Purpose-limited
Submitted invoice data is used to produce the requested DBX ONE invoice report and communicate about that report.
Confidentiality and data handling
This page explains what DBX ONE processes, why it is processed, how long it is kept, how AI is used, and what security and sub-processor controls apply.
Submitted invoice data is used to produce the requested DBX ONE invoice report and communicate about that report.
Customer invoice data is not used to train shared or general AI models and is not reused for other clients.
The free report is designed around last month’s supplier invoices, not historical bulk uploads.
Processor contract
Where DBX ONE processes personal data in invoice files for an organisation, DBX ONE acts on the organisation’s documented instructions and can provide a Data Processing Agreement before processing starts.
AI use
DBX ONE may use AI to help extract, structure and review invoice information. Customer invoice data is not used to train DBX ONE models, shared AI models or general AI models, and is not reused for other clients.
Security
DBX ONE’s security approach is based on restricting access, encrypting data in transit and at rest, and keeping invoice files in controlled cloud storage rather than scattered across unmanaged devices.
Cyber Essentials or Cyber Essentials Plus certification is not claimed unless separately confirmed in writing.
Sub-processors
DBX ONE will maintain a sub-processor list for organisations that require a DPA. Sub-processors are used only where needed to host the website, store submitted files, operate email or support AI-assisted invoice processing.
DBX ONE will not add a new sub-processor for client invoice data without the authorisation process set out in the DPA.
Data minimisation
The report usually needs supplier, date, category, item description, quantity, net/VAT/gross cost and delivery charges. If possible, remove anything that is not needed for invoice review.
Retention
For free reports, invoice files are intended to be retained only for the time needed to prepare, quality-check and deliver the report. A standard retention period can be agreed in the DPA; for most free-report submissions, DBX ONE’s default target is deletion within 30 days after report delivery unless an ongoing service is agreed.
For practices and clinics
If your organisation has a DPO, IG lead, Caldicott Guardian equivalent, finance lead or procurement owner, run the submission past them before sending invoice data. If the invoice files contain personal data, your organisation may also need to record the processing in its ROPA.
Apply free todayOperator and accountability
Reports are handled through DBX ONE by Dillon, the founder of the service and a UK medical student with experience in GP practice settings. Practices can request a signed DPA and additional supplier information before sending invoice files.