export of your merchant account data and customer data in a machine-readable format.
Restriction: Request that we restrict processing of your data in certain circumstances.

To exercise any of these rights, contact us at legal@octobill.it. We will respond within 30 days of receiving a verifiable request.

7.2 Your Customers' Rights (Merchant Obligations)

As the data controller for your customers' personal information, you are responsible for handling your customers' data rights requests — including access, deletion, and opt-out requests. Octobill will assist you in responding to verifiable customer requests that require action on data held within the platform. You must maintain a published privacy policy that covers your customers' rights under applicable law.

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: (a) know what personal information is collected, used, shared, or sold; (b) delete personal information we hold; (c) opt out of the sale or sharing of personal information (Octobill does not sell personal information); (d) correct inaccurate personal information; and (e) limit the use of sensitive personal information. To submit a CCPA request, contact legal@octobill.it or visit octobill.it/privacy.

7.4 State Privacy Rights (Virginia, Colorado, Connecticut, Texas)

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA) have similar rights to those listed above, including the right to opt out of targeted advertising and profiling. Octobill does not engage in targeted advertising or sell personal data. To submit a request under any applicable state privacy law, contact legal@octobill.it.

08 Data Security

Octobill implements administrative, technical, and physical safeguards designed to protect merchant and customer data from unauthorized access, disclosure, alteration, and destruction, including:

Encryption of data in transit using TLS 1.2 or higher
Encryption of sensitive data at rest
Access controls and role-based permissions limiting internal data access to authorized personnel
Regular security monitoring and vulnerability assessment

Third-party subprocessor security vetting

Payment card data is processed exclusively by your connected payment processor (Stripe, Square, or Shopify). Octobill does not access, store, or transmit cardholder data and is not in scope for PCI DSS compliance on behalf of merchants.

09 Children's Privacy

The Octobill platform is intended solely for use by adults operating lawful business entities. We do not knowingly collect personal information from individuals under the age of 13. If a merchant creates a subscription program that may be accessed by children under 13, that merchant is solely responsible for implementing COPPA-compliant parental consent mechanisms as required by the Children's Online Privacy Protection Act. Octobill does not provide COPPA compliance tooling and is not liable for a merchant's failure to comply with COPPA.

10 Third-Party Links & Integrations

The Octobill platform may contain links to or integrations with third-party websites, tools, and services (including Stripe, Square, Shopify, and Toast POS). This Privacy Policy applies only to data collected and processed by Octobill. We are not responsible for the privacy practices of any third-party service. We encourage you to review the privacy policies of any third-party service you connect to or use in conjunction with Octobill.

11 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or platform features. When we make material changes, we will notify merchants via email or in-platform notice at least 14 days before the updated policy takes effect. The effective date at the top of this document will always reflect the current version. Continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.

A history of prior versions of this Privacy Policy is available upon written request to legal@octobill.it.

12 Contact Us

For questions, requests, or concerns about this Privacy Policy or your data rights, contact Octobill at: legal@octobill.it.