Privacy Policy

Last updated: May 28, 2026

This Privacy Policy explains how bankstatement.ai ("we," "us," or "our") collects, uses, and shares information when you use our website and services (the "Service").

1. Information we collect

Account information. When you register, we collect your email address and a hashed password. We do not store plaintext passwords.

Payment information. Subscriptions are processed by Stripe. We receive subscription status, customer identifiers, and billing metadata from Stripe; we do not store full payment card numbers on our servers.

Uploaded statements. When you process a file, we temporarily store the upload and generated outputs to complete your request. Uploads and results are deleted according to our retention policy.

Usage and device data. We collect operational data such as IP address, browser type, request timestamps, job status, page usage against your plan, and anonymous device tokens used to enforce trial limits and prevent abuse.

Support and email. If you contact us or email a result link, we process the email addresses involved to deliver that message.

2. How we use information

  • Provide, secure, and improve the Service;
  • Authenticate users and enforce plan limits;
  • Process payments and manage subscriptions;
  • Detect fraud, abuse, and security incidents;
  • Send transactional messages such as password resets and result links;
  • Comply with legal obligations.

We do not use your uploaded bank statements to train general-purpose machine learning models. Merchant matching may use derived, normalized merchant descriptors and embeddings to improve matching quality within the Service, as described on our No Data Retention page.

3. How we share information

We share information only as needed to operate the Service:

  • Stripe — subscription billing and customer portal;
  • Cloudflare — hosting, CDN, and Turnstile bot protection;
  • Email provider (SMTP) — delivery of transactional email;
  • Object storage (S3-compatible) — temporary file storage;
  • AI and OCR providers — Mistral, Vercel AI Gateway, and Zyte for document processing and merchant enrichment;
  • Error monitoring — GlitchTip/Sentry for aggregated diagnostics without statement content in routine error reports.

We may also disclose information if required by law or to protect rights, safety, and the integrity of the Service.

4. Cookies and local storage

The Service uses browser local storage for session tokens and anonymous device identifiers. We do not use third-party advertising cookies. Cloudflare and Stripe may set cookies or similar technologies when you interact with their features embedded in the Service.

5. Retention

We minimize retention of financial documents. See our dedicated No Data Retention policy for details on upload deletion, result expiry, and account data.

6. Security

We use encryption in transit (HTTPS), access controls, signed result links, and industry-standard infrastructure practices. No method of transmission or storage is completely secure; please use strong passwords and protect your devices.

7. Your choices and rights

Depending on where you live, you may have rights to access, correct, delete, or export personal information, or to object to certain processing. To make a request, email [email protected]. We may need to verify your identity before responding.

8. International users

If you access the Service from outside the United States, you understand that information may be processed in the United States and other countries where our providers operate, which may have different data protection laws.

9. Children

The Service is not directed to children under 18, and we do not knowingly collect personal information from children.

10. Changes

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be posted on this page.

11. Contact

Privacy questions: [email protected].