Privacy Policy
Last updated: 31 May 2026
3docs (“we”, “our”, “us”) is a UK-based invoicing service for freelancers and sole traders, operated from Nottingham, England. This policy explains what personal data we collect, why we collect it, and your rights under UK GDPR and the Data Protection Act 2018.
If you have any questions, email us at hello@3docs.co.uk.
1. Who is the data controller?
3docs is the data controller for personal data processed through this service. We are registered in England and Wales and can be contacted at hello@3docs.co.uk.
2. What data we collect
We collect only what is necessary to provide the service:
- Account data — your email address, used to create and secure your account.
- Profile data — your name or trading name, business address, email address, VAT number (if applicable), and bank account details (bank name, sort code, account number) that you choose to save for inclusion on invoices.
- Invoice data — invoice numbers, line items, dates, totals, and the names, email addresses, and addresses of your clients.
- Payment data — if you subscribe to Pro or buy a pay-as-you-go credit, Stripe processes your card details directly. We never see or store your full card number. We receive a Stripe customer ID and subscription reference from Stripe.
- Usage data — basic server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging purposes.
3. Why we process your data
- To provide the service — generating PDFs, sending invoices by email, and storing your data so you can access it later. Legal basis: contract performance.
- To process payments — charging for Pro subscriptions and pay-as-you-go credits via Stripe. Legal basis: contract performance.
- To send transactional emails — invoice delivery and overdue reminders sent on your behalf to your clients, and billing notifications sent to you. Legal basis: contract performance.
- To improve the service — we use product analytics to understand how registered users interact with the app, so we can fix problems and prioritise improvements. This only applies to authenticated users who have accepted these terms. Legal basis: legitimate interests.
- To keep the service secure — detecting abuse, preventing fraud, and maintaining server logs. Legal basis: legitimate interests.
- To comply with legal obligations — such as retaining records for tax purposes. Legal basis: legal obligation.
4. Your clients’ data
When you enter a client’s name, email, or address into 3docs, you become the data controller for that data and we act as your data processor. You are responsible for ensuring you have a lawful basis for storing and processing your clients’ personal data. We process it solely to provide the invoicing service to you and will never use it for our own marketing or share it with third parties beyond the processors listed below.
5. Third-party processors
We share data with the following sub-processors to operate the service:
- Supabase (database and file storage) — your account, invoice, and client data is stored on Supabase infrastructure hosted in the EU. Supabase is GDPR-compliant and operates under Standard Contractual Clauses. Supabase Privacy Policy.
- Stripe (payments) — processes card payments and manages subscriptions. Stripe is PCI-DSS Level 1 certified. Stripe Privacy Policy.
- Resend (email delivery) — sends invoice and reminder emails to your clients on your behalf. Email content may be temporarily stored for delivery. Resend Privacy Policy.
- PostHog (product analytics) — we use PostHog to understand how logged-in users interact with the app (pages visited, features used). Analytics are only active for authenticated users; anonymous visitors are not tracked and no data is sent to PostHog before you sign in. Data is stored on PostHog’s EU-region infrastructure. PostHog Privacy Policy.
Your data is never sold, never shared with advertisers, and never used for anything beyond operating 3docs.
6. Cookies
We use two categories of cookies:
Strictly necessary (all visitors)
- sb-access-token and sb-refresh-token — session cookies set by Supabase to keep you logged in. These expire when you sign out or after a short inactivity period. No consent is required as they are essential for the service to function.
Analytics (authenticated users only)
- PostHog sets a ph_* cookie and local storage entry to track product usage across sessions. This is only activated once you sign in — anonymous visitors to the marketing pages are not tracked and no PostHog cookie is written before authentication. By creating an account and accepting these terms you consent to this analytics tracking. You can withdraw consent at any time by contacting us at hello@3docs.co.uk.
We don't use advertising or third-party tracking cookies of any kind.
7. How long we keep your data
- Account and profile data — retained for as long as your account is active. You can delete your account at any time from Settings.
- Invoice and client data — retained for as long as your account is active. HMRC recommends keeping business records for at least 5 years after the relevant tax return deadline; we recommend you export or retain copies before deleting your account.
- Payment records — retained for 7 years to comply with UK financial record-keeping obligations.
- Server logs — retained for up to 30 days then automatically deleted.
8. Your rights under UK GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data (you can update most data directly in Settings).
- Erasure — request deletion of your data. You can delete your account from Settings, which removes your profile and invoice data. Some data may be retained where we have a legal obligation to do so.
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to limit how we process your data in certain circumstances.
- Object — object to processing based on legitimate interests.
To exercise any of these rights, email hello@3docs.co.uk. We'll respond within 30 days. If you're unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
9. Data security
All data is encrypted in transit (TLS) and at rest. Access to production data is restricted to authorised personnel only. We use row-level security on our database so each user can only access their own data. Stripe handles all card data and we never receive or store raw payment card numbers.
10. International transfers
Your data is stored on Supabase infrastructure located within the EU (covered by UK adequacy decisions). Stripe and Resend may process data in the United States under Standard Contractual Clauses approved by the UK ICO. We do not transfer data to countries without an adequate level of protection.
11. Children
3docs is a business tool intended for adults. We don't knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we'll delete it promptly.
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email or by placing a notice in the app. The date at the top of this page reflects the most recent revision. Continued use of 3docs after changes constitutes acceptance of the updated policy.
13. Contact
For any privacy-related questions or requests, please contact us at hello@3docs.co.uk.