Privacy Policy

Last updated: March 2026

What we collect

When you create an account, we store your email address and basic profile information (name, profile picture if you sign in with Google). We use this to manage your account and send transactional emails (sign-in links, receipts).

Bank statement data

By default, ConvertStatement processes uploaded PDF files entirely in memory. Your bank statement data is not written to disk, stored in a database, or logged. Once processing completes and the result is returned to your browser, the data is deleted from server memory, and we cannot access, recover, or share it.

There is one exception, and it only happens if you choose it: when a conversion fails(for example, an unsupported bank or a statement we couldn't read), we offer to let you share a redacted, PII-free skeleton of the statement so we can add support for it. This skeleton preserves only the layout the parser needs — section headers, date and column structure — and removes names, addresses, account, IBAN and card numbers, and real amounts (digits are masked). You see the exact skeleton before deciding, and nothing is shared unless you click “Share.” When you do, we store only that redacted skeleton, solely to improve the parser, and we delete it within 30 days. The original PDF and your real statement data are still never stored.

Payments

Payments are processed by Stripe. We do not see or store your credit card number, CVV, or full billing details. Stripe handles all payment data in compliance with PCI DSS. We only store your Stripe Customer ID to manage your subscription.

Cookies and analytics

We use essential cookies to maintain your login session. We do not use third-party tracking cookies or advertising networks. We may use privacy-friendly analytics to understand usage patterns, but no personally identifiable information is shared with analytics providers.

Data security

All data in transit is encrypted using HTTPS/TLS. Authentication is handled via NextAuth with secure, httpOnly session cookies. We follow industry-standard security practices to protect your account information.

Your rights

You can delete your account and all associated data at any time by contacting us at [email protected]. Since we do not store your bank statement data by default, there is generally nothing to delete beyond your account profile and subscription information. If you ever shared a redacted failure skeleton, it carries no personal data and is deleted automatically within 30 days; you can email us to have it removed sooner.

Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. Continued use of ConvertStatement after changes constitutes acceptance of the updated policy.

Contact

Questions about this privacy policy? Email us at [email protected].