Privacy Policy
Last Updated: February 14, 2026
Overview
Billow AI Companion (“the Add-in”) is a Microsoft Excel Add-in that provides AI-powered assistance for spreadsheet tasks. This Privacy Policy describes how we collect, use, and protect your information.
SOC 2 Compliance
This application is designed to comply with SOC 2 Trust Service Criteria:
- Security (CC6):Logical and physical access controls
- Availability (A1):System availability for operation
- Processing Integrity (PI1):Complete, valid, and accurate processing
- Confidentiality (C1):Confidential information protection
- Privacy (P1-P8):Personal information protection
Information We Collect
1. Spreadsheet Data
When you use the Add-in, we process your active selection, workbook structure (sheet names, table names, column headers), and cell values within ranges you interact with.
Purpose: To provide contextual AI assistance for your spreadsheet tasks.
Retention: Spreadsheet data is processed in memory and not permanently stored.
2. Usage Data
We collect execution history (a log of actions performed, stored for 7 days) and user preferences (settings, stored for 30 days) to maintain context across sessions and improve user experience.
3. Anonymous Identifiers
We generate anonymous user IDs and workbook IDs to associate preferences with your session without identifying you personally. We do not collect names, email addresses, or other personal identifiers.
Data Processing
Third-Party AI Services
Your prompts and spreadsheet context are sent to our AI providers for processing:
| Service | Purpose | Data Sent |
|---|---|---|
| OpenAI | GPT model responses | User prompts, cell context |
| Anthropic | Claude model responses | User prompts, cell context |
Both providers operate under zero-retention agreements and do not train on or retain customer data.
Infrastructure
| Service | Purpose |
|---|---|
| Cloudflare | Serverless compute (Workers), API proxy, edge security (WAF, DDoS), data storage (KV) |
| Supabase (AWS) | Database layer, encrypted at rest |
| Vercel | Web hosting |
| Microsoft Azure | Office Add-in hosting |
Data Retention
All stored data has automatic expiration (TTL) configured and is automatically deleted after the retention period.
| Data Type | Retention | Auto-Delete |
|---|---|---|
| Execution History | 7 days | Yes (TTL) |
| Session Data | 24 hours | Yes (TTL) |
| User Preferences | 30 days | Yes (TTL) |
| Financial Model Context | 180 days | Yes (TTL) |
| Spreadsheet Data | Session only | Immediate |
Data Security
Encryption
All data in transit is encrypted using TLS 1.2+. Data at rest is encrypted using AES-256-GCM via the Web Crypto API with PBKDF2 key derivation, with AWS-managed encryption at the database layer.
Access Controls
API keys are stored as encrypted secrets in Cloudflare Workers. CORS is restricted to specific trusted domains. Production access follows least-privilege principles with MFA enforcement.
Audit Logging
Request metadata is logged for security monitoring. PII is automatically redacted from logs. No raw user content is logged.
Your Rights
Data Access
You can view your stored memory data using the memory viewer in the Add-in.
Data Deletion
Use the “Clear Memory” button in the memory viewer, or contact us at privacy@thebillow.ai for complete data deletion. Users can fully disable server-side memory persistence via an opt-out toggle in Settings.
Data Portability
Contact us to request an export of your stored data.
Children's Privacy
This Add-in is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted with an updated “Last Updated” date.
Regulatory Compliance
This policy is designed to comply with:
- GDPR:General Data Protection Regulation
- CCPA:California Consumer Privacy Act
- SOC 2:Trust Service Criteria
Contact Us
For privacy-related questions or concerns, email us at privacy@thebillow.ai