Privacy Policy
Last updated: 1 March 2026
1. Who are we?
StatementBridge is a service provided by FIDURO B.V., located at Stephensonweg 6, 4207 HB Gorinchem, the Netherlands. Chamber of Commerce (KvK) number: 78200695. VAT number: NL861300221B01.
For questions about this privacy policy or your personal data, please contact us at info@fiduro.nl or by phone at +31 183 201077.
2. What personal data do we process?
We process the following categories of personal data:
2.1 Account data
- Email address — for authentication and account management
- Password — stored as a bcrypt hash (not readable)
- Display name — optional, for personalisation
- Language preference and theme setting — for user experience
2.2 Conversion data
- Uploaded files — deleted from our servers immediately after processing
- Conversion counter — the number of conversions performed per month, used to enforce plan limits. The counter contains no substantive data (no IBANs, file names or transaction details).
- Generated files — available for download during your session, then automatically deleted
2.3 Technical data
- IP address — recorded when accepting the terms and conditions (legal proof of consent)
- User agent — recorded when accepting the terms and conditions
- Session information — for the functioning of the application
2.4 Payment data
- Stripe customer ID — for managing your subscription
- Payment details (credit card, iDEAL) are processed exclusively by Stripe. We do not store any payment details.
2.5 API keys (optional)
- LLM API key — if you use AI PDF extraction, your API key is stored in encrypted form (AES-128/Fernet)
3. What do we use your data for?
| Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|
| Creating and managing your account | Performance of contract (Art. 6.1b) | Until you delete your account |
| Performing file conversions | Performance of contract (Art. 6.1b) | Files: immediately after processing. Conversion counter: as long as the account is active. |
| Subscription management and billing | Performance of contract (Art. 6.1b) | Until you delete your account |
| Recording acceptance of terms and conditions | Legal obligation (Art. 6.1c) | Until you delete your account |
| Technical functioning and security | Legitimate interest (Art. 6.1f) | Session data: 24 hours |
4. Two processing flows
StatementBridge has two processing flows with different risk profiles:
4.1 Deterministic conversion (default)
When converting structured formats (MT940, CAMT.053, CSV, Excel, OFX, CODA), your files are processed exclusively on our EU servers (Frankfurt). No data is sent to external parties. The conversion is deterministic: transactions are transferred exactly, without interpretation.
4.2 AI PDF extraction (optional)
With AI PDF extraction, the full text content of your PDF file — including transaction descriptions, amounts, dates, account numbers and names — is sent to an external AI provider for processing:
- Anthropic (San Francisco, USA) — if you select Anthropic as your provider
- OpenAI (San Francisco, USA) — if you select OpenAI as your provider
These service providers are based in the United States. The transfer takes place on the basis of Standard Contractual Clauses (SCCs) maintained by these parties in accordance with Art. 46.2c GDPR.
Important: You choose whether to use this feature. When using AI extraction, your own API key is used. The processing takes place under your own agreement with the relevant AI provider. We recommend that you do not process files containing sensitive personal data (such as credit card numbers or personal names in transaction descriptions) through AI extraction.
5. Third parties and sub-processors
| Party | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | USA (SCCs apply) |
| Render.com | Application hosting | EU (Frankfurt) |
| Anthropic (optional) | AI PDF extraction (only at user's request) | USA (SCCs apply) |
| OpenAI (optional) | AI PDF extraction (only at user's request) | USA (SCCs apply) |
For the formal data processing agreement, see our Data Processing Agreement.
6. Your rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15) — You may request an overview of the personal data we process about you.
- Right to rectification (Art. 16) — You may have incorrect data corrected through your account settings.
- Right to erasure (Art. 17) — You may delete your account and all associated data through the account settings in the application.
- Right to data portability (Art. 20) — You may request an export of your personal data in JSON format through the application.
- Right to restriction of processing (Art. 18) — You may request that we restrict the processing of your data.
- Right to object (Art. 21) — You may object to processing based on legitimate interest.
To exercise these rights, please contact us at info@fiduro.nl. We will respond to your request within 30 days.
7. Security
We take appropriate technical and organisational measures to protect your personal data:
- All communication is conducted over HTTPS (TLS encryption)
- Passwords are stored as bcrypt hashes
- API keys are stored encrypted with AES-128 (Fernet)
- Uploaded files are deleted immediately after processing
- Session cookies are secured (HttpOnly, Secure, SameSite=Strict)
- Rate limiting protects against abuse
- Content Security Policy (CSP) prevents unauthorised scripts
- Server log files contain no financial data and are retained for a maximum of 30 days
8. Cookies
StatementBridge uses the following cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| session | Essential | Login status and application functionality | 24 hours |
| session_token | Essential | Identification for conversion limit (anonymous users) | 30 days |
| cookie_consent | Essential | Remembering your cookie preferences | 1 year |
| csrf_token | Essential | Protection against cross-site request forgery (CSRF) | 24 hours |
We do not use tracking or advertising cookies.
9. Complaints
If you have a complaint about the processing of your personal data, please contact us at info@fiduro.nl. You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).
10. Data breaches
In the event of a security incident involving personal data, FIDURO will report this to the Dutch Data Protection Authority within 72 hours if the incident poses a risk to the rights and freedoms of data subjects (Art. 33 GDPR). Data subjects will be informed if the incident poses a high risk (Art. 34 GDPR). You can report security incidents to info@fiduro.nl.
11. Changes
We reserve the right to amend this privacy policy. Significant changes will be communicated through the application. The most recent version is always available on this page.