Security & privacy
Your uploaded files are never stored
Zero-retention processing, encrypted transit, SOC 2 compliant infrastructure. We built this for people who care about where their bank data goes.
How we protect your data
Six security practices built into every request.
Zero-retention processing
Your uploaded file is processed entirely in memory. It is never written to disk, never saved to a database, and never stored in any form. The moment your results are generated, the original file is gone.
Encrypted in transit
All data is transmitted over TLS 1.3 (HTTPS). Your file travels encrypted from your browser to our servers. No unencrypted connections are accepted.
SOC 2 compliant infrastructure
We run on Vercel (SOC 2 Type II), use Google Cloud services (SOC 2, ISO 27001), and process payments via Stripe (PCI DSS Level 1). Our infrastructure providers undergo independent security audits annually.
No third-party data sharing
Your financial data is never sold, shared, or provided to advertisers, data brokers, or any third party. AI processing uses Google Gemini with data processing agreements in place.
Minimal data collection
We only store the extracted transaction data (dates, descriptions, amounts) needed to display your results. No raw files, no images, no full-text PDF content is retained.
Authentication & access control
Passwords are hashed with bcrypt. Sessions use secure HTTP-only cookies with 30-day expiry. IP-based rate limiting prevents brute force. OAuth via Google is available.
GDPR aligned
We follow GDPR principles by design — not as an afterthought.
Right to access
View all data we hold about you from your dashboard settings.
Right to erasure
Delete your account and all associated data at any time.
Right to portability
Export your analysis history and transaction data.
Right to rectification
Edit or correct your account information.
Data minimization
We only process and store what is necessary to deliver the service.
Purpose limitation
Your data is used solely for statement analysis — nothing else.
Infrastructure security
Every provider in our stack is independently audited.
What happens to your file
The complete lifecycle of your uploaded bank statement.
Upload (encrypted)
Your file is sent over TLS 1.3. It arrives in server memory — never touches disk.
Process (in memory)
OCR reads the text (if scanned), AI extracts transactions and assigns categories. All in RAM.
Extract results
Only structured data is kept: dates, descriptions, amounts, categories. The original file is discarded.
Deliver & delete
Results are shown in your browser or downloaded as a file. The uploaded document no longer exists anywhere.
Third-party data processing
What data leaves our servers, where it goes, and how it's protected.
Google Gemini API
What is sent: Transaction descriptions and amounts are sent for AI categorization.
Protection: Google API Terms prohibit using API data to train models. Data is processed and discarded — not stored by Google. All requests over TLS.
Google Cloud Vision (OCR)
What is sent: Scanned/image PDFs are sent for text extraction.
Protection: Processed in memory by Google, not stored. Covered by Google Cloud data processing agreement.
Stripe
What is sent: Payment card details (we never see or store these).
Protection: PCI DSS Level 1 certified. Card data goes directly from your browser to Stripe.
Public-site scripts
Sourcebeam runs site-wide, and Tawk support chat is available across both public and app pages.
The site uses Sourcebeam for pageview analytics and attribution across the site. Tawk support chat is available across both public and app pages, while the other marketing analytics tools remain limited to selected public-facing pages. For the current provider list, see Subprocessors and Trust Center.
Who operates this service
Transparency about who handles your data.