Privacy Policy
Last updated: 1 May 2026
1. Who are we?
StatementBridge is a service provided by FIDURO B.V., located at Stephensonweg 6, 4207 HB Gorinchem, the Netherlands. Chamber of Commerce (KvK) number: 78200695. VAT number: NL861300221B01.
For questions about this privacy policy or your personal data, please contact us at info@fiduro.nl or by phone at +31 183 201077.
2. What personal data do we process?
We process the following categories of personal data:
2.1 Account data
- Email address — for authentication and account management
- Password — stored as a bcrypt hash (not readable)
- Display name — optional, for personalisation
- Language preference and theme setting — for user experience
2.2 Conversion data
- Uploaded files — deleted from our servers immediately after processing; the content (transaction lines, counter-parties, amounts, names) is not stored.
- Generated files — available for download during your session, then automatically deleted.
- Conversion metadata — for each conversion we record: date/time, source and target format, transaction count, status, any error message (including technical location and stack-trace for monitoring), and the import settings you chose, including the account IBAN you entered yourself, split mode, payout preference and chosen file extensions. Purpose: enforcing plan limits, monitoring errors, and qualitative improvement of the Service. We do not record transaction content, counter-party accounts, names or file names.
2.3 Technical data
- IP address — recorded when accepting the terms and conditions (legal proof of consent)
- User agent — recorded when accepting the terms and conditions
- Session information — for the functioning of the application
2.4 Payment data
- Stripe customer ID — for managing your subscription
- Payment details (credit card, iDEAL) are processed exclusively by Stripe. We do not store any payment details.
2.5 API keys (optional)
- LLM API key — if you use AI PDF extraction, your API key is stored in encrypted form (AES-128/Fernet)
3. What do we use your data for?
| Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|
| Creating and managing your account | Performance of contract (Art. 6.1b) | Until you delete your account |
| Performing file conversions | Performance of contract (Art. 6.1b) | Files: immediately after processing. Conversion counter: as long as the account is active. |
| Subscription management and billing | Performance of contract (Art. 6.1b) | Until you delete your account |
| Recording acceptance of terms and conditions | Legal obligation (Art. 6.1c) | Until you delete your account |
| Technical functioning and security | Legitimate interest (Art. 6.1f) | Session data: 24 hours |
4. Two processing flows
StatementBridge has two processing flows with different risk profiles:
4.1 Deterministic conversion (default)
When converting structured formats (MT940, CAMT.053, CSV, Excel, OFX, CODA), your files are processed exclusively on our EU servers (Frankfurt). No data is sent to external parties. The conversion is deterministic: transactions are carried over exactly, without interpretation.
4.2 AI PDF extraction (optional)
With AI PDF extraction, the full text content of your PDF file — including transaction descriptions, amounts, dates, account numbers and names — is sent to an external AI provider for processing:
- Anthropic (San Francisco, USA) — if you select Anthropic as your provider
- OpenAI (San Francisco, USA) — if you select OpenAI as your provider
These service providers are based in the United States. The transfer takes place on the basis of Standard Contractual Clauses (SCCs) maintained by these parties in accordance with Art. 46.2c GDPR.
Important: You choose whether to use this feature. When using AI extraction, your own API key is used. The processing takes place under your own agreement with the relevant AI provider. We recommend that you do not process files containing sensitive personal data (such as credit card numbers, personal names in transaction descriptions) through AI extraction.
5. Third parties and sub-processors
| Party | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | USA (SCCs apply) |
| Render.com | Application hosting | EU (Frankfurt) |
| Anthropic (optional) | AI PDF extraction (only at user's request) | USA (SCCs apply) |
| OpenAI (optional) | AI PDF extraction (only at user's request) | USA (SCCs apply) |
| Resend | Email delivery (verification, password reset, notifications) | USA (SCCs apply) |
For the formal data processing agreement, see our Data Processing Agreement.
6. Your rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — You may request an overview of the personal data we process about you.
- Right to rectification (Art. 16) — You may have incorrect data corrected through your account settings.
- Right to erasure (Art. 17) — You may delete your account and all associated data through the account settings in the application.
- Right to data portability (Art. 20) — You may request an export of your personal data in JSON format through the application.
- Right to restriction of processing (Art. 18) — You may request that we restrict the processing of your data.
- Right to object (Art. 21) — You may object to processing based on legitimate interest.
- Right to object to marketing — You may opt out of onboarding and tip emails via the unsubscribe link at the bottom of any email that contains marketing content or via the “Receive tips & onboarding emails” toggle in your account settings. Important transactional emails (password reset, payment confirmation, account notifications) will still be sent.
To exercise these rights, please contact us at info@fiduro.nl. We will respond to your request within 30 days.
7. Security
We take appropriate technical and organisational measures to protect your personal data:
- All communication is conducted over HTTPS (TLS encryption)
- Passwords are stored as bcrypt hashes
- API keys are stored encrypted with AES-128 (Fernet)
- Uploaded files are deleted immediately after processing
- Session cookies are secured (HttpOnly, Secure, SameSite=Strict)
- Rate limiting protects against abuse
- Content Security Policy (CSP) prevents unauthorised scripts
- Server log files contain no financial data and are retained for a maximum of 30 days
8. Cookies
StatementBridge uses the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session | Essential | Login status and application functionality | 24 hours |
| session_token | Essential | Identification for conversion limit (anonymous users) | 30 days |
| cookie_consent | Essential | Remembering your cookie preferences | 1 year |
| csrf_token | Essential | Protection against cross-site request forgery (CSRF) | 24 hours |
We do not use tracking or advertising cookies.
9. Complaints
If you have a complaint about the processing of your personal data, please contact us at info@fiduro.nl. You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).
10. Data breaches
In the event of a security incident involving personal data, FIDURO will report this to the Dutch Data Protection Authority within 72 hours if the incident poses a risk to the rights and freedoms of data subjects (Art. 33 GDPR). Data subjects will be informed if the incident poses a high risk (Art. 34 GDPR). You can report security incidents to info@fiduro.nl.
11. Changes
We reserve the right to amend this privacy policy. Significant changes will be communicated through the application. The most recent version is always available on this page.