Security & privacy

Your financial data is never stored

Zero-retention processing, encrypted transit, SOC 2 compliant infrastructure. We built this for people who care about where their bank data goes.

How we protect your data

Six security practices built into every request.

Zero-retention processing

Your uploaded file is processed entirely in memory. It is never written to disk, never saved to a database, and never stored in any form. The moment your results are generated, the original file is gone.

Encrypted in transit

All data is transmitted over TLS 1.3 (HTTPS). Your file travels encrypted from your browser to our servers. No unencrypted connections are accepted.

SOC 2 compliant infrastructure

We run on Vercel (SOC 2 Type II), use Google Cloud services (SOC 2, ISO 27001), and process payments via Stripe (PCI DSS Level 1). Our infrastructure providers undergo independent security audits annually.

No third-party data sharing

Your financial data is never sold, shared, or provided to advertisers, data brokers, or any third party. AI processing uses Google Gemini with data processing agreements in place.

Minimal data collection

We only store the extracted transaction data (dates, descriptions, amounts) needed to display your results. No raw files, no images, no full-text PDF content is retained.

Authentication & access control

Passwords are hashed with bcrypt. Sessions use secure HTTP-only cookies with 30-day expiry. IP-based rate limiting prevents brute force. OAuth via Google is available.

GDPR aligned

We follow GDPR principles by design — not as an afterthought.

Right to access

View all data we hold about you from your dashboard settings.

Right to erasure

Delete your account and all associated data at any time.

Right to portability

Export your analysis history and transaction data.

Right to rectification

Edit or correct your account information.

Data minimization

We only process and store what is necessary to deliver the service.

Purpose limitation

Your data is used solely for statement analysis — nothing else.

Infrastructure security

Every provider in our stack is independently audited.

Provider        Certification              Role
Vercel          SOC 2 Type II              Application hosting & edge network
Google Cloud    SOC 2, ISO 27001, SOC 3    AI processing (Gemini) & OCR (Cloud Vision)
Turso (libSQL)  Encrypted at rest          Database storage
Stripe          PCI DSS Level 1            Payment processing
Better Auth     bcrypt + secure cookies    Authentication

What happens to your file

The complete lifecycle of your uploaded bank statement.

1. Upload (encrypted)

Your file is sent over TLS 1.3. It arrives in server memory — never touches disk.

2. Process (in memory)

OCR reads the text (if the statement is scanned), then AI extracts transactions and assigns categories. All in RAM.

3. Extract results

Only structured data is kept: dates, descriptions, amounts, categories. The original file is discarded.

4. Deliver & delete

Results are shown in your browser or downloaded as a file. The uploaded document no longer exists anywhere.