Privacy Policy
Last updated: April 10, 2026
Billable CPQ ("Billable," "we," "us," or "our") is operated by Canopy Consulting Group LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application, mobile applications, and related services (collectively, the "Service"). By using Billable CPQ you agree to the collection and use of information in accordance with this policy.
Plain-English summary: Billable CPQ is a business tool. We collect the minimum information needed to operate the Service for you and your company. We do not sell your data, we do not share it with advertisers, and we do not use it to train AI models. The data you create in Billable (quotes, products, customer records) belongs to you and your company.
1. Information We Collect
Information You Provide
- Account information: name, email address, and password when you create an account
- Company information: company name, website, industry, currency preference, and branding assets you upload
- Customer and contact data: account names, contact names, email addresses, phone numbers, and other business details you enter into the system
- Product and pricing data: product catalogs, pricing rules, bundles, tier pricing, SOW templates, and quoting configurations
- Quote and invoice data: quote line items, pricing, margins, statements of work, and invoice records you create
- Payment information: billing details processed securely through Stripe — we never see or store your full credit card number
- Integration credentials: OAuth tokens and API keys for third-party services you choose to connect (Salesforce, HubSpot, DocuSign, Anthropic Claude), encrypted at rest in our database
- Support communications: messages you send us via the in-app Contact Us feature or email
Information Collected Automatically
- Usage data: pages viewed, features used, quote creation activity, and general interaction patterns (used to improve the Service)
- Device information: browser type, operating system, screen size, and device identifiers
- Log data: IP addresses, access times, referring URLs, and error logs for debugging
- Cookies and local storage: used to keep you signed in and remember preferences
Information From Third-Party Integrations
When you connect Billable CPQ to third-party services, we access and store only the data necessary for the integration to function:
- Salesforce: accounts, contacts, opportunities, products, and pricebook entries you import or sync
- HubSpot: contacts, companies, and deals you import
- DocuSign: envelope and signing status for quotes sent for signature
- Anthropic Claude (BYOK): if you provide your own API key for AI-assisted quoting, your key is encrypted at rest and used only to call Claude on your behalf — we do not log your prompts or responses
2. How We Use Your Information
- To provide, maintain, and improve the Service
- To process your transactions and manage your account
- To generate quotes, invoices, statements of work, and PDF documents on your behalf
- To sync data with third-party services you have authorized
- To send you service-related communications (password resets, billing notices, important updates)
- To respond to your support requests and feedback
- To detect, prevent, and address technical issues, fraud, or abuse
- To comply with legal obligations
What we don't do: We do not sell your personal information. We do not share your data with advertisers. We do not use your data to train machine learning models. We do not read your quotes, SOWs, or customer records except when strictly necessary to provide support you have requested.
3. Data Sharing and Disclosure
We share your information only in these limited circumstances:
- Service providers: trusted third parties that help us operate the Service (Supabase for database and authentication, Cloudflare for hosting and CDN, Stripe for payments, Resend for transactional email). These providers are bound by contract to protect your information.
- Third-party integrations you authorize: when you connect Salesforce, HubSpot, DocuSign, or other services, we exchange data with them at your direction
- Legal requirements: if required by law, subpoena, or court order, or to protect our legal rights
- Business transfers: in connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction (you will be notified)
4. Data Security
We take the security of your data seriously. Our measures include:
- Encryption in transit: all communication with Billable CPQ uses HTTPS/TLS 1.2+
- Encryption at rest: databases are encrypted at rest using AES-256; sensitive credentials (OAuth tokens, API keys) are additionally encrypted at the column level using pgcrypto
- Access controls: Row Level Security (RLS) policies ensure that one customer's data is isolated from another's at the database level
- Authentication: JWT-based authentication with automatic session expiration
- Security headers: Content Security Policy, HSTS, X-Frame-Options, Permissions-Policy, and Subresource Integrity enforced on all pages
- Regular audits: we run Dynamic Application Security Testing (DAST) scans and review our Row Level Security policies periodically
No method of transmission or storage is 100% secure, but we use commercially reasonable efforts to protect your data.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, accounting, or regulatory purposes.
6. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Request deletion of your personal information
- Export your data in a portable format
- Withdraw consent to data processing
- Object to certain processing activities
- File a complaint with a data protection authority
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
7. International Data Transfers
Billable CPQ is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.
8. Children's Privacy
Billable CPQ is a business tool intended for professional use and is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, please contact us and we will delete it.
9. Third-Party Links
Billable CPQ may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with your information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or an in-app notice. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the revised terms.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us: