Effective Date: 3 May 2026
Last Updated: 3 May 2026
Service: BIQE handwritten text recognition SaaS at ocr-handwriting.online
Operator: BIQE V.O.F. (Netherlands)
1. Introduction
This Privacy Policy explains how BIQE V.O.F. (“we”, “us”, “our”)
collects, uses, stores, and protects personal data when you use the BIQE
handwritten text recognition service at
ocr-handwriting.online (the “Service”).
We are committed to handling your data responsibly, transparently, and in line with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
This policy applies to the SaaS at
ocr-handwriting.online. Our marketing website
biqe.biz and our parent brand site
ocr-handwriting.com (also operated by BIQE V.O.F.) have
their own privacy disclosures regarding cookies and analytics on those
sites.
2. Data We Collect
2.1 Account data
When an account is set up for your organization, we store:
- Organization name and contact email
- For each user: first name, last name, email address, hashed password (using bcrypt — we never store plaintext passwords)
- Optional: TOTP secret for two-factor authentication (encrypted at rest using Fernet)
- API keys (cryptographically random, used to authenticate programmatic access)
- Preferred language (nl, en, de, or fr) for outgoing email communications
2.2 Uploaded content
When you submit scans for processing through the Service:
- The image files you upload (typically scans of handwritten or historical documents)
- The OCR/HTR results produced by our pipeline
- Metadata about each job: submission time, processing duration, page count, the processing tier you selected, the preset used
2.3 Billing data
- Stripe customer ID and subscription ID (we do not store payment card numbers — Stripe holds those)
- Usage records: pages processed per scan, tier selected, calculated billing amounts
- Invoice history
2.4 Authentication and security logs
- Login events (success, failure, denial reasons)
- Session metadata (IP address, user agent, login timestamp)
- Audit log entries for actions taken in the customer portal and admin operations
- 2FA verification events
2.5 Communications
- Contact form submissions on our marketing website
- Customer support email correspondence (when you contact us at info@biqe.biz)
3. Purpose of Processing and Legal Basis
| Purpose | Legal basis under GDPR Art. 6 |
|---|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b)) |
| Performing OCR/HTR processing on your uploaded scans | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (scan completed, invoice paid, etc.) | Performance of contract (Art. 6(1)(b)) |
| Maintaining authentication and security logs | Legitimate interest (Art. 6(1)(f)) — protecting the service and customers from abuse |
| Retaining billing records | Legal obligation (Art. 6(1)(c)) — Dutch fiscal law (Art. 52 AWR) requires 7-year retention |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) |
4. Data Retention and Deletion
| Data | Retention period |
|---|---|
| Uploaded scan files (in cloud storage) | Automatically deleted 30 days after upload (lifecycle rule on the storage bucket) |
| OCR/HTR results in the customer portal | Available 30 days after job completion, then automatically removed |
| Account data | Retained while your account is active. Deleted within 90 days after account closure, except where legal retention applies |
| Billing records and invoices | 7 years (Dutch fiscal law — Art. 52 AWR) |
| Authentication and authorization logs | 13 months |
| Lifecycle audit events (e.g. login, payment-method-changes) | 13 months |
| Data-mutation audit events (account changes, jobs, billing) | 7 years |
| Some critical security events (admin actions, API key creation/revocation, password resets) | Permanent (kept indefinitely as security record) |
When data is deleted, deletion is final — we do not maintain backups containing personal data after the retention period.
5. Sub-processors
To deliver the Service, we use a limited number of third-party providers (“sub-processors”). They each process specific data on our behalf, under data processing agreements (DPAs) where required.
| Sub-processor | Role | Data shared | Location |
|---|---|---|---|
| Google Cloud Platform (Google LLC / Google Ireland Ltd.) | Hosting (compute and storage for the SaaS) | All Service data | United States (us-east1 region) — see §6 |
| OpenRouter, Inc. | LLM-based correction step in our HTR pipeline. The OCR’d text from your scans is sent to a Large Language Model (e.g. Anthropic Claude, OpenAI GPT, Google Gemini) routed via OpenRouter, which improves the result | OCR’d text from your scans (not the images themselves) | United States, with onward routing to the selected LLM provider |
| Stripe Payments Europe, Ltd. (for EU customers) / Stripe, Inc. (non-EU) | Payment processing, invoicing, VAT calculation | Customer name, billing address, email, payment-method tokens (we do not see card numbers) | Ireland (EU) for EU customers; US for non-EU |
| Resend (Drift.com, Inc.) | Transactional email delivery (scan-completed notifications, password resets, invoices) | Recipient email address, email content | United States |
We do not share data with any other third parties for marketing, analytics, or advertising purposes.
6. International Data Transfers
Personal data and uploaded content are processed and stored on
servers in the United States (Google Cloud’s
us-east1 region). This means your data may be transferred
outside the European Economic Area (EEA).
We rely on the following transfer mechanisms under GDPR Chapter V:
- EU-U.S. Data Privacy Framework (DPF) — Google LLC and several other sub-processors are certified under the DPF. This provides an adequacy basis under GDPR Art. 45 for transfers to certified U.S. organizations.
- Standard Contractual Clauses (SCCs) — for transfers to providers not covered by the DPF, or as a backup mechanism, we rely on the European Commission’s SCCs (2021/914 modules) embedded in our sub-processor agreements.
We are aware of the limitations these mechanisms have following the
Schrems II judgment (CJEU C-311/18). We are evaluating
migration of the production environment to a European Google Cloud
region (e.g. europe-west4) to keep data within the EEA.
Customers with strict data-residency requirements should contact us
before signing up.
7. Cookies and Tracking
The BIQE SaaS at ocr-handwriting.online uses
only essential cookies required for the Service to
function:
- Session cookie — keeps you logged in after authentication. Expires when you log out or after a period of inactivity. Marked HttpOnly, Secure, SameSite=Lax.
- CSRF token cookie — protects forms against cross-site request forgery. Same security flags.
We do not use:
- Analytics cookies (no Google Analytics, no Plausible, no Matomo, no Hotjar)
- Advertising cookies or ad-network trackers
- Social-media trackers (no Facebook pixel, no LinkedIn Insight Tag)
- Behavioural profiling
Because all our cookies are strictly necessary for the operation of the Service, no cookie consent banner is required under the ePrivacy Directive (Art. 5(3)) and GDPR.
If you visit our marketing website biqe.biz or our
parent brand site ocr-handwriting.com, those sites may set
additional cookies (analytics, etc.) — see the cookie settings on those
sites.
8. Security
We take the security of your data seriously. Measures include:
- ISO 27001 certified (DigiTrust certificate available on request — also linked from our marketing site)
- All connections use HTTPS with TLS 1.2 or higher (Let’s Encrypt certificates)
- Passwords are hashed with bcrypt; we do not store or transmit plaintext passwords
- Two-factor authentication (TOTP) available for admin accounts; recovery codes provided
- Audit logging of authentication and authorization events
- Sub-processors are selected for their security posture and held to written agreements
- Access to production servers is restricted to authorized personnel and requires SSH key authentication
No system is 100% secure. If you become aware of a security issue,
please contact us immediately at info@biqe.biz.
9. Your Rights under GDPR
If you are located in the EU, UK, or another jurisdiction with similar laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — request deletion, subject to legal retention obligations
- Restriction of processing — limit how we use your data
- Data portability — receive your data in a structured, machine-readable format
- Object — to processing based on legitimate interest
- Withdraw consent — where processing is based on consent (note: most of our processing is based on contract, not consent)
- Lodge a complaint with a supervisory authority — in the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
To exercise these rights, contact us at info@biqe.biz.
We will respond within one month, as required by GDPR Art. 12(3).
10. Data Controller and Contact
Data Controller: BIQE V.O.F., Nijstad 14, 8281 BB Genemuiden, Netherlands
KvK: 69268916
VAT: NL857810546B01
Contact for privacy matters:
info@biqe.biz
Phone: +31 (0) 617 776 076
We do not currently have a designated Data Protection Officer (DPO). If our data processing scale ever requires one under GDPR Art. 37, we will designate one and update this notice.
11. Updates to this Policy
We may update this Privacy Policy from time to time as our service evolves or as legal requirements change.
When we make material changes, we will:
- Update the “Last Updated” date at the top
- Notify active customers by email at least 30 days before the change takes effect
- Keep an archive of previous versions available on request
For non-material changes (typo fixes, clarifications), we update the date but do not separately notify.
End of Privacy Policy — BIQE V.O.F. — Last updated 3 May 2026.