Privacy Policy

wikbriefversturen.nl is a service of Credifin Nederland B.V. (hereinafter: "we", "us", or "our"). We attach great importance to the protection of your personal data and process it in accordance with the General Data Protection Regulation (GDPR).

1. Data Controller

The data controller for the processing of personal data via wikbriefversturen.nl is:

• Credifin Nederland B.V.
• Leijenberghlaan 199D, 1082 GG Amsterdam
• CoC: 34226691
• E-mail: [email protected]
• Phone: +31 20 345 2675

2. What personal data do we collect?

We collect and process the following categories of personal data:

Your account data

• E-mail address and password (encrypted)
• Company name, address details, and CoC number
• IBAN (for inclusion in the WIK letter)

Debtor data

• Name, address, and e-mail address of your debtor
• Invoice number, invoice amount, and due date

Usage data

• Creation and dispatch date of WIK letters
• Delivery status of sent e-mails
• Payment transactions (credits and subscriptions)

3. Purposes and legal bases

We process your personal data for the following purposes:

• Performance of the contract (Art. 6(1)(b) GDPR) — Creating, generating, and sending WIK letters, processing payments, and managing your account.
• Legal obligation (Art. 6(1)(c) GDPR) — Maintaining financial records in accordance with fiscal retention obligations.
• Legitimate interest (Art. 6(1)(f) GDPR) — Securing our service and preventing misuse.

4. Uploaded invoices

When you upload an invoice, our AI system reads it to automatically extract the relevant data (company details, debtor details, invoice amount, due date). After extraction, the uploaded file is immediately and automatically deleted from our servers. We do not store your invoices. Only the extracted data is retained for creating the WIK letter.

5. Retention periods

• Uploaded invoices — Deleted immediately after extraction (not stored).
• WIK letters and debtor data — Automatically deleted after 2 months. After this period, the letters and associated data are removed from your account. Only an anonymised monthly summary is retained (number of letters, total amounts).
• Payment data — 7 years in accordance with the statutory fiscal retention obligation.
• Account data — Until you delete your account.

6. Third parties and processors

We only share your personal data with third parties that are necessary for delivering our service. We have appropriate agreements or data processing agreements in place with all these parties.

• Supabase (EU) — Database hosting and authentication. Data is stored within the European Union.
• Cloudflare (EU/US) — Website and API hosting. Processing primarily takes place in European data centres.
• Stripe (EU/US) — Payment processing. Stripe is certified under the EU-US Data Privacy Framework.
• Resend (US) — Sending WIK letters by e-mail and transactional e-mails. E-mail addresses and letter content are processed for dispatch.
• Anthropic (US) — AI processing for reading uploaded invoices. Invoice data is processed via the Anthropic API; the uploaded file is not stored by Anthropic after processing. Anthropic does not use this data to train their AI models.

For the transfer of personal data to the United States, we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), and/or the data processing agreements of the relevant parties.

7. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or theft:

• All connections are encrypted via HTTPS/TLS
• Passwords are stored in hashed form (never in plain text)
• Row-Level Security (RLS) at the database level — you can only access your own data
• Optional two-factor authentication (2FA/MFA) for additional account security
• Rate limiting on sensitive API endpoints to prevent misuse

8. Your rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access — You can request which personal data we process about you.
• Right to rectification — You can have incorrect data corrected. You can do this yourself via your account settings.
• Right to erasure — You can have your account and all associated data deleted via the delete function in your account settings.
• Right to data portability — You can request a copy of your data in a common format.
• Right to restriction — You can request the restriction of the processing of your data.
• Right to object — You can object to the processing of your data.

You can exercise your rights by sending an e-mail to [email protected]. We will respond to your request within 30 days.

9. Cookies

We only use strictly necessary cookies for the functioning of the website. We do not place any analytical, marketing, or tracking cookies. For more information, please refer to our Cookie Policy.

10. Changes

We may amend this privacy policy from time to time. In the event of material changes, we will inform you by e-mail or via a notification on the website. The most recent version is always available on this page.

11. Filing a complaint

Do you disagree with the way we process your personal data? Please contact us first at [email protected]. If we are unable to resolve the matter together, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

• Website: autoriteitpersoonsgegevens.nl
• Phone: +31 88 1805 250

12. Contact

Do you have questions about this privacy policy or about the processing of your personal data? Please contact us:

• E-mail: [email protected]
• Phone: +31 20 345 2675
• Address: Leijenberghlaan 199D, 1082 GG Amsterdam

Credifin Nederland B.V. — CoC: 34226691