Kelaro

Privacy Policy

Last Updated: May 2026


1. Introduction

Welcome to Kelaro ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we process your personal data when you use Kelaro's website and services, and describes your rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Portuguese data protection law.


2. Important Information and Who We Are

Kelaro is the controller responsible for your personal data. If you have any questions about this privacy policy or wish to exercise your rights, please contact us at support@kelaro.io.


3. The Data We Collect About You

We may collect, use, store and transfer the following categories of personal data:

  • Identity Data: first name, last name, username or similar identifier.
  • Contact Data: email address.
  • Account & Billing Data: subscription tier, credit balance, invoice history, and payment metadata (we never store full card numbers — Stripe handles all card data).
  • Bank Account Data (Open Banking): when you connect a bank account, we receive — through our regulated PSD2 provider — your IBAN, account holder name, balances and transaction history for the accounts you authorise. We act as an Account Information Service User; we do not initiate payments.
  • Cloud Storage Authorisation Tokens: when you connect Google Drive or Microsoft OneDrive as an export destination, we store OAuth refresh tokens (encrypted at rest) so we can write your exported files to the folder/file you nominate. We do not read other files in your drive.
  • Document Data (PDF Bank Statements): the contents of any PDF statement you upload for conversion. See Section 4 for how this is processed.
  • Technical Data: IP address, login data, browser type and version, time zone, operating system and platform used to access the service.
  • Usage Data: information about how you use the service, including number of conversions performed, sync events, and feature interactions used for billing and abuse prevention.

4. How We Use Your Personal Data

We rely on the following lawful bases under GDPR Article 6:

  • Performance of a contract — to provide the conversion, sync and export features you have subscribed to.
  • Legal obligation — to comply with Portuguese tax and accounting record-keeping requirements, and EU consumer law obligations.
  • Legitimate interests — to secure the service, prevent fraud and abuse, debug issues, and improve product quality (balanced against your rights).
  • Consent — for non-essential analytics cookies and for connecting third-party accounts (banks, cloud storage). Consent can be withdrawn at any time.

How PDF Bank Statement Conversion Works

When you upload a PDF bank statement, it is sent over HTTPS to our server and queued for extraction. Extraction runs on infrastructure we operate ourselves (a self-hosted document-parsing service on our EU-located server). The PDF content is not sent to any third-party AI service.

The uploaded PDF file is held only transiently on the server: it is deleted from the staging volume immediately after the extraction worker reads it. The resulting structured data (so you can preview and download your Excel file) is stored in our database for a maximum of 30 minutes, after which it is automatically purged. You can also delete it manually at any time.

We retain only billing metadata about the conversion (page count, timestamp, success/failure) for invoicing and abuse-prevention purposes — never the statement contents.


5. Data Retention

We retain your personal data only for as long as necessary:

  • Account Data: retained until you delete your account. On deletion, personal data is removed within 30 days, except where retention is legally required (see below).
  • Invoice & Billing Records: retained for 10 years as required by Portuguese tax law (Código do IVA, Art. 52).
  • Bank Transaction Data: retained while the corresponding bank connection is active. When you disconnect a bank or delete the connection, the associated transactions are removed within 30 days.
  • Cloud Storage Tokens: retained while the connection is active; revoked immediately on disconnection or account deletion.
  • PDF Extraction Results: auto-purged 30 minutes after extraction completes.
  • Uploaded PDF Files: deleted from staging immediately after extraction reads them — never archived.
  • Sync & Audit Logs: retained for up to 12 months for security and troubleshooting.
  • Technical Server Logs: retained for up to 90 days.

6. Cookies and Tracking

We use cookies and similar technologies:

  • Essential Cookies: required for authentication and core functionality. These cannot be disabled.
  • Preference Cookies: store your language preference and display settings.
  • Analytics Cookies: help us understand aggregate usage. These are only set with your consent and can be withdrawn via our cookie banner or your browser settings.

7. Disclosure of Your Personal Data — Subprocessors

We share personal data with the following third parties acting as processors on our behalf. We have Data Processing Agreements (DPAs) with each:

  • Hosting & Database: a European VPS hosting provider where we run our application servers, PostgreSQL database and self-hosted document-parsing service. All processing occurs in the EU.
  • Stripe Payments Europe, Ltd. (Ireland) — payment processing. Privacy policy: stripe.com/privacy.
  • GoCardless Ltd. (United Kingdom, FCA-regulated AISP) — Open Banking account information access under PSD2. Privacy policy: gocardless.com/legal/privacy.
  • Tink AB (Sweden, FSA-regulated AISP) — Open Banking access for selected jurisdictions. Privacy policy: tink.com/privacy-policy.
  • Google Ireland Ltd. — OAuth sign-in and Google Drive API for export destinations. Privacy policy: policies.google.com/privacy.
  • Microsoft Ireland Operations Ltd. — OAuth sign-in and Microsoft Graph API for OneDrive/Excel export destinations. Privacy policy: privacy.microsoft.com.
  • Sendinblue SAS (Brevo) (France) — transactional email delivery (account confirmation, sync notifications). Privacy policy: brevo.com/legal/privacypolicy.

We do not sell your personal data and do not share it with advertising networks. All subprocessors are required to process data only on our documented instructions and to apply appropriate security measures.


8. Open Banking (PSD2)

Bank connections are established through a regulated Account Information Service Provider (AISP) — currently GoCardless, with Tink for additional jurisdictions. Authorisation is given by you directly on your bank's website using their authentication flow; we never see or store your bank credentials.

Under PSD2, bank connections expire after 90 days. To continue syncing transactions, you will be prompted to re-authorise the connection. You can revoke a bank connection at any time from your dashboard or directly with your bank.


9. Data Security

We apply appropriate technical and organisational measures, including HTTPS/TLS encryption in transit, encryption at rest for credentials and OAuth tokens, role-based access controls, isolated worker processes, audit logging, and least-privilege subprocessor scopes. Access to production systems is limited to personnel with a documented need.


10. International Transfers

Personal data is processed primarily within the European Economic Area (EEA). Where a subprocessor transfers data outside the EEA (e.g. Stripe's US affiliates for fraud prevention), the transfer is protected by Standard Contractual Clauses approved by the European Commission and, where applicable, supplementary technical safeguards.


11. Your Legal Rights

Under GDPR, you have the following rights:

  • Access — request copies of your personal data.
  • Rectification — request correction of inaccurate data.
  • Erasure — request deletion ("right to be forgotten"), subject to legal retention requirements.
  • Restriction — request temporary halt of processing.
  • Portability — request transfer of your data to another provider in a machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw Consent — where processing relies on consent, you may withdraw at any time without affecting prior lawful processing.
  • Automated Decision-Making — we do not perform automated decision-making with legal or similarly significant effects on you.

To exercise any of these rights, contact us at support@kelaro.io. We will respond within one month.


12. Right to Lodge a Complaint

You have the right to lodge a complaint at any time with the Portuguese Data Protection Authority (CNPD - Comissão Nacional de Proteção de Dados) at cnpd.pt, or with the supervisory authority in the EU Member State of your habitual residence. We would appreciate the opportunity to address your concerns before you approach the authority — please contact us first at support@kelaro.io.


13. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be notified by email and by a notice on this page at least 14 days before they take effect. The date at the top of this page reflects the latest update.