Privacy Policy

Last updated: 2 June 2026

Who we are

StatementEdge converts PDF bank statements into structured data for accountants, bookkeepers, and finance teams. We're an Ireland-based service and our default storage region is the EU (Frankfurt).

What we collect

We collect only what we need to provide the service:

  • Source PDFs. The bank-statement files you upload. Stored encrypted at rest in Supabase Storage (EU).
  • Extracted data. The structured transactions and statement metadata produced from your PDFs. Stored in our database (EU).
  • Account data. Email address (if you sign in), Stripe customer ID (if you subscribe), API keys you create.
  • Usage metadata. Page counts, job statuses, timestamps. We use this for quota enforcement and operational metrics.
  • Technical telemetry. Server-side error events sent to Sentry (EU region) when something fails. We strip Authorization headers, cookies, and request bodies before sending — see “Sub-processors” below.
  • Anonymous analytics. Aggregate page views via Plausible. No cookies, no cross-site tracking, no personal identifiers.

What we don't do

  • We do not train AI models on your uploaded PDFs or extracted data.
  • We do not sell, rent, or share your data with third parties for marketing.
  • We do not set any tracking cookies for advertising. The only cookies we set are for authentication, theme preference, and the upload zone's session state.

How long we keep it

  • Source PDFs: auto-deleted within one hour of a successful conversion.
  • Extracted data: retained on your account until you delete it or close your account.
  • Account data: retained while your account exists. Deleted within 30 days of account closure, except where retention is required for legal or billing purposes (e.g. Irish/EU tax law on invoice retention — 6 years).
  • Sentry events: 90 days, then deleted.

Sub-processors

We rely on the following sub-processors to operate the service. Each handles a limited slice of your data:

  • Supabase (EU, Frankfurt) — auth + database + storage. Stores source PDFs and extracted data.
  • Trigger.dev — durable background job execution. Source PDFs are streamed through during conversion; not persisted.
  • Google (Gemini API) — the AI extraction model. PDFs are sent for processing under Google's API terms; Google states they do not use API input for model training.
  • Stripe — payments and billing. Stripe is the data controller for your payment instrument (card number etc.); we never see or store full card details.
  • Resend — transactional email (sign-in links, receipts).
  • Sentry (EU region) — error monitoring. PII (cookies, auth headers, request bodies) is stripped before sending.
  • Vercel (Frankfurt deployment region) — application hosting.
  • Plausible — privacy-friendly analytics. Cookie-less, no cross-site tracking.

Your rights (GDPR)

If you're in the EU/UK, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data deleted (the “right to be forgotten”);
  • export your data in a machine-readable format;
  • object to processing, or restrict it;
  • lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us via the Contact form and we'll respond within 30 days.

Data Processing Addendum (DPA)

If you're processing personal data of EU residents and need a signed DPA, we can provide one. Reach out via Contact → Legal with your company name and EU representative details.

Security

We encrypt data in transit (TLS 1.2+) and at rest (Supabase + Vercel managed encryption). API keys are stored as SHA-256 hashes; we cannot recover a lost key. Source PDFs auto-delete after conversion. Access to production data is restricted and audited.

Changes

We may update this policy as the service evolves. Material changes will be announced by email (to registered users) or by a notice on the site.

Contact

Questions, concerns, or data-rights requests? Use the Contact form — that's the official channel and we read every submission.