Privacy Policy

Last updated: 25 May 2026

3docs (“we”, “our”, “us”) is a UK-based invoicing service for freelancers and sole traders, operated from Nottingham, England. This policy explains what personal data we collect, why we collect it, and your rights under UK GDPR and the Data Protection Act 2018.

If you have any questions, email us at hello@3docs.co.uk.

1. Who is the data controller?

3docs is the data controller for personal data processed through this service. We are registered in England and Wales and can be contacted at hello@3docs.co.uk.

2. What data we collect

We collect only what is necessary to provide the service:

  • Account data — your email address, used to create and secure your account.
  • Profile data — your name or trading name, business address, email address, VAT number (if applicable), and bank account details (bank name, sort code, account number) that you choose to save for inclusion on invoices.
  • Invoice data — invoice numbers, line items, dates, totals, and the names, email addresses, and addresses of your clients.
  • Payment data — if you subscribe to Pro or buy a pay-as-you-go credit, Stripe processes your card details directly. We never see or store your full card number. We receive a Stripe customer ID and subscription reference from Stripe.
  • Usage data — basic server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging purposes.

3. Why we process your data

  • To provide the service — generating PDFs, sending invoices by email, and storing your data so you can access it later. Legal basis: contract performance.
  • To process payments — charging for Pro subscriptions and pay-as-you-go credits via Stripe. Legal basis: contract performance.
  • To send transactional emails — invoice delivery and overdue reminders sent on your behalf to your clients, and billing notifications sent to you. Legal basis: contract performance.
  • To keep the service secure — detecting abuse, preventing fraud, and maintaining server logs. Legal basis: legitimate interests.
  • To comply with legal obligations — such as retaining records for tax purposes. Legal basis: legal obligation.

4. Your clients’ data

When you enter a client’s name, email, or address into 3docs, you become the data controller for that data and we act as your data processor. You are responsible for ensuring you have a lawful basis for storing and processing your clients’ personal data. We process it solely to provide the invoicing service to you and will never use it for our own marketing or share it with third parties beyond the processors listed below.

5. Third-party processors

We share data with the following sub-processors to operate the service:

  • Supabase (database and file storage) — your account, invoice, and client data is stored on Supabase infrastructure hosted in the EU. Supabase is GDPR-compliant and operates under Standard Contractual Clauses. Supabase Privacy Policy.
  • Stripe (payments) — processes card payments and manages subscriptions. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy.
  • Resend (email delivery) — sends invoice and reminder emails to your clients on your behalf. Email content may be temporarily stored for delivery. Resend Privacy Policy.

We do not sell your data. We do not share it with advertisers. We do not use it for any purpose other than operating 3docs.

6. Cookies

We use only strictly necessary cookies — small files placed on your device that are essential for the service to work. Specifically:

  • sb-access-token and sb-refresh-token — session cookies set by Supabase to keep you logged in. These expire when you sign out or after a short inactivity period.

We do not currently use analytics, advertising, or tracking cookies. If this changes in the future, we will update this policy and ask for your consent before setting any non-essential cookies.

7. How long we keep your data

  • Account and profile data — retained for as long as your account is active. You can delete your account at any time from Settings.
  • Invoice and client data — retained for as long as your account is active. HMRC recommends keeping business records for at least 5 years after the relevant tax return deadline; we recommend you export or retain copies before deleting your account.
  • Payment records — retained for 7 years to comply with UK financial record-keeping obligations.
  • Server logs — retained for up to 30 days, then automatically deleted.

8. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data (you can update most data directly in Settings).
  • Erasure — request deletion of your data. You can delete your account from Settings, which removes your profile and invoice data. Some data may be retained where we have a legal obligation to do so.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Object — object to processing based on legitimate interests.

To exercise any of these rights, email hello@3docs.co.uk. We will respond within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

9. Data security

All data is encrypted in transit (TLS) and at rest. Access to production data is restricted to authorised personnel only. We use row-level security on our database so each user can only access their own data. Stripe handles all card data and we never receive or store raw payment card numbers.

10. International transfers

Your data is stored on Supabase infrastructure located within the EU (covered by UK adequacy decisions). Stripe and Resend may process data in the United States under Standard Contractual Clauses approved by the UK ICO. We do not transfer data to countries without an adequate level of protection.

11. Children

3docs is a business tool intended for adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email or by placing a notice in the app. The date at the top of this page reflects the most recent revision. Continued use of 3docs after changes constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions or requests, please contact us at hello@3docs.co.uk.