Privacy Policy
Last updated: March 2026
1. Who We Are
Bank Statement Parser (“we”, “our”, or “us”) is a service operated from Australia. We operate the website at smartstatementparser.com and any associated subdomains (collectively, the “Service”). For privacy enquiries, contact us at support@smartstatementparser.com.
2. What Personal Information We Collect
We collect only what is necessary to provide the Service:
- Account information: your email address and password (hashed) when you register.
- Uploaded documents: the bank statement PDF you upload for conversion. See Section 4 for how this is handled.
- Payment information: processed by Stripe. We do not store credit card numbers or bank account details on our servers.
- Usage data: IP address, browser type, pages visited, and general usage patterns, collected via privacy-preserving analytics (Vercel Analytics — no cookies, no persistent identifiers).
- Communications: any messages you send us by email or support requests.
3. How We Use Your Information
| Purpose | Data used | Lawful basis (GDPR) |
|---|---|---|
| Perform the conversion service | Uploaded PDF | Contract |
| Manage your account and authentication | Email, password | Contract |
| Process payments | Payment info (via Stripe) | Contract / Legal obligation |
| Improve and monitor the Service | Anonymised usage data | Legitimate interests |
| Respond to support enquiries | Email, communications | Contract / Legitimate interests |
| Comply with legal obligations | Payment records, account data | Legal obligation |
4. Your Bank Statement Documents — Special Notice
We understand that bank statements contain highly sensitive financial information. We treat uploaded documents with the highest level of care:
- Your PDF is processed solely to produce the CSV output. It is not analysed, mined, profiled, or used for any secondary purpose.
- Uploaded PDFs are automatically deleted from all production storage within 24 hours of upload.
- No employee reads or accesses the contents of your uploaded documents except with your explicit permission for technical support.
- We do not sell, share, or derive commercial value from the content of your documents.
- The generated CSV output is available to you for download and is deleted from our systems within 24 hours of generation.
Under the California Consumer Privacy Rights Act (CPRA), financial transaction data constitutes “sensitive personal information”. We limit our use of such data strictly to performing the conversion service — nothing more.
5. How Long We Keep Your Data
| Data | Retention period |
|---|---|
| Uploaded PDFs | Deleted within 24 hours of upload |
| Generated CSV output | Deleted within 24 hours of generation |
| Account data (email, profile) | Duration of account + 30 days after deletion |
| Conversion history (metadata only — no document content) | 90 days |
| Payment records | 7 years (required by Australian tax law) |
| Anonymised analytics | Aggregated — no personal identifiers retained |
6. Who We Share Your Data With
We share your data only with the following service providers (“subprocessors”) who help us deliver the Service:
- Supabase (authentication, database, file storage) — servers located in the United States. Supabase processes your account data and temporarily stores uploaded files.
- Vercel (hosting and serverless functions) — servers located in the United States, with a globally distributed CDN. Vercel Analytics collects anonymised, cookie-free usage statistics.
- Stripe (payment processing) — US-based, EU-US Data Privacy Framework certified. Stripe is the data controller for payment card data. See Stripe's Privacy Policy.
- Google (optional OAuth login) — if you choose to sign in with Google, Google processes your authentication data under Google's Privacy Policy.
We do not sell, rent, or trade your personal information to any third party for marketing or commercial purposes.
7. International Data Transfers
Our subprocessors (Supabase, Vercel, Stripe) are based in the United States. Your data may therefore be transferred outside Australia, the European Economic Area, or the United Kingdom.
- EU/UK users: Transfers are protected by EU Standard Contractual Clauses (2021 version) with Supabase and Vercel. Stripe is covered by the EU-US Data Privacy Framework adequacy decision.
- Australian users: We take reasonable steps under Australian Privacy Principle 8 to ensure our overseas subprocessors handle your data consistently with the Australian Privacy Principles.
- Canadian users: Transfers to the US are governed by contractual safeguards consistent with PIPEDA requirements.
8. Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Role-based access controls — employees cannot access document content
- Automatic deletion of uploaded files and generated outputs within 24 hours
- Regular security reviews of our subprocessors' infrastructure
In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the relevant regulatory authorities as required by law — within 72 hours under GDPR, and in accordance with the Australian Notifiable Data Breaches scheme.
9. Your Rights
Depending on where you are located, you may have the following rights regarding your personal information:
All users
- Right to access your personal information
- Right to correct inaccurate information
EU and UK users (GDPR / UK GDPR)
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent (where consent is the lawful basis)
- Right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, your national DPA in the EU)
Australian users (Privacy Act 1988)
- Right to access and correction (APPs 12–13)
- Right to erasure, right to object, and right to data portability (effective under 2024–2026 reforms)
- Right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
California users (CCPA / CPRA)
- Right to know what data we collect and why
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information (we do not sell or share personal information)
- Right to limit use of sensitive personal information (including financial data) to what is necessary to provide the service
- Right to non-discrimination for exercising your rights
Canadian users (PIPEDA)
- Right to access and correction
- Right to withdraw consent
To exercise any of these rights, email support@smartstatementparser.com. We will respond within 30 days (or a shorter period where required by law).
10. Cookies and Analytics
We use Vercel Analytics for usage statistics. Vercel Analytics is designed to be privacy-preserving: it does not use cookies and does not collect personally identifiable information. No consent banner is required for this analytics tool.
If you use Google Sign-In, Google may set cookies in your browser as part of the authentication process. These are governed by Google's cookie policy.
We use essential session cookies for authentication (to keep you logged in). These cookies are strictly necessary and cannot be disabled without affecting the functionality of the Service.
11. Children's Privacy
The Service is not directed at individuals under the age of 18 (or 16 where required by applicable law). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email and update the “Last updated” date at the top of this page at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For any privacy-related questions, requests, or complaints, contact our Privacy Officer:
If you are an EU or UK resident and we are unable to resolve your complaint, you have the right to escalate to your local data protection supervisory authority.
If you are an Australian resident, you may also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.