Security & Data Protection

Privacy-first by design: minimize access, minimize retention, protect every file.

Bank statements are sensitive. Our approach is simple: encrypt data, limit access, and keep files only as long as you need.

Where your data is hosted

Our application servers are hosted in Germany (EU). If we use third-party subprocessors to provide the service, for example, payment processing or AI document parsing, we only send the minimum required data to deliver your requested output.

Encryption in transit

Connections to our website and APIs are protected with TLS encryption. This helps prevent interception while your files travel between your device and our servers.

Encryption at rest

Uploaded PDFs and generated outputs are encrypted at rest in storage. We use per-file encryption keys, which ensures that a compromise of one key does not expose other files. We protect and rotate keys through our key management controls.

Note: Files are decrypted only in memory while processing your conversion request.

Data retention (tier-based) & deletion

By default, we keep files only for the retention period of your plan, so you can re-download past results. You can delete everything at any time from your account.

Plan         | Default retention | Controls
Free         | 7 days            | Manual delete anytime
Starter      | 3 months          | Manual delete + optional daily auto-delete
Professional | 1 year            | Manual delete + optional daily auto-delete
Business     | 2 years           | Manual delete + optional daily auto-delete

After deletion, we may keep limited metadata, such as filename, processing status, timestamps, and billing or audit records for operational and legal reasons. Deleted file contents are removed permanently.

AI processing & privacy

Conversions are automated. We do not manually review your bank statements by default. If you contact support and specifically ask us to investigate an issue, you can choose to share a file or allow temporary access so we can help.

We do not use your documents to train our models. When we use an AI provider through paid API services, we follow their published “training restriction” terms for customer content.

Analytics & tracking

We use minimal analytics to understand traffic and improve the product. We do not run ad pixels or behavioral tracking across other sites.

  • Cloudflare Web Analytics: privacy-focused, no cookie-based tracking.
  • Umami (self-hosted): first-party analytics for product usage trends.

Payment security

Payments are handled by Paddle. We do not store your card details on our servers.

Questions?

Contact us via /contact. For legal details, see our Privacy Policy and Terms of Service.