Privacy Policy

Last updated: May 24, 2026

Summary. Tier 0: your statement never leaves your computer. Tier 1 (AI): your PDF is sent to our server and on to Anthropic's Claude API for extraction, is discarded from our server as soon as the response is returned, is never stored by us, and is never used to train any model (Anthropic may retain requests briefly for abuse detection; see section 3).

1. Data controller

Walid El Omari, sole trader registered in Morocco. Contact: contact@walidelomari.com. Target compliance: Law 09-08 (Morocco, protection of natural persons with regard to the processing of personal data) and GDPR (EU Regulation 2016/679) for European users.

2. Tier 0: 100% local processing

On the pages for supported banks (Attijariwafa, CIH, etc.), your PDF bank statement is read and parsed entirely in your browser using the pdf.js library. No statement data, no metadata, no excerpt of the content is sent to our servers or to any third party.

Usage counter (anti-abuse). Before each conversion, a single HTTP request is sent to our server to increment a counter (5 conversions/day for guests, 15/day for signed-in users). This request contains only your IP address (guest mode) or your account identifier. The PDF content is never sent.

You can verify this yourself: open the “Network” tab of your browser's developer tools before selecting a file (the tab only records requests made after it is opened), then run a conversion. The only request you will see is a POST to /api/tier0, which carries no body.
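As an added example (not the site's code and not part of this policy), the script below automates the Network-tab check described above for Tier 0. It wraps fetch so that every outgoing request is recorded, then audits the log against the behaviour the policy states: a bodyless POST to /api/tier0 and nothing else. The path and method come from section 2; the site origin https://example.invalid, the fake fetch target used in the demo, and the helper names are assumptions.

```javascript
// Added example: automated version of the "check the Network tab" test for
// Tier 0. Not the site's own code. Assumed: the site origin below and the
// fake fetch target used in demo(); the expected request comes from the policy.

const EXPECTED = { method: "POST", path: "/api/tier0" }; // stated in the policy

// Best-effort body size in bytes; -1 when it cannot be measured (FormData,
// ReadableStream), which the audit treats as "carried a body".
function bodySize(body) {
  if (body == null) return 0;
  if (typeof body === "string") return new TextEncoder().encode(body).length;
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) return body.byteLength;
  if (typeof Blob !== "undefined" && body instanceof Blob) return body.size;
  if (typeof URLSearchParams !== "undefined" && body instanceof URLSearchParams) {
    return new TextEncoder().encode(body.toString()).length;
  }
  return -1;
}

// Replaces target.fetch (window.fetch in a browser) with a recording wrapper.
// Returns a function that restores the original fetch.
function installFetchAudit(target, log) {
  const original = target.fetch;
  target.fetch = function (input, init = {}) {
    const url = typeof input === "string" ? input : String(input.url ?? input);
    const method = (init.method || (typeof input === "object" && input.method) || "GET").toUpperCase();
    log.push({ method, url, bodyBytes: bodySize(init.body) }); // recorded before the request is sent
    return original.call(target, input, init);
  };
  return () => { target.fetch = original; };
}

// Classifies every recorded request against the policy.
// "violation": contradicts the policy (a body on /api/tier0, or any request carrying data).
// "review": not mentioned by the policy (e.g. a worker script fetched from another origin);
// possibly harmless, but worth a look.
function auditRequests(log, origin) {
  const findings = [];
  let counterCalls = 0;
  for (const req of log) {
    const u = new URL(req.url, origin);
    const sameOrigin = u.origin === origin;
    const isCounter = sameOrigin && req.method === EXPECTED.method && u.pathname === EXPECTED.path;
    if (isCounter) counterCalls += 1;
    if (isCounter && req.bodyBytes === 0) continue; // exactly what the policy describes
    if (isCounter) findings.push({ ...req, level: "violation", why: "/api/tier0 carried a body" });
    else if (req.bodyBytes !== 0) findings.push({ ...req, level: "violation", why: "request carried a body" });
    else if (!sameOrigin) findings.push({ ...req, level: "review", why: "request left the site origin" });
    else findings.push({ ...req, level: "review", why: "unexpected same-origin request" });
  }
  return { counterCalls, findings };
}

// Demo on a constructed, network-free stand-in for window: a compliant Tier 0
// session, then a constructed leak of PDF bytes, then a cross-origin asset load.
async function demo() {
  const origin = "https://example.invalid"; // assumption; use location.origin in a real page
  const target = { fetch: async () => ({ ok: true }) };
  const log = [];
  const restore = installFetchAudit(target, log);
  await target.fetch("/api/tier0", { method: "POST" });
  await target.fetch("/api/tier0", { method: "POST", body: new Uint8Array(4096) }); // constructed leak
  await target.fetch("https://cdn.example.invalid/pdf.worker.min.js");             // constructed asset
  restore();
  return auditRequests(log, origin);
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The wrapper only sees calls that go through fetch; XMLHttpRequest, navigator.sendBeacon, WebSocket, image beacons and script tags bypass it, so the browser's Network tab remains the authoritative view and this script is a complement, not a replacement. Running it in the page console on a real conversion should yield counterCalls of 1 and an empty findings list.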

3. Tier 1: AI processing (server)

On the /conversion-ia page, the PDF is sent to our server (Vercel, Frankfurt region fra1) then to the Anthropic Claude API (Haiku 4.5) for structured extraction.

Retention:

  • The PDF is handled in RAM only, never written to disk.
  • It is released from memory as soon as the JSON response has been sent; in practice the whole request, and therefore the PDF's lifetime in memory, lasts under 30 seconds.
  • No copy is kept by our servers.
  • Anthropic does not use API traffic to train its models (no-training-on-API policy by default).
  • Anthropic may retain requests for up to 30 days for abuse detection; see its policy.

If you process statements containing personal data of third parties (clients of an accounting firm, for example), you are the primary data controller and we act as processor within the meaning of the GDPR. A Data Processing Agreement (DPA) can be signed on request.

4. Account data

To use Tier 1, an account is created through Clerk. Data collected:

  • Email address (identifier)
  • Name (optional)
  • Profile photo (if sign-in via Google/Microsoft/Apple)
  • Sign-up date, last sign-in, sign-in IP address

This data is stored by Clerk Inc. (United States), with Standard Contractual Clauses (SCC) for transfer outside the EU. See the Clerk policy.

5. Billing data

Payments are processed by Paddle.com Market Limited (United Kingdom), Merchant of Record. Paddle collects your billing data (name, address, tokenized card number, country for VAT). We only receive a customer identifier and subscription status, never the card number. See the Paddle policy.

6. Usage counters

To enforce quotas (3 free AI conversions/month, 20/month for Tier 1), we store in a Redis database (Upstash, EU region):

  • Your Clerk user identifier
  • Conversion counter for the current quota period (a rolling 30-day window, not a calendar month)
  • Timestamp of the last conversion

No statement content is stored in Redis. Counters expire automatically after 30 days of inactivity.

7. Cookies and trackers

Strictly necessary cookies:

  • Clerk session cookies (authentication)
  • Paddle cookies (payment, only on the checkout page)

No analytics, advertising, or social-network cookies are set on the conversion pages. This is deliberate to protect the confidentiality of statements displayed on screen.

8. Your rights

Under Law 09-08 and the GDPR, you have rights of access, rectification, erasure, portability, restriction, and objection. To exercise these rights, write to contact@walidelomari.com from the email address tied to your account. Response within 30 days.

You can also delete your account at any time from your customer portal (immediate deletion of all account data and Redis counters).

Complaint: National Commission for the Protection of Personal Data (CNDP, Morocco) or the data-protection authority of your country of residence in the EU.

9. Security

HTTPS is enforced (HSTS) and strict security headers are set (CSP, X-Frame-Options, Referrer-Policy). Authentication is delegated to Clerk, a SOC 2 certified provider. No secret is shipped to the client; API keys are stored as encrypted environment variables on Vercel.

10. Sub-processors

To deliver the Service, we rely on:

  • Vercel Inc. (United States): hosting, edge network. Execution region: Frankfurt (fra1).
  • Anthropic PBC (United States): Claude API for AI extraction (Tier 1 only).
  • Clerk Inc. (United States): authentication.
  • Upstash Inc. (United States, EU data region): Redis quota counters.
  • Paddle.com Market Limited (United Kingdom): billing, Merchant of Record.

11. Changes

Any substantial change to this policy will be notified by email to registered users, with 30 days’ notice.