Privacy Policy
Last updated: February 16, 2026
This Privacy Policy explains how Rivofin (“we”, “us”, or “our”) collects, uses, stores, and protects your personal data when you use our bank statement management platform (the “Service”). We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Scope and Applicability
This Privacy Policy applies to all personal data processed by Rivofin in connection with the Service, including data you provide directly, data collected automatically, and data received from your organization.
Rivofin acts as a data controller for personal data related to your account, usage of the Service, and our business relationship with you. When you upload bank statements or financial documents containing personal data of your clients or third parties, Rivofin acts as a data processor on your behalf. The processing of such data is governed by our Data Processing Agreement.
Key Definitions
The following terms are used throughout this Privacy Policy:
- “Service” means the Rivofin bank statement management platform, including the website, application, and API.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- “Data Controller” means the entity that determines the purposes and means of processing Personal Data.
- “Data Processor” means the entity that processes Personal Data on behalf of a Data Controller.
- “Sub-processor” means a third party engaged by Rivofin to process Personal Data.
- “Client Data” means Personal Data contained in bank statements, financial documents, and related content that you upload to the Service.
1. Data Controller
Rivofin is the data controller responsible for your personal data. If you have questions about this Privacy Policy or our data practices, you can contact us at:
- Email: privacy@rivofin.com
1.1 Data Protection Officer
We have appointed a Data Protection Officer (DPO) in accordance with Albanian Law No. 124/2024 on Personal Data Protection. You can contact our DPO for any questions regarding the processing of your personal data or the exercise of your rights:
- Email: dpo@rivofin.com
2. Personal Data We Collect
We only collect personal data that is necessary for the purposes described in this policy (GDPR Art. 5(1)(c) — data minimization). We collect the following categories of personal data:
2.1 Account Information
- Name and email address
- Password (stored in hashed form using industry-standard algorithms)
- Organization name and details
- Billing information (if applicable)
2.2 Uploaded Content
- Bank statements (PDF files)
- Transaction data extracted from statements
- Client and counterparty information you create
- Reference documents (invoices, payments) you upload
- Any other data you choose to upload
2.3 Usage Data
- Log data (IP address, browser type, access times)
- Device information
- Pages viewed and features used
- Error reports and performance data
2.4 Cookies and Local Storage
We use the following cookies and similar technologies:
| Cookie | Type | Purpose | Duration | Legal Basis |
|---|---|---|---|---|
| Session cookie | Essential (first-party) | Authentication and session management | 7 days (renewed on activity) | Necessary for service operation |
| CSRF token | Essential (first-party) | Cross-site request forgery protection | Session | Necessary for service operation |
| Sidebar state | Essential (first-party) | Remembers sidebar open/closed preference | 7 days | Necessary for service operation |
| Locale preference | Local storage | Stores your language preference in browser local storage | 1 year | Necessary for service operation |
The Service uses only essential cookies strictly necessary for its operation. We do not use analytics, marketing, or tracking cookies. Because these cookies are essential for the Service to function, they are exempt from consent requirements under the ePrivacy Directive (2002/58/EC). If we introduce non-essential cookies in the future, we will update this policy and obtain your explicit consent before setting them.
2.5 Categories of Data Sources
We collect personal data from the following sources:
- Directly from you: Account registration, profile updates, uploaded documents, support requests, and feedback
- From your organization: If your account is created or managed by an organization administrator, they may provide your name and email address
- Automatically via the Service: Log data, device information, cookies, and local storage as described in Sections 2.3 and 2.4
- From third-party service providers: Authentication providers (if you sign in via a third-party service), payment processors (transaction confirmation)
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service | Performance of contract |
| Processing your bank statements and extracting transaction data using AI | Performance of contract |
| Account management and authentication | Performance of contract |
| Sending service-related communications | Performance of contract |
| Billing and payment processing | Performance of contract |
| Improving and developing the Service | Legitimate interest (our interest in understanding usage patterns to improve service reliability and user experience, balanced against the minimal privacy impact of aggregated usage data) |
| Security and fraud prevention | Legitimate interest (our interest in protecting our infrastructure and users from unauthorized access, fraud, and abuse) |
| Compliance with legal obligations | Legal obligation |
| Newsletter communications | Consent (opt-in via signup form) |
| Marketing communications (if opted in) | Consent |
3.1 Legitimate Interest Balancing
We conduct documented balancing tests for each legitimate interest purpose, weighing our interests against the impact on your rights and freedoms. These assessments are available upon request by contacting privacy@rivofin.com.
3.2 Statutory and Contractual Requirements
Providing your name and email address is a contractual requirement necessary to create and maintain your account. Without this information, we cannot provide the Service to you. Providing billing information is required if you subscribe to a paid plan. All other data you upload (bank statements, reference documents) is provided voluntarily and at your discretion.
4. AI and Automated Processing
The Service uses artificial intelligence to automatically extract transaction data from uploaded bank statements. This includes:
- Optical character recognition (OCR) to read PDF documents
- AI-powered extraction of transaction details (dates, amounts, descriptions)
- Automated counterparty matching and categorization
This processing is performed solely to provide the Service and is based on the performance of our contract with you (GDPR Art. 6(1)(b)). The AI processing does not make decisions that produce legal effects or similarly significantly affect you. All extracted data is presented for your review and can be corrected or deleted at any time.
Rivofin's AI is used primarily for document parsing, data extraction, and related processing tasks. The Service does not perform credit scoring, creditworthiness assessment, risk evaluation, or any form of automated decision-making that produces legal effects concerning individuals. The Service is not classified as a high-risk AI system under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we disclose that AI-generated or AI-assisted content is used in the document processing pipeline of the Service. Specifically, transaction data, counterparty names, and categorizations extracted from uploaded bank statements are produced with the assistance of AI systems. Users should review all AI-extracted data before relying on it. The term “artificial intelligence system” is used in this policy as defined in Article 3 of the EU AI Act.
In any event, you retain the right to obtain human intervention, to express your point of view, and to contest any automated decision. To exercise these rights, contact us at privacy@rivofin.com.
We do not use your uploaded content to train AI models. Your financial data is processed only to deliver results to you and is not shared with AI model providers for training purposes.
4.1 AI Service Providers
The Service currently uses the following AI providers for document processing:
- Google Gemini (accessed via OpenRouter): Used for OCR and transaction data extraction from bank statements. Bank statement content is transmitted to the AI provider for processing and is not retained by the AI provider after processing is complete. Google's data handling is governed by their data processing terms, which prohibit the use of customer data for model training.
We will update this section if we change or add AI providers. AI inputs and outputs are logged within the Service for quality assurance and debugging purposes, and are subject to the same retention periods as uploaded content (see Section 7).
Bank statements uploaded to the Service may contain personal data of third parties (such as counterparty names and account numbers). Rivofin processes this data as a processor on behalf of the uploading user (the data controller). If you believe your personal data has been processed through our Service by another user, please contact the user who uploaded the data or reach out to us at privacy@rivofin.com so we can assist in directing your request.
5. Data Sharing and Sub-processors
We do not sell your personal data. We may share your data only with the recipients described in this section.
5.1 Sub-processors
We use the following third-party service providers (sub-processors) to operate the Service:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Vercel Inc. | Application hosting, deployment, and edge network | All application data in transit, server logs | United States |
| Neon Inc. | Database hosting (PostgreSQL) | All persistent application data (encrypted at rest) | United States |
| Vercel Blob Storage | File storage for uploaded documents | Uploaded bank statements (PDF files) | United States |
| OpenRouter Inc. | AI model routing and orchestration | Bank statement content for document processing | United States |
| Google LLC (Gemini) | AI-powered document processing and data extraction | Bank statement content for OCR and transaction extraction (accessed via OpenRouter) | United States |
| Stripe Inc. | Payment processing and subscription billing | Email address, billing details, payment method | United States |
| Resend Inc. | Transactional email delivery | Email addresses, user names, email content | United States |
| Inngest Inc. | Background job orchestration | Event metadata, job identifiers | United States |
All sub-processors are bound by data processing agreements that require them to protect your data to the same standards as this Privacy Policy. We conduct transfer impact assessments for all non-EEA transfers. We will notify registered users by email at least 30 days before adding or replacing a sub-processor. You may object to a sub-processor change on reasonable data protection grounds by contacting privacy@rivofin.com.
5.2 Legal Requirements
We may disclose your data if required by law, court order, or governmental authority, or to protect our rights, property, or safety.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you at least 30 days in advance and provide the option to delete your account before the transfer.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States (see sub-processor list above). When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with an EU adequacy decision
- Supplementary measures where necessary, as recommended by the European Data Protection Board
For transfers of UK personal data, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
For transfers of Swiss personal data, we rely on the Standard Contractual Clauses recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Where applicable, we also rely on the EU-US Data Privacy Framework (DPF) for transfers to certified US organizations. You can verify the DPF certification status of our sub-processors at www.dataprivacyframework.gov.
The following sub-processors are certified under the EU-US Data Privacy Framework: Vercel Inc., Google LLC, Stripe Inc., and Inngest Inc. You can verify their certification status at the link above. Sub-processors that are not DPF-certified are covered by Standard Contractual Clauses as described above.
You can request a copy of the safeguards we use by contacting privacy@rivofin.com.
7. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account; deleted immediately upon account deletion |
| Uploaded bank statements and extracted data | 90 days from upload, or immediately upon account deletion |
| Audit logs | 2 years from creation |
| Server/access logs | 90 days |
| Billing records | As required by tax law (typically 5-7 years) |
| Support correspondence | 2 years from last interaction |
| Database backups | 30 days (rolling) |
When you delete your account, we will delete or anonymize your personal data within 30 days, unless we are required to retain it for legal purposes. Data in rolling backups will be purged as backups naturally expire.
7.1 Records of Processing Activities
We maintain Records of Processing Activities (ROPA) in accordance with GDPR Article 30 and Albanian Law No. 124/2024. A summary of our processing activities is available upon request by contacting privacy@rivofin.com.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256-GCM with managed encryption keys stored securely and separately from the encrypted data)
- Passwords hashed using scrypt with per-user salts
- Two-factor authentication (TOTP) available for all accounts
- Regular security assessments and monitoring
- Role-based access controls
- Secure data centers with physical security measures (SOC 2 certified providers)
- Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities, including AI-powered document processing, in accordance with GDPR Article 35
- A vulnerability disclosure policy for responsible reporting of security issues
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
- Provide details of the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach
- Document all breaches, including those that do not require notification, in an internal breach register
10. Your Rights (GDPR)
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
10.1 Right of Access
You have the right to request a copy of the personal data we hold about you.
10.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data.
10.3 Right to Erasure (“Right to be Forgotten”)
You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
10.4 Right to Restriction of Processing
You have the right to request that we limit the processing of your personal data in certain circumstances.
10.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON) and to transmit it to another controller. You can export your data from the Service at any time using the built-in export features.
10.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
10.7 Right to Withdraw Consent
Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The relevant supervisory authority for Rivofin is the Information and Data Protection Commissioner of Albania (Komisioneri për të Drejtën e Informimit dhe Mbrojtjen e të Dhënave Personale, IDP), website: www.idp.al. If you are located in another EU/EEA country, you may also contact your local supervisory authority.
To exercise any of these rights, please contact us at privacy@rivofin.com. We will respond to your request within 30 days, as required by GDPR. If we need additional time (up to 60 more days for complex requests), we will inform you within the initial 30-day period.
11. Your Choices and Controls
You can exercise the following privacy controls directly through the Service without needing to contact us:
- Data export: Export your data at any time in CSV, JSON, or XLSX format using the built-in export features
- Account deletion: Delete your account through the account settings. This will trigger deletion of your personal data as described in Section 7
- Communication preferences: Unsubscribe from marketing emails using the link provided in each email
- Profile updates: Update or correct your account information at any time through the account settings
For rights that require our assistance (such as data access requests or objections to processing), please contact privacy@rivofin.com.
12. Region-Specific Rights
12.1 United Kingdom
If you are located in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You have the same rights as listed in Section 10 above. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
12.2 Switzerland
If you are located in Switzerland, your personal data is protected under the Swiss Federal Act on Data Protection (FADP). You have comparable rights to those listed in Section 10. You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch.
12.3 United States
We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), or other applicable US state privacy laws.
If you are a resident of California, Virginia, Colorado, Connecticut, or another US state with a comprehensive privacy law, you may have the following additional rights:
- Right to know: Request details about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it
- Right to delete: Request deletion of your personal information, subject to certain exceptions
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out of sale/sharing: We do not sell or share your personal information, so no opt-out is necessary
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights
To exercise these rights, contact us at privacy@rivofin.com. We will verify your identity before processing your request. If we decline your request, you may appeal by contacting us at the same address, and we will respond to your appeal within the timeframe required by applicable law.
12.4 Do Not Track and Global Privacy Control
Our Service currently does not respond to Do Not Track (DNT) browser signals. We honor the Global Privacy Control (GPC) signal as a valid opt-out request where required by applicable law.
13. Data Processing Agreement
When you use the Service to process bank statements or financial data belonging to your clients or other third parties, you act as the data controller for that data and Rivofin acts as a data processor on your behalf. Our Data Processing Agreement governs this relationship and is incorporated into our Terms of Service.
14. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately and we will delete it.
15. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on our website at least 30 days before they take effect. We review this Privacy Policy at least annually to ensure it remains accurate and compliant with applicable laws. We encourage you to review this policy periodically.
17. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@rivofin.com
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | February 16, 2026 | Initial version |
This document is also available in Shqip (Albanian).