Legal

Privacy Policy

Effective date: June 25, 2026

1. Data we collect

We collect account data such as your email address, authentication identifiers, subscription status, and usage counters. When you upload a document, we receive the PDF file you submit and generate structured outputs from it (JSON, CSV, Excel).

2. What is uploaded

Uploaded files may contain bank transaction data, account holder names, account numbers, balances, references, and other personal or financial information present in the source statement. We receive exactly what you choose to upload.

3. How processing works

Every uploaded PDF goes through a multi-stage pipeline designed to extract and normalize your data accurately:

  1. Text extraction — Native digital PDF text is read directly. Scanned or image-only pages are sent to Mistral OCR for optical character recognition.
  2. LLM normalization — Extracted text is sent to our LLM provider (DeepInfra, running DeepSeek-V4-Flash) which identifies dates, amounts, descriptions, and classifies each transaction.
  3. Bank identification — The first page of your statement is analyzed to detect which bank issued it, so we can tailor processing and track supported institutions.
  4. Balance verification — We automatically check whether running balances are consistent: opening balance plus inflows minus outflows should equal closing balance. This is a quality check, not an audit.
  5. Format validation — We verify every transaction row has the expected fields (date, description, amount) and flag anything unusual.
  6. Export generation — The normalized data is rendered as CSV, Excel, and JSON for you to download.

These stages are fully automated. No human reads your document during normal operation.

4. Third-party processors

We use third-party subprocessors to provide the service:

  • DeepInfra — LLM inference for transaction extraction, merchant classification, and bank detection (DeepSeek-V4-Flash model).
  • Mistral AI — OCR for scanned or image-only PDF pages.
  • Cloud infrastructure providers — Hosting, PostgreSQL database, Redis queue, and object storage for application delivery and temporary document persistence.
  • Authentication and billing providers — When you create an account or subscribe to a paid plan.

We do not sell your data to any third party. We do not share uploaded documents with unauthorized parties.

5. What we retain and why

Different categories of data are retained for different durations:

  • Uploaded PDFs and outputs (24 hours) — Your statement file and generated CSV/Excel/JSON are stored for up to 24 hours so you can preview results, download exports, and access history. After that, they are automatically and permanently deleted.
  • Account data (indefinite) — Your email, subscription status, and usage counters are kept while your account exists so we can manage billing and access.
  • Anonymous quality metrics (permanent) — After each conversion, we permanently store non-identifying statistics: number of pages, transaction count, processing speed, whether the bank was detected, and whether balances were consistent. This data contains zero personal information — no account numbers, no names, no transaction descriptions, no file names.

6. Quality-assurance analytics

We operate an automated evaluation system that permanently stores anonymized conversion metrics to monitor and improve service quality. The data we keep is strictly limited to: number of pages, transaction count, processing speed, detected bank name, whether balances were consistent, and whether the output passed format validation. This data powers our public accuracy dashboard and helps us detect regressions across model updates. No personal data is stored in this system.

7. AI provider processing

Extracted statement text is transmitted to DeepInfra and (when OCR is needed) Mistral AI as part of the conversion workflow. These providers may retain logs of API requests according to their own terms and policies. We do not send raw uploaded PDFs to any AI provider — only the text content extracted from each page. We configure our API calls to minimize provider-side retention where supported.

8. AI training

We do not use uploaded documents, extracted outputs, or any customer data to train our own AI models. Third-party AI providers process data according to their API terms; their policies are independent of ours and are disclosed in this document.

9. Security measures

Data is transmitted over TLS and stored using encrypted infrastructure controls. Where supported by the hosting provider, storage encryption uses AES-256-class protection at rest. We do not perform routine human review of uploaded documents as part of normal product operation. See the Security page for additional details.

10. Your choices and rights

Depending on your jurisdiction, you may have rights to request access, correction, deletion, or restriction of personal data. You may also stop using the service at any time. To exercise any of these rights, contact us through the channels provided on our website.

11. Updates

We may update this Privacy Policy from time to time. Material changes take effect when posted with a revised effective date on this page. We encourage you to review it periodically.