Privacy Policy

March 5, 2026

Your Privacy Matters

Credia BV is a Brussels-based fintech SaaS platform that helps Belgian SMEs benchmark loan term sheets using artificial intelligence. We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This privacy policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR).

What Data We Collect

We collect the following types of personal data:

  • Email address: Used for account authentication and communication.
  • IP address hash: For security and fraud detection, we hash your IP address using HMAC-SHA256 with a server-side secret. We do not store your actual IP address — only the hash output. The hash is used to detect suspicious login patterns and abuse. The hashing secret is stored securely (never logged) and rotated periodically. Hashed IP addresses are retained for 30 days and then deleted.
  • Device information (collected automatically): Browser type, operating system version, and screen resolution for security and platform optimization. We do not collect hardware identifiers (IMEI, serial numbers), advertising IDs, or browser fingerprinting data.
  • Usage data: Interactions with the platform, features used, and timestamps to improve our service.
  • Uploaded documents: Term sheet PDFs containing borrower names, bank names, VAT numbers, and loan amounts for analysis.
  • Extracted data: 78 standardized fields automatically extracted from your documents (margins, fees, covenants, tenor, and other loan characteristics).

Data minimization: We collect only data necessary for the service to function or for the legitimate purposes stated above. You may contact privacy@credia.pro to inquire about opting out of non-essential data collection.

How We Use Your Data

We use your personal data for the following purposes:

  • Account management and communication: Send service updates, respond to support requests, and notify you of changes.
  • Analyse term sheets and provide extraction results: Extract standardized fields from your documents and present them in a structured format.
  • Improve our AI model: Train and refine our extraction algorithms to provide more accurate benchmarking comparisons and scoring recommendations.
  • Generate benchmarking reports: Compare your loan terms against pseudonymized market data to provide scoring and recommendations.
  • Market intelligence and data products: Use anonymized, aggregated data (which contains no personal data per GDPR Recital 26) to produce benchmark reports, market intelligence products, and statistical analyses for third parties. Individual users and transactions are never identifiable in these products. You may opt out of contributing to aggregated datasets at any time via Settings > Privacy Center or by contacting privacy@credia.pro.

Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6: (1) Contract performance (Article 6(1)(b)) for AI-powered term sheet extraction and analysis, (2) Legitimate interest (Article 6(1)(f)) for benchmarking comparisons, service improvement, and production of anonymized market intelligence products (see Section 3), and (3) Consent (Article 6(1)(a)) only for future marketing communications. You may withdraw consent for marketing emails at any time without affecting other processing. Note: anonymized, aggregated data products do not constitute personal data processing (GDPR Recital 26) and are therefore not subject to consent withdrawal, though you may opt out of future data contribution.

AI Processing and Data Processors

We use the following third-party processors to deliver our AI-powered analysis. All processors have Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) in place:

  • Anthropic (Claude API): Processes your term sheets for extraction. Located in USA. Our Data Processing Agreement with Anthropic (compliant with Art. 28 GDPR) explicitly prohibits use of your data for model training. All data is deleted within 30 days of processing. This restriction is contractually binding. DPA available upon request to privacy@credia.pro.
  • Vercel: Hosts our frontend application. Located in USA. Standard Contractual Clauses apply.
  • Neon: Provides database hosting (free tier). Located in USA. Standard Contractual Clauses apply.
  • Google Cloud Platform (GCP): Backend services. Located in Belgium (EU). Standard Contractual Clauses apply.
  • Stripe: Processes payments and billing. Located in USA and Ireland. Standard Contractual Clauses apply.
  • Sentry: Error monitoring and debugging. Located in USA. Configured with PII scrubbing to prevent sensitive data logging. Standard Contractual Clauses apply.
  • Resend: Email delivery service. Located in USA. Standard Contractual Clauses apply.

All seven processors listed above have executed Data Processing Agreements (DPAs) as required by GDPR Article 28, including instructions to process data only per our direction, guarantees of confidentiality and security, restrictions on sub-processing, and Standard Contractual Clauses (SCCs) for transfers outside the EU/EEA. Contact privacy@credia.pro to request a copy of any processor's DPA. If we add or change processors, we will notify you by email at least 15 days in advance.

Pseudonymization and De-identification

We apply privacy-enhancing pseudonymization techniques to your extracted data: K-anonymity (k≥5) ensures that each record in an aggregated dataset is indistinguishable from at least 4 others, so no individual record can be singled out. Bank names are replaced with HMAC-SHA256 hashes using a server-side secret, and loan amounts are banded into ranges to reduce re-identification risk. Important: pseudonymized data remains GDPR-regulated because re-identification is theoretically possible. Your data subject rights (access, erasure, portability) therefore apply to pseudonymized data. You may opt out of benchmarking and request deletion of your pseudonymized data at any time by contacting privacy@credia.pro.

Anonymized, aggregated data that meets our k-anonymity threshold (k≥5) and has been stripped of all direct and indirect identifiers qualifies as non-personal data under GDPR Recital 26. Such data may be used for market intelligence products without individual consent, as re-identification is not reasonably likely. You retain the right to opt out of future data contribution via Settings > Privacy Center.
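As an added illustration (not Credia's code), the following shows how the three measures described in this section and the IP hashing in "What Data We Collect" fit together: HMAC-SHA256 keyed with a server-side secret, banding of loan amounts, and suppression of any group smaller than k=5 before aggregation. The secret value, the band boundaries and the sample loans are constructed assumptions, not values from the policy.

```python
import hmac
import hashlib
from collections import Counter

# Server-side secret: in production this comes from a secrets manager and is
# rotated; the literal below is a constructed placeholder for this example.
SERVER_SECRET = b"example-secret-rotate-me"

def pseudonymize(value: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 of an identifier (bank name or client IP) under a secret.
    Unlike a plain SHA-256, the output cannot be reversed by enumerating the
    small space of bank names or IPv4 addresses without the secret."""
    return hmac.new(secret, value.strip().lower().encode(), hashlib.sha256).hexdigest()

# Band boundaries are an assumption; the policy only says amounts are banded.
AMOUNT_BANDS = [(250_000, "<250k"), (1_000_000, "250k-1M"), (5_000_000, "1M-5M")]

def band_amount(amount: float) -> str:
    """Coarsen an exact loan amount into a range label (a quasi-identifier)."""
    for upper, label in AMOUNT_BANDS:
        if amount < upper:
            return label
    return ">=5M"

def pseudonymize_record(rec: dict, secret: bytes = SERVER_SECRET) -> dict:
    """Replace the direct identifier (bank) and coarsen the loan amount."""
    return {"bank": pseudonymize(rec["bank"], secret),
            "amount_band": band_amount(rec["amount"]),
            "margin_bps": rec["margin_bps"]}

def k_anonymize(records: list, k: int = 5) -> list:
    """Keep only records whose (bank, amount_band) combination is shared by
    at least k records; smaller groups are suppressed entirely so that no
    record can be singled out in the aggregate."""
    groups = Counter((r["bank"], r["amount_band"]) for r in records)
    return [r for r in records if groups[(r["bank"], r["amount_band"])] >= k]

def aggregate(records: list, k: int = 5) -> list:
    """Full pipeline: pseudonymize every record, then apply k-anonymity."""
    return k_anonymize([pseudonymize_record(r) for r in records], k)

# Constructed sample: six comparable loans at one bank, two at another.
SAMPLE = [{"bank": "Bank A", "amount": 400_000 + 10_000 * i, "margin_bps": 150 + i}
          for i in range(6)]
SAMPLE += [{"bank": "Bank B", "amount": 2_000_000, "margin_bps": 120},
           {"bank": "Bank B", "amount": 3_000_000, "margin_bps": 125}]

if __name__ == "__main__":
    # Bank B's two loans form a group of size 2 and are dropped; six remain.
    print(len(aggregate(SAMPLE)), "records survive k-anonymity")
```

Rotating the secret changes every pseudonym, which is what prevents long-term linkage across rotation periods; the banked-amount group of two at Bank B is removed because it would let a reader single out those loans.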

Data Retention

We retain your personal data for the following periods:

  • Account data: retained for the duration of your active account plus 30 days after deletion.
  • Uploaded PDFs: retained for 30 days after extraction to allow you to review and re-download; after this period PDFs are automatically deleted unless you opt in to extended storage (up to 24 months for Pro, 12 months for free tier) for your convenience. Extended PDF retention is based on your explicit consent (Art. 6(1)(a)).
  • Extracted data (78 fields): retained for the duration of your account.
  • Pseudonymized benchmarking data: retained for the duration of your account plus 30 days; you may opt out of benchmarking at any time.
  • Error logs: retained for 30 days.
  • Inactive accounts (no login for 18+ months): deleted with 30 days' prior email notice, including instructions to export your data before deletion.

After deletion, data is permanently purged within 30 days except for legally required records.

Your Rights

Under GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your data, subject to a 30-day grace period before permanent purge.
  • Right to data portability: Request your data in a machine-readable format for transfer to another service.
  • Right to restriction: Request that we limit processing of your data in certain circumstances.
  • Right to object: Object to benchmarking comparisons and legitimate interest processing.
  • Right to withdraw consent: Withdraw consent for marketing emails and non-essential processing.
  • Right to complain: You may lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit). Postal address: Drukpersstraat 35, 1000 Brussels, Belgium. Email: contact@apd-gba.be. Website: www.gegevensbeschermingsautoriteit.be. Complaints are free, confidential, and do not require a lawyer.

To exercise your rights, submit a request to privacy@credia.pro with your full name, the email address associated with your Credia account, and a description of which right you are exercising. We will acknowledge receipt within 3 business days and verify your identity. For straightforward requests, we respond fully within 30 days. For complex requests, we may extend the response period by up to 2 months and will notify you within 30 days. Data access requests are provided in a machine-readable format (CSV, JSON, or PDF). For urgent matters, email privacy@credia.pro with 'URGENT DSAR' in the subject. All responses are free of charge.

Cookies and Tracking

Credia uses technically essential cookies and local storage, which are exempt from consent requirements: (1) session_id — maintains your login state, expires at session end; (2) csrf_token — CSRF protection, expires at session end; (3) locale — stores your language preference, expires after 1 year. We also use Google Analytics (GA4) for anonymized usage insights — this is loaded only after you give explicit consent via our consent banner. We do not use advertising or marketing cookies, tracking pixels, fingerprinting scripts, or retargeting cookies. Our processors (Vercel, GCP) do not inject tracking cookies into your browser. We may store authentication tokens in your browser's localStorage; these are removed when you log out. If we introduce additional non-essential cookies in the future, we will provide explicit consent mechanisms and update this section with 30 days' notice.

International Data Transfers

Some of our processors are located in the United States. All US-based transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission. We maintain Data Processing Agreements with all seven processors that include SCCs and other safeguards. The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) is our supervisory authority.

Automated Decision-Making

Credia's scoring algorithm scores your loan characteristics against aggregated benchmarking data. The score is informational and advisory — Credia does not make binding decisions about your creditworthiness or loan eligibility. Under GDPR Art. 22, you have the right not to be subject to automated decision-making that produces legal or similarly significant effects. Credia's scoring does not directly produce such effects; the decision to approve or deny your loan remains with your bank or lender. However, if your bank uses Credia's score in an automated lending decision without human review, Art. 22 may apply to that decision. We recommend requesting human review from your bank if such a decision is made. Our scoring weights are: margin (35%), fees (15%), covenants (30%), structure (20%). You can review the underlying data and audit the scoring logic at any time. You may request manual review by contacting privacy@credia.pro. Credia does not engage in automated profiling for predicting financial behavior.

Data Breach Notification

If a personal data breach occurs that poses a risk to your rights or freedoms, we will notify you by email without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: a description of the breach, its likely consequences, measures taken to address it, and your rights and contact information. We will also notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) within 72 hours if the breach poses significant risk. We will not notify you if the breach is unlikely to result in risk (e.g., a breach of encrypted data where the encryption key was not compromised).

Contact Us

For privacy inquiries, data subject access requests, or to exercise any of your rights, contact: Credia BV, Data Protection Contact: Luca Burigat, privacy@credia.pro. For legal inquiries: legal@credia.pro. Supervisory authority: Belgian Data Protection Authority (Gegevensbeschermingsautoriteit), Drukpersstraat 35, 1000 Brussel, Belgium, www.gegevensbeschermingsautoriteit.be.

Credia

Brussels, Belgium

privacy@credia.pro

Policy Updates

We may update this privacy policy to reflect changes in our practices or applicable law. We will notify you of material changes by email or through the platform. Your continued use of Credia constitutes acceptance of the updated policy.