Legal

Data Processing Addendum Summary

Updated: June 25, 2026

1. Roles

For customer-uploaded documents, the customer acts as the data controller and Parse My Statement acts as the data processor. Parse My Statement determines the technical means of processing but does not determine the purposes beyond providing the conversion service.

2. Subject matter and duration

Processing covers uploaded statement files and derived structured outputs for the purpose of document conversion, export generation, account administration, billing, service security, and quality-assurance analytics. Processing continues only for the duration needed to provide the service.

Retention schedule:

  • Uploaded PDFs and generated outputs: up to 24 hours, then permanently deleted.
  • Account data (email, subscription, usage counters): retained while account is active, deleted upon account deletion or within a reasonable period thereafter.
  • Anonymous quality metrics (zero PII — no names, account numbers, descriptions, or file names): retained permanently for service improvement and public dashboard accuracy reporting.

3. Categories of data

Data categories processed may include:

  • Account data: email address, authentication tokens, subscription plan, usage counters.
  • Statement data (ephemeral, 24h): full PDF content including account holder names, account numbers, transaction descriptions, dates, amounts, balances, and references.
  • Derived outputs (ephemeral, 24h): normalized JSON, CSV, and Excel files generated from the statement.
  • Processing metadata (permanent, anonymized): page count, transaction count, processing time, detected bank name, balance consistency result, and format validation result. This data is stripped of all personal identifiers.

4. Processing stages

Each uploaded document passes through the following automated processing stages:

  1. Text extraction — Native PDF text is read via pdfplumber. Scanned pages are processed by Mistral AI OCR.
  2. LLM normalization — Extracted text is sent to DeepInfra (DeepSeek-V4-Flash) which identifies transaction fields and classifies each row.
  3. Bank identification — The first page text is analyzed by the LLM to detect the issuing bank. No raw PDF is sent; only extracted text.
  4. Balance reconciliation — Running balances are checked for consistency: opening balance plus credits minus debits should equal closing balance.
  5. Quality validation — Transaction row count is sanity-checked and each row is verified to contain expected fields.
  6. Export generation — Data is rendered as CSV, Excel, and JSON for user download.

5. Subprocessors

The following subprocessors handle customer data in the course of providing the service:

  • DeepInfra — LLM inference service. Receives extracted text for transaction normalization, merchant classification, and bank detection. Data: text content of statement pages. Location: United States.
  • Mistral AI — OCR service. Receives the full PDF for optical character recognition of scanned pages. Data: full PDF for scanned pages only. Location: European Union.
  • Cloud infrastructure providers — Hosting, PostgreSQL database, Redis queue, and object storage. Data: all uploaded documents, derived outputs, and account data. Location: selected data centers based on customer region.
  • Authentication provider — Handles login credentials and session management. Data: email, password hash, session tokens.
  • Payment processor — Handles billing and subscription payments. Data: payment method, billing address, transaction amounts. We do not store full payment card numbers.

6. Processor commitments

Parse My Statement will:

  • Process customer data only to provide the conversion service and related account management.
  • Follow documented customer instructions as reflected in normal product use.
  • Apply reasonable technical and organizational security measures.
  • Delete short-lived data (PDFs and outputs) according to the 24-hour retention schedule.
  • Not access customer documents for any purpose other than providing the service, abuse prevention, or legal compliance.
  • Not sell customer data to any third party.

7. Customer responsibilities

Customers are responsible for:

  • Ensuring they have a lawful basis to upload and process the data they submit.
  • Configuring their own downstream storage and deletion practices for downloaded files.
  • Reviewing AI-generated outputs for accuracy before operational use, particularly for bookkeeping, reconciliation, tax, compliance, lending, or legal purposes.

8. Anonymized quality data

Parse My Statement permanently retains anonymized processing metrics that contain zero personally identifiable information. This data (page count, transaction count, processing latency, detected bank name, balance consistency flag) cannot be linked back to a specific user, file, or account. It is used to power public accuracy dashboards and to detect regressions across model and software updates. Because this data is fully anonymized and does not constitute personal data, it falls outside the scope of standard data subject requests and deletion rights.

9. Formal DPA requests

If your procurement or legal team requires a signed DPA, use this page as the public summary and provide your contract contact through the support or founder contact channel for a formal review. We are happy to sign standard DPAs based on the practices described here.