Security
Built for documents you actually care about.
Bank statements are some of the most sensitive documents you handle. We treat them that way — EU-hosted, encrypted, auto-deleted, never used for training.
- EU data residency
- Your PDFs, extracted data, and authentication state live exclusively in the European Union (Frankfurt). Application functions run in the same region — your data never crosses the Atlantic.
- Encrypted in transit and at rest
- All traffic is HTTPS / TLS 1.3. Source PDFs are encrypted at rest in Supabase Storage. Database connections use enforced TLS.
- Auto-delete uploads
- Source PDFs are deleted automatically after conversion (default: 1 hour). We keep only the extracted, normalised data tied to your account — nothing more.
- No training on your data
- We use Google Gemini's API with strict no-training settings. Your statements are never used to improve any AI model.
- Row-level security from day one
- Every database table that holds user data is RLS-protected. A user can only ever read or modify their own rows, even if a future bug omits the WHERE clause.
- API keys are hashed, not stored
- We store only the SHA-256 hash of each API key. The raw token is shown to you once at creation; we couldn't show it again even if we wanted to.
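
An added example, not this service's own code, of the key handling described above: only the SHA-256 digest is persisted, and a bearer token is authenticated by hashing it and looking up the digest. The `demo_` prefix, the in-memory `store` dict, the record fields and the function names are assumptions made for illustration.

```python
import hashlib
import secrets

KEY_PREFIX = "demo_"  # assumed prefix, not the service's real key format


def hash_key(token: str) -> str:
    # An unsalted fast hash is acceptable only because the token is 256 bits
    # of CSPRNG output; user-chosen passwords need a slow, salted KDF instead.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_api_key(store: dict, user_id: str) -> str:
    """Persist only the digest and return the raw token for one-time display."""
    token = KEY_PREFIX + secrets.token_urlsafe(32)
    store[hash_key(token)] = {"user_id": user_id, "revoked": False}
    return token


def revoke_api_key(store: dict, token: str) -> bool:
    """Mark a key revoked; returns False if the token is unknown."""
    record = store.get(hash_key(token))
    if record is None:
        return False
    record["revoked"] = True
    return True


def authenticate(store: dict, authorization_header):
    """Return the owning user_id for a valid 'Bearer <token>' header, else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token.startswith(KEY_PREFIX):
        return None
    # Lookup is by digest, so the raw token is never stored or logged.
    record = store.get(hash_key(token))
    if record is None or record["revoked"]:
        return None
    return record["user_id"]


if __name__ == "__main__":
    db = {}  # constructed stand-in for the API-keys table
    raw = issue_api_key(db, "user-123")
    print("shown once:", raw)
    print("stored rows:", db)
    print("auth result:", authenticate(db, f"Bearer {raw}"))
```
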
The full data path
- 1. Upload. Browser uploads the PDF directly to private Supabase Storage in EU-Frankfurt over TLS 1.3. The file is encrypted at rest. RLS allows only the owning user to read it back.
- 2. Queue. A Trigger.dev task runs in the EU region. It downloads the PDF using a service-role key (never exposed to the browser), processes it in memory, and writes the extracted data back to Postgres.
- 3. Extract. Pages with text layers are read directly. Pages without are rasterised in memory and sent to Gemini's EU endpoint with no-training enabled. Inference is short-lived; no PDF data is retained by the model provider beyond the response.
- 4. Reconcile. Locale-aware normalisation + balance-chain verification. Output is structured JSON, validated against a strict schema.
- 5. Persist. Statement and transaction rows are written to Postgres with RLS. Only the owning user can read them.
- 6. Delete. The source PDF and any rasterised page images are deleted automatically — default 1 hour after the job completes, configurable up to 24 hours on Business.
FAQ
- Where is my data stored?
- All data lives in our Supabase EU project (Frankfurt). Vercel functions run in fra1. Gemini inference is routed through Google's EU endpoints. The data path stays inside the EU.
- Do you train AI models on my statements?
- No. We use the Gemini API with no-training settings explicitly enabled, and our own pipeline doesn't retain anything beyond the extracted structured data you can already see and export.
- How long do you keep my source PDFs?
- By default, 1 hour after conversion. On the Business plan you can extend this up to 24 hours if you need to re-export. After the window expires, the original PDF is permanently deleted from storage.
- What about the extracted data?
- Extracted statements and transactions are kept until you delete them or close your account. You can export everything and delete it from the dashboard at any time.
- Is the API equally secure?
- Yes. The REST API uses the same encrypted transit, the same RLS-scoped data access, and the same auto-deletion lifecycle. The only addition is bearer-token authentication for programmatic clients.
- Do you support DPA / GDPR contracts?
- Yes. Send us a message via the Contact page with the topic set to Legal / GDPR DPA. We'll send the Data Processing Agreement and sub-processor list within one business day.
- What if you find a security issue?
- Responsible disclosure: use the Contact form with the topic set to Security. We commit to a 24-hour acknowledgement and a patch timeline scoped to severity.