
Privacy Policy

Last updated: June 21, 2026

1. Overview

TechNova Solution FZCO (“we”, “us”, “Hisabi”) operates Hisabi, an AI-assisted invoicing platform used worldwide. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Service.

We are the data controller for personal data processed about visitors and account holders. We comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the “PDPL”), the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK GDPR for users in the European Economic Area, the United Kingdom and Switzerland, and other applicable data-protection laws of the regions in which our users are located.

1a. Controller, EU representative and data-protection contact

  • Controller: TechNova Solution FZCO, Dubai Silicon Oasis, United Arab Emirates.
  • Data-protection contact / DPO inbox: privacy@hisabi.ai.
  • EU / EEA representative under GDPR Art. 27: we have appointed a representative in the European Union and will publish the name and postal address here before our first paid GDPR-region customer goes live. Until then, EEA / UK users may contact us directly at privacy@hisabi.ai and we will respond within the GDPR statutory deadline.
  • UK representative under UK GDPR Art. 27: same as above; if a separate UK representative becomes mandatory we will list them here.

2. Data We Collect

  • Account data: name, email, hashed credentials, Google profile information when using Google Sign-In.
  • Business data: company name, address, TRN, logo, signature, banking details that you choose to display on invoices.
  • Invoice and expense data: client details, line items, amounts, payment status, notes, attachments.
  • AI inputs: natural-language prompts, pasted emails, uploaded receipt or invoice images, and voice clips that you submit to AI features.
  • Usage and device data: pages visited, features used, IP address, user-agent, request timestamps.
  • Billing data: Stripe customer ID, subscription status, last 4 digits of card and country, processed by Stripe (we do not store full card numbers).

3. How We Use Your Data and Lawful Bases

We process personal data for the purposes below. For users in the EEA, UK and Switzerland, the GDPR lawful basis (Art. 6 GDPR) is shown next to each purpose.

Purpose | GDPR lawful basis
---|---
Create and operate your account; generate invoices, expenses, reports and PDFs on your instruction. | Performance of a contract, Art. 6(1)(b).
Process AI requests you submit (natural-language invoice creation; email, image, voice and bulk extraction; payment-reminder drafting). | Performance of a contract, Art. 6(1)(b).
Bill subscriptions, take payments and prevent payment fraud. | Contract, Art. 6(1)(b); legal obligation, Art. 6(1)(c).
Send payment reminders and nudges to your clients under rules you configure. | Your legitimate interest, as our customer, in collecting receivables, Art. 6(1)(f); for that mailing we act as processor on your behalf.
Secure the Service; detect and prevent abuse, impersonation, AI-cost runaway and fraud. | Legitimate interest in protecting the Service and its users, Art. 6(1)(f).
Send service and security notices and legally required disclosures. | Legal obligation, Art. 6(1)(c); legitimate interest in operating the Service, Art. 6(1)(f).
Send product or marketing updates to existing customers about similar features. | Legitimate interest with the right to object, Art. 6(1)(f); consent, Art. 6(1)(a), where required by local law (e.g. ePrivacy).
Comply with tax, accounting and anti-money-laundering record-keeping (e.g. invoice retention). | Legal obligation, Art. 6(1)(c).

We do not carry out solely automated decisions producing legal or similarly significant effects on you within the meaning of Art. 22 GDPR. AI-extracted fields below 0.7 confidence are flagged for your manual review before any document is sent.

4. AI Processing

AI features are powered by Google Gemini 2.5 Flash, with Google Gemini 2.5 Flash-Lite as a fallback, accessed through the Google AI API. When you use an AI feature, the relevant input (your prompt, an uploaded image or receipt, a voice clip, an email body, or a batch of items) is transmitted to Google for processing and a response is returned to Hisabi.

Per our use of the Google AI paid API, your inputs and outputs are not used to train Google's models. Google may retain limited request data for a short window for abuse-monitoring and service-operation purposes per its API terms. Hisabi does not sell your data, does not use your data to train any model, and does not share AI inputs with the marketplace consultants without your explicit instruction.

Voice clips and uploaded images are stored encrypted in our private S3 bucket only as long as needed to complete extraction and to let you correct the result. You may delete them at any time from the Service, and we delete them automatically after a defined retention window.

5. Data Storage and Security

Production data is hosted on Amazon Web Services, currently in the US East (N. Virginia) region (us-east-1). We plan to migrate to a Middle East AWS region once regional capacity and operational conditions allow; we will update this Privacy Policy and notify customers before any such migration. Data is encrypted in transit (TLS) and at rest. Access to production data is restricted to authorized personnel using role-based access. Brand assets (logos, signatures) and uploaded documents are stored in private, encrypted S3 buckets and are never publicly accessible; they are served via short-lived pre-signed URLs.

Hisabi has not yet completed independent security certifications such as SOC 2 or ISO 27001. We follow industry-standard practices but you should evaluate the Service against your own compliance requirements before uploading regulated or highly sensitive data.

6. Sub-processors

We share personal data with the following sub-processors, each under a written data-protection commitment:

Sub-processor | Purpose | Region
---|---|---
Amazon Web Services | Hosting, database, storage, queues, email delivery (SES) | United States (us-east-1); migration to a Middle East region planned
Google LLC (Google AI) | Gemini API for AI extraction and generation | United States
Stripe Payments | Subscription billing for Hisabi plans | United States / Ireland
Google (OAuth) | Authentication when you sign in with Google | United States
Sentry (Functional Software, Inc.) | Application error monitoring, performance tracing and (when consented) session replay so we can diagnose crashes you experience. Replay scrubs input values and masks text by default. | United States
Google Analytics (Google LLC / Google Ireland Ltd) | Aggregate product and marketing analytics: page views, traffic sources and conversion events, to understand how the Service is used and improve it. IP addresses are processed for geolocation only and are not stored in identifiable form. | United States / European Union (Ireland)

We will update this list before adding any new sub-processor that materially affects your data.

7. Marketplace and Consultant Introductions

If you choose to be introduced to a tax consultant from our marketplace, we will share the minimum data needed to make the introduction, which typically includes your name, email, business name, and the topic you asked about. We do not share your invoice ledger, AI inputs, or banking details unless you explicitly instruct us to. Once you engage a consultant, that consultant becomes an independent data controller for the data you share with them directly.

8. International data transfers

Hisabi is operated from the United Arab Emirates by TechNova Solution FZCO. Our production database currently lives in the AWS US East (N. Virginia) region (us-east-1). When you use Hisabi from the EEA, UK or Switzerland your personal data is therefore transferred to the United States, a country that the European Commission and UK ICO consider adequate only for transfers to recipients certified under the EU-US Data Privacy Framework and the UK extension to it. AWS is certified under the Data Privacy Framework. When you use Hisabi from the UAE, your personal data is similarly transferred to the United States.

For these transfers, and for transfers to sub-processors that process data outside your home jurisdiction (notably Google AI in the United States and Stripe in the United States and Ireland), we rely on the safeguards in Chapter V GDPR / UK GDPR, in particular:

  • The European Commission's Standard Contractual Clauses (Decision 2021/914) for transfers from controllers and processors in the EEA to third countries, with the UK Addendum for UK transfers and the Swiss FDPIC supplementary protections for transfers from Switzerland; and reliance on the EU-US Data Privacy Framework where the recipient is DPF-certified.
  • A Transfer Impact Assessment, kept under review, of US law and of each sub-processor's jurisdiction; we apply additional technical measures (encryption in transit and at rest, role-based access, no public buckets, signed URLs for assets).
  • For UAE PDPL transfers, the safeguards in PDPL Articles 22 and 23.

You may request a copy of the SCCs and our Transfer Impact Assessment summary at privacy@hisabi.ai.

9. Data retention

We retain account and business data for as long as your account is active. Upon account deletion, we remove personal and business data within 30 days, except:

  • Invoice records and accounting books are retained for the period required by your local tax law (commonly 5-10 years; e.g. 5 years under UAE VAT Federal Decree-Law 8/2017, 10 years under § 147 AO Germany, 6 years under UK HMRC rules, 10 years under French CGI Art. L102B).
  • Abuse-prevention logs as described in Section 11, kept for up to 12 months.
  • Records we are legally required to keep (tax, AML, court orders).
  • Backups are overwritten in line with their rolling backup window (typically 30 days).

10. Your data-protection rights

Subject to the conditions in the law that applies to you, you have the rights set out below. Under the GDPR / UK GDPR (EEA, UK, Switzerland users), the rights are:

  • Access, Art. 15: get a copy of your data.
  • Rectification, Art. 16: correct inaccurate or incomplete data.
  • Erasure / “right to be forgotten”, Art. 17.
  • Restriction of processing, Art. 18.
  • Data portability, Art. 20: receive your data in a structured, machine-readable format and have it transferred where technically feasible.
  • Object to processing based on legitimate interest, including direct marketing, at any time, Art. 21.
  • Not be subject to a solely automated decision with legal or similarly significant effects, Art. 22 (we don't do this; AI is human-reviewed).
  • Withdraw consent, Art. 7(3), where processing is based on consent.
  • Lodge a complaint with your local supervisory authority, Art. 77. A list of EEA authorities is published by the European Data Protection Board; UK users can complain to the UK ICO.

Equivalent rights apply under the UAE PDPL (access, correction, deletion, restriction, portability, objection, withdrawal of consent, complaint to the UAE Data Office) and under other regional laws.

To exercise any right, email privacy@hisabi.ai. We will respond within one month of a verified request (extendable by two further months for complex requests, with notice), as required by Art. 12(3) GDPR. Exercising these rights is free of charge unless requests are manifestly unfounded or excessive.

11. Abuse Prevention and Law-Enforcement Cooperation

To protect the Service and its users from fraud, impersonation, and abuse, we process and may retain the following technical metadata for each request: IP address, user-agent, request timestamps, submitted content fields, and a hash of generated documents. This processing is based on our legitimate interest in preventing fraud and protecting users who may receive a misleading invoice.

If we receive a credible fraud report (for example via hisabi.ai/report-abuse) or a lawful request from UAE or foreign law-enforcement, we may: (a) review these logs to identify the source, (b) suspend the account or IP responsible, and (c) share relevant logs with law-enforcement where we are legally required or permitted to do so. We do not sell or share this data for any other purpose.

Hisabi does not verify user identity, invoice accuracy, or the legitimacy of any transaction, and does not authorise or endorse any user or invoice. Recipients of any invoice generated using Hisabi should independently verify the supplier through a channel they already trust before making any payment.

12. Cookies and similar technologies

We use a minimal set of cookies. Where required by the EU ePrivacy Directive and national implementations (e.g. TTDSG in Germany, the UK PECR), we ask for prior consent for any non-essential cookies via a cookie banner before they are set.

  • Strictly necessary (no consent required): NextAuth session cookie, CSRF token, locale and theme preferences. Without these the Service cannot function.
  • Aggregate analytics (consent required in EEA / UK): Google Analytics sets cookies (typically _ga and _ga_*) to measure page views, traffic sources, and conversion events. Where required by the EU ePrivacy Directive or PECR these cookies are only set after you grant consent via our cookie banner; consent can be withdrawn at any time from your account settings.
  • Error monitoring (consent required in EEA / UK for replay): Sentry captures crash and performance data via the SDK only, no marketing or advertising cookies. Sentry session replay (which records a masked playback of your session for diagnostics) is gated behind your cookie-banner consent and can be withdrawn at any time from your account settings.

We do not use advertising cookies, do not run third-party ad pixels, and do not sell personal data to advertisers.

13. Breach notification

In the event of a personal-data breach we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, in line with Art. 33 GDPR / Art. 33 UK GDPR and PDPL Article 9. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in line with Art. 34 GDPR. Notifications describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed.

14. Children

The Service is intended for users aged 18 and older. We do not knowingly collect personal data from children. If you believe we may have collected data from a person under 18, contact privacy@hisabi.ai and we will delete it.

15. Changes

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice in the Service. Continued use of the Service after changes take effect constitutes acceptance.

16. Data Processing Addendum (DPA) for business customers

When you use Hisabi to send invoices and reminders to your clients, you act as the controller of your clients' personal data and Hisabi acts as your processor under Art. 28 GDPR for that limited purpose. We offer a written Data Processing Addendum incorporating the European Commission Standard Contractual Clauses and the UK Addendum, available on request at privacy@hisabi.ai.

17. Contact

For privacy inquiries, contact privacy@hisabi.ai. TechNova Solution FZCO, Dubai Silicon Oasis, United Arab Emirates.


© 2026 TechNova Solution FZCO. All rights reserved.

UAE Federal Tax Authority · TRN 104691123400001 · Corporate Tax AE337350104691123400001 · Registered 01 Aug 2024