Data Security & Privacy Policy

Effective: May 25, 2026  ·  Last updated: May 25, 2026  ·  Version: 1.0

The short version: Your bank statements are encrypted in transit and at rest, processed by Anthropic's Claude API (which does not use your data to train any AI model), and stored on Render's SOC 2 Type II–certified infrastructure in the United States. We target a 3-day rolling delete on our own disk; Anthropic, as our AI sub-processor, retains API inputs and outputs on their backend for up to 30 days as a standard fallback under their commercial terms. End-to-end your data is therefore typically gone from every system within a few days and definitively gone within 30 days. We never sell or share your data outside the small list of sub-processors named below, you can export or delete your account on request, and we will notify you within 72 hours of any confirmed data breach affecting you.

1. Who we are and our role

YourStatementConverter is operated by Chowdhury Labs LLC, a New York limited liability company (EIN 42-2721053). Throughout this policy, "we," "us," "our," and "YourStatementConverter" refer to Chowdhury Labs LLC.

For the purposes of GDPR, UK GDPR, CCPA/CPRA, and similar privacy regulations, we act as the data controller for personal data processed through our service. The sub-processors listed in Section 4 act as data processors on our behalf.

If you are a bookkeeper, CPA, or accountant using our service to process your own clients' bank statements, you remain the data controller for your client relationships and are responsible for ensuring you have the authority and consent to upload those statements to our service.

2. What data we collect

2.1 Account information

2.2 Statement content you upload

Your bank statements may contain personally identifiable information (PII) such as account holder names, account numbers, addresses, and transaction history. We treat this information as sensitive financial data under all applicable laws (see Section 13).

2.3 Payment information

We do not collect, see, or store your credit card number, CVV, or bank account number used for payment. All payment instruments are collected directly by Stripe on Stripe's hosted checkout page; Stripe returns only a tokenized customer reference to us.

2.4 Usage data

2.5 Analytics

We use Google Analytics 4 with IP-anonymization on our marketing site (yourstatementconverter.com) to understand traffic sources and on-page engagement. GA4 does not have access to your uploaded statement content or your in-app activity.

3. Why we collect each category

CategoryPurposeLegal basis (GDPR)
Account infoProvide the service, authenticate youContract
Statement PDFsExtract transactions, reconcile, generate Excel outputContract
Extracted transaction dataDeliver the converted Excel, let you re-download for 3 daysContract
Payment infoProcess subscriptions and top-upsContract; legal obligation (tax/IRS)
Usage logsRate limiting, abuse prevention, debuggingLegitimate interest
Support ticket contentResolve your issue, improve the productLegitimate interest
Analytics (marketing site)Understand site traffic, improve copy and SEOLegitimate interest

4. Sub-processors (who handles your data)

We use the following sub-processors to deliver the service. Each is bound by a data processing agreement (DPA) requiring them to handle your data only on our instructions and apply appropriate security measures.

Sub-processorRoleLocationComplianceReference
Anthropic, PBC AI extraction (Claude Haiku 4.5 + Claude Sonnet 4.6) reads the PDF and returns structured transaction data United States SOC 2 Type II, HIPAA-eligible, ISO 27001 trust.anthropic.com
Render Services, Inc. Hosts our application, database, and file storage Oregon, USA (us-west) SOC 2 Type II, HIPAA-eligible render.com/security
Stripe, Inc. Processes all payments (credit cards, ACH). We never see your card data. United States (global) PCI DSS Level 1, SOC 1 / SOC 2 Type II stripe.com/privacy
Hostinger International Ltd. Hosts our marketing site (yourstatementconverter.com) and delivers transactional email via SMTP European Union ISO 27001 (parent group certifications) hostinger.com/privacy-policy
Google LLC Google Analytics 4 on the public marketing site only (no access to in-app data or uploaded PDFs) United States (global) SOC 2/3, ISO 27001, ISO 27017, ISO 27018 policies.google.com/privacy

We will update this list and notify you by email at least 30 days before adding any new sub-processor that materially changes how your data is handled.

5. Where your data is stored

6. Retention by data category

We retain personal data only as long as needed for the purposes described in this policy, or as required by law. Specific retention periods:

A note on the gap between "our retention" and "Anthropic's retention": Our own retention target is 3 days for uploaded PDFs and generated Excel files. However, when your PDF is processed, the contents are transmitted to Anthropic for AI extraction, and Anthropic — as our sub-processor — retains the API input and output on their backend for up to 30 days under their standard commercial terms. So while your data is typically purged from our systems within 3 days, the absolute outside ceiling for it being deleted from every system in the chain is up to 30 days. We do not store your PDF on our side for that 30-day window — only Anthropic does, and only in the form of the API call log they retain for abuse-prevention and debugging purposes. Anthropic does not use this stored data for model training (see Section 7).
Data categoryRetention periodWhy
Uploaded PDFs (on our disk)3 days from upload (target)Gives you a re-download window; auto-purged on day 3
Generated Excel files (on our disk)3 days from generation (target)Same as above; auto-purged on day 3
Statement content on Anthropic's API backendUp to 30 daysAnthropic's standard commercial-API retention. Not used for training. Anthropic's documented ceiling — many calls are deleted sooner.
Extracted transaction data (in DB)72 hours from generation, then row removedMatches the file purge window
Conversion summary metadata (filename, page count, status)Lifetime of your accountLets your dashboard show your history; contains no transaction content
Account informationUntil you delete your accountRequired to provide the service
Payment records and invoices7 yearsU.S. tax law / IRS recordkeeping
Support tickets2 yearsCustomer service continuity; quality assurance
Application logs30 daysOperational debugging window
Anthropic API logs (on Anthropic's side)Maximum 30 daysAnthropic's published commercial retention policy

When you delete your account, we remove your account information and any retained extracted transaction data within 30 days. Payment records and audit logs may be retained as listed above to comply with legal obligations, but they are not used for any purpose other than meeting those obligations.

7. AI training: we never opt in

Your statements are never used to train Anthropic's models, anyone else's models, or our own. We use Anthropic's commercial API, which by default does not train on customer inputs or outputs. We have explicitly not opted into Anthropic's Development Partner Program and have user-feedback collection disabled at the account level.

Anthropic's published policy on this is here: How do you use personal data in model training? — under "Data usage for Anthropic Commercial Offerings" Anthropic states: "We will not use your chats or coding sessions to train our models, unless you choose to participate in our Development Partner Program."

8. Encryption and access controls

9. Our access to your data and our commitment

You should know exactly who can see your data and under what circumstances.

What we want you to know: Chowdhury Labs LLC personnel — meaning the founder and any authorized engineers, contractors, or support staff operating on our behalf — technically have administrative access to the systems your data flows through and is stored on. We use that access only when needed to operate the service, debug an incident, investigate suspected abuse, respond to your support requests, or comply with a lawful legal demand. We do not browse your statements for any other reason.

9.1 When we actually look at your data

The honest list of times we may view the contents of an uploaded PDF or extracted transaction set:

Every administrative access to production systems is logged. Routine processing of your statement does not involve a human looking at it — the AI extraction, reconciliation, and Excel rendering pipeline runs end-to-end without human review.

9.2 Our commitment if a data security issue affects you

If a data security issue arises — whether caused by us, a sub-processor, or an attacker — Chowdhury Labs LLC commits to:

If you believe a data security issue is affecting you right now, email hello@yourstatementconverter.com with "SECURITY" in the subject line — we will respond within one business day.

10. SOC 2 and compliance posture

Chowdhury Labs LLC is not itself currently SOC 2 certified. We are an early-stage company and have not yet completed a formal SOC 2 Type II audit. We expect to pursue certification as the customer base grows.

However, every sub-processor that touches your data is independently certified to a recognized security standard:

This means the operational infrastructure your data passes through and rests on is held to SOC 2 Type II controls. We design our application layer to match those controls: principle of least privilege, encryption at rest and in transit, audit logging, separation of test/production credentials, and timely patching.

If you require formal evidence of a sub-processor's compliance posture (e.g., for your firm's vendor review), each sub-processor publishes its security report — see the references in Section 4 — or contact us at hello@yourstatementconverter.com and we'll help.

11. Your rights as a customer

Depending on where you live, you may have the right to:

To exercise any of these rights, email hello@yourstatementconverter.com. We will respond within 30 days. For deletion requests we will confirm completion within 30 days of receipt; certain records (payment history, audit logs) may be retained as required by law as described in Section 6.

If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection authority. If you are in California, you have additional rights under CCPA/CPRA; we do not sell personal information and do not share it for cross-context behavioral advertising.

12. Data breach notification

If we become aware of a confirmed security incident that has resulted in unauthorized access to, disclosure of, or destruction of your personal data, we will:

We maintain a written incident response process; we test it; and we expect — and require — our sub-processors to notify us promptly of any security incident affecting your data on their systems.

13. Sensitive financial data

Bank statements contain information that several U.S. state laws (including New York's SHIELD Act, California's CCPA/CPRA, Massachusetts' 201 CMR 17, and others) and the EU's GDPR treat as sensitive. We treat all uploaded statement content as sensitive by default and apply the following extra precautions:

14. International transfers

Your data is primarily stored and processed in the United States (Render's Oregon region). If you are accessing the service from outside the U.S., you understand and consent to your data being transferred to and processed in the U.S.

For transfers of personal data subject to GDPR or UK GDPR, we rely on the European Commission's Standard Contractual Clauses (SCCs) and applicable supplementary measures, included in our agreements with U.S.-based sub-processors.

15. Children

YourStatementConverter is a business tool not directed at children. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete that information promptly.

16. Cookies and tracking

We use a small number of cookies:

We do not use cross-site advertising or behavioral tracking pixels (no Facebook Pixel, no LinkedIn Insight Tag, no TikTok pixel).

17. Changes to this policy

We may update this policy from time to time. Material changes — anything that meaningfully expands what data we collect, who we share it with, or how long we keep it — will be announced by email to active customers at least 30 days before taking effect.

Minor changes (clarifications, formatting, fixing typos) will be silently updated, and the "Last updated" date at the top of this page will reflect the change.

The current version is always available at yourstatementconverter.com/data-security.html.

18. Contact us

For any privacy-related question, data subject request, breach concern, or general inquiry:

By creating an account on YourStatementConverter you confirm that you have read this Data Security & Privacy Policy, that you understand how your data and any client data you upload will be handled, and that — if you are a bookkeeper, CPA, or accounting professional uploading your clients' statements — you have the authority and consent to do so.