Privacy Policy
Last updated: March 2026
1. Who we are
StatementCSV ("we", "us", "our") provides a document conversion service that transforms bank statement PDFs into structured CSV and Excel files. We act as a data controller for your account information and as a data processor for the documents you upload.
Contact: [email protected]
2. What data we collect
Account data
- Email address
- Password (hashed, never stored in plain text)
- Name and profile image (if you sign in via Google)
- Sign-in timestamps and IP addresses
Document data
- Uploaded PDF files
- OCR-extracted text from your documents
- Parsed transaction data (date, description, amount)
- Generated CSV and Excel output files
Billing data
- Payment method details are handled entirely by Stripe and are not stored on our servers
- We store subscription status and credit balance only
3. Why we collect it (legal basis)
| Data | Purpose | Legal basis |
|---|---|---|
| Email, password | Account creation and authentication | Contract performance |
| Uploaded documents | Providing the conversion service | Contract performance |
| Sign-in IP addresses | Security and fraud prevention | Legitimate interest |
| Payment information | Processing payments | Contract performance |
4. How long we keep it
- Uploaded documents and output files: Automatically and permanently deleted after 7 days. You may also delete them manually at any time.
- OCR text and parsed transaction data: Deleted alongside the document after 7 days.
- Account data: Retained while your account is active. Deleted immediately upon account deletion.
- Deletion audit records: Retained for up to 3 years as proof of compliance with data retention policies, then permanently deleted.
- Sign-in logs: Retained for 12 months for security purposes.
5. How we protect it
- All data in transit is encrypted with TLS 1.2 or higher
- All files are encrypted at rest using AES-256 volume-level encryption
- Sensitive database fields are additionally encrypted at the application level using AES-256-GCM
- Passwords are hashed using bcrypt and are never stored in plain text
- All infrastructure is hosted within the European Union
For full details, see our Security Policy.
6. Who we share it with
| Third party | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, tokenised payment method |
| Google (optional) | OAuth authentication | Email, name (only if you choose Google sign-in) |
| Google Cloud (Vertex AI Gemini) | OCR and transaction extraction from uploaded documents | Uploaded PDF content and OCR/parsed extraction output needed to provide the conversion service |
We do not sell or rent your data. We only share data with the service providers listed above where necessary to provide authentication, billing, and document conversion.
7. Your rights under GDPR
If you are in the UK or European Economic Area, you have the following rights:
- Right to access — You can view all your stored data through your account dashboard, or request a full export of your data.
- Right to rectification — You can update your account details at any time through your account settings.
- Right to erasure — You can delete individual documents at any time, or delete your entire account. All associated data will be permanently removed.
- Right to data portability — You can download your converted files in CSV or Excel format. You can also request a full export of your account data.
- Right to restrict processing — You can contact us to request that we limit how we process your data.
- Right to object — You can object to processing based on legitimate interest by contacting us.
- Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Cookies
We use only essential cookies required for the service to function:
- Session cookie — Keeps you signed in. Expires when you close your browser or sign out.
- CSRF token cookie — Protects against cross-site request forgery attacks.
We do not use any analytics, tracking, or advertising cookies.
9. International transfers
All data is stored and processed within the European Union. We do not transfer your data outside of the EU.
10. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email or by a notice on our website. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.