Privacy Policy

Last updated: March 29, 2026

Our privacy commitment in plain English

  • We never store your uploaded PDF or image files — they are processed in memory and discarded immediately.
  • We never sell, share, or monetize your financial data — our only revenue is subscriptions.
  • We never store your raw IP address — only a one-way SHA-256 hash for rate limiting.
  • Anonymous analyses are automatically deleted after 7 days; free account data is deleted after 30 days.
  • You can delete your data at any time — instantly, no questions asked.
  • Support chat and marketing analytics are limited to selected public pages; Sourcebeam pageview analytics load across the site.

1. Introduction

mybankstatementanalysis ("we", "our", "us") operates the mybankstatementanalysis.com website and bank statement analysis service. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.

2. What We Collect

Account information (if you sign up): Your email address and name. Payment information is collected and processed entirely by Stripe — we never see or store your card number, CVC, or billing details.

Bank statement data: When you upload a PDF, we extract transaction data (dates, descriptions, amounts) to generate your analysis. The uploaded file itself is processed in server memory and never written to disk or stored. Only the structured, categorized transaction data is saved to our database so you can view your results.

IP address: We hash your IP address using SHA-256 with a private salt for rate limiting purposes. The raw IP address is never stored in our database — only the irreversible hash.

Usage data: We collect basic usage information to improve our service. We use Sourcebeam for pageview analytics across the site, and we use Tawk.to support chat across both the marketing site and the logged-in app.

3. How We Use Your Data

  • To generate your spending analysis, categorization, and visualizations
  • To manage your subscription and process payments (via Stripe)
  • To enforce fair usage limits
  • To send essential service communications (e.g., billing confirmations)

We do not use your financial data for advertising, profiling, credit scoring, or any purpose other than providing you with your analysis results.

4. Third-Party Services

We use the following third-party services. Your data is sent to them only as needed to operate the service:

  • Google Gemini AI — Transaction descriptions are sent to the Gemini API for categorization. Google processes this data under their API Terms of Service, which state that API data is not used to train their models.
  • Google Cloud Vision — For scanned/image-based PDFs, page images are sent for text extraction (OCR). Processed under Google Cloud's data processing terms.
  • Stripe — For payment processing. We never handle your card details — Stripe does this directly. See Stripe's Privacy Policy.
  • Turso — Database hosting. Transaction data is stored in a Turso (libsql) database. Data is encrypted in transit (TLS). See Turso's Privacy Policy.
  • Vercel — Application hosting and infrastructure. See Vercel's Privacy Policy.
  • Tawk.to — Optional support chat available across the site, including app pages.
  • Simple Analytics, Google Analytics, and Datafa.st — Limited analytics on selected marketing and pricing pages only. Not loaded on upload, results, dashboard, settings, login, or signup pages.
  • Sourcebeam — Pageview analytics and attribution across the site.

We do not use any advertising networks, social media trackers, or data brokers.

For the current operational list, see our subprocessors page and trust center.

5. Data Security

We take reasonable measures to protect your data:

  • All data is encrypted in transit using TLS (HTTPS)
  • Uploaded files are processed in server memory and never written to persistent storage
  • IP addresses are stored as irreversible SHA-256 hashes — the original IP cannot be recovered
  • Passwords are hashed using bcrypt before storage
  • Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security — but we do our best and are transparent about our practices.

6. Data Retention & Automatic Deletion

Uploaded files: Your PDF or image file is never stored. It is processed in server memory and discarded immediately after analysis — typically within seconds.

Transaction data retention:

  • Anonymous users (no account): Analysis results are automatically deleted after 7 days.
  • Free plan accounts: Analysis results are automatically deleted after 30 days.
  • Paid plans (Basic & Pro): Analysis results are retained until you delete them or close your account. You can set a custom auto-delete timer (24 hours, 7 days, 30 days) on any individual analysis.

Automatic deletion is enforced by a daily cleanup process that permanently removes expired data from our database. This is not a soft delete — the data is gone.

Rate limiting data: IP hashes and usage counts are stored per calendar month and become irrelevant after the month ends.

7. Your Rights

You have the right to:

  • Delete your data — delete any individual analysis from your dashboard, or request full account deletion
  • Export your data — download your transaction data in CSV, Excel, QIF, OFX, QBO, or IIF format
  • Access your data — view all data we hold about you from your dashboard
  • Set retention — choose how long we keep each analysis (24 hours to forever)

To exercise any of these rights, use your dashboard or contact us at the email below. We respond to all requests within 48 hours.

8. Cookies

We use only essential cookies:

  • Session cookie — keeps you logged in (httpOnly, secure)
  • Usage cookie — tracks free page usage for anonymous users (httpOnly)

On selected public marketing and pricing pages, third-party analytics or attribution providers may also set cookies or similar identifiers. Those scripts are not loaded on upload, results, dashboard, settings, login, or signup pages.

We do not use advertising cookies, social media pixels, or ad-network trackers.

9. Children's Privacy

Our service is not intended for individuals under the age of 18. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on our website. Your continued use of the service after changes constitutes acceptance.

11. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

Email: contact@mybankstatementanalysis.com

Operator: DPmedia, Poland (EU)