Data Security & Privacy Policy
- Who we are and our role
- What data we collect
- Why we collect each category
- Sub-processors (who handles your data)
- Where your data is stored
- Retention by data category
- AI training: we never opt in
- Encryption and access controls
- Our access to your data and our commitment
- SOC 2 and compliance posture
- Your rights as a customer
- Data breach notification
- Sensitive financial data
- International transfers
- Children
- Cookies and tracking
- Changes to this policy
- Contact us
1. Who we are and our role
YourStatementConverter is operated by Chowdhury Labs LLC, a New York limited liability company (EIN 42-2721053). Throughout this policy, "we," "us," "our," and "YourStatementConverter" refer to Chowdhury Labs LLC.
For the purposes of GDPR, UK GDPR, CCPA/CPRA, and similar privacy regulations, we act as the data controller for personal data processed through our service. The sub-processors listed in Section 4 act as data processors on our behalf.
If you are a bookkeeper, CPA, or accountant using our service to process your own clients' bank statements, you remain the data controller for your client relationships and are responsible for ensuring you have the authority and consent to upload those statements to our service.
2. What data we collect
2.1 Account information
- Email address (required)
- Password (stored only as a bcrypt hash — we never see your plaintext password)
- Full name (optional)
- Firm name (optional)
- Account creation date, last login timestamp
2.2 Statement content you upload
- The original PDF file you upload
- Extracted transaction data: dates, descriptions, debit/credit amounts, running balances
- Statement metadata: bank name, account holder name, last 4 digits of account number, statement period, beginning and ending balances
Your bank statements may contain personally identifiable information (PII) such as account holder names, account numbers, addresses, and transaction history. We treat this information as sensitive financial data under all applicable laws (see Section 13).
2.3 Payment information
- Subscription tier (Solo, Practice, Catch-up project, etc.)
- Stripe customer ID (used to look up your invoices and subscription status)
- Billing email, plan renewal date
We do not collect, see, or store your credit card number, CVV, or bank account number used for payment. All payment instruments are collected directly by Stripe on Stripe's hosted checkout page; Stripe returns only a tokenized customer reference to us.
2.4 Usage data
- IP address (used for rate-limiting, abuse prevention, and security auditing)
- Browser user-agent string
- Conversion history (PDFs uploaded, pages used, reconciliation status, timestamps)
- Support ticket content you submit through the "Report a problem" button, including a contextual snapshot of your account state at submission time
2.5 Analytics
We use Google Analytics 4 with IP-anonymization on our marketing site (yourstatementconverter.com) to understand traffic sources and on-page engagement. GA4 does not have access to your uploaded statement content or your in-app activity.
3. Why we collect each category
| Category | Purpose | Legal basis (GDPR) |
|---|---|---|
| Account info | Provide the service, authenticate you | Contract |
| Statement PDFs | Extract transactions, reconcile, generate Excel output | Contract |
| Extracted transaction data | Deliver the converted Excel, let you re-download for 3 days | Contract |
| Payment info | Process subscriptions and top-ups | Contract; legal obligation (tax/IRS) |
| Usage logs | Rate limiting, abuse prevention, debugging | Legitimate interest |
| Support ticket content | Resolve your issue, improve the product | Legitimate interest |
| Analytics (marketing site) | Understand site traffic, improve copy and SEO | Legitimate interest |
4. Sub-processors (who handles your data)
We use the following sub-processors to deliver the service. Each is bound by a data processing agreement (DPA) requiring them to handle your data only on our instructions and apply appropriate security measures.
| Sub-processor | Role | Location | Compliance | Reference |
|---|---|---|---|---|
| Anthropic, PBC | AI extraction (Claude Haiku 4.5 + Claude Sonnet 4.6) reads the PDF and returns structured transaction data | United States | SOC 2 Type II, HIPAA-eligible, ISO 27001 | trust.anthropic.com |
| Render Services, Inc. | Hosts our application, database, and file storage | Oregon, USA (us-west) | SOC 2 Type II, HIPAA-eligible | render.com/security |
| Stripe, Inc. | Processes all payments (credit cards, ACH). We never see your card data. | United States (global) | PCI DSS Level 1, SOC 1 / SOC 2 Type II | stripe.com/privacy |
| Hostinger International Ltd. | Hosts our marketing site (yourstatementconverter.com) and delivers transactional email via SMTP | European Union | ISO 27001 (parent group certifications) | hostinger.com/privacy-policy |
| Google LLC | Google Analytics 4 on the public marketing site only (no access to in-app data or uploaded PDFs) | United States (global) | SOC 2/3, ISO 27001, ISO 27017, ISO 27018 | policies.google.com/privacy |
We will update this list and notify you by email at least 30 days before adding any new sub-processor that materially changes how your data is handled.
5. Where your data is stored
- Uploaded PDFs and generated Excel files: Persistent disk mounted to our Render web service in Oregon, USA. Encrypted at rest by Render. Auto-deleted on a rolling 3-day window.
- Database (account info, extracted transaction data, subscription state): Managed PostgreSQL on Render in Oregon, USA. Encrypted at rest. Daily backups retained by Render for point-in-time recovery.
- Application logs: Render's log retention pipeline. Logs are scrubbed of PDF content and exclude sensitive fields; they retain request paths, IP addresses, status codes, and stack traces only.
- Payment records: Stripe's PCI-compliant infrastructure. We retain only a tokenized customer reference and subscription metadata in our own database.
- Transactional email (signup confirmations, support replies, billing receipts): Sent through Hostinger SMTP from
hello@yourstatementconverter.com.
6. Retention by data category
We retain personal data only as long as needed for the purposes described in this policy, or as required by law. Specific retention periods:
| Data category | Retention period | Why |
|---|---|---|
| Uploaded PDFs (on our disk) | 3 days from upload (target) | Gives you a re-download window; auto-purged on day 3 |
| Generated Excel files (on our disk) | 3 days from generation (target) | Same as above; auto-purged on day 3 |
| Statement content on Anthropic's API backend | Up to 30 days | Anthropic's standard commercial-API retention. Not used for training. Anthropic's documented ceiling — many calls are deleted sooner. |
| Extracted transaction data (in DB) | 72 hours from generation, then row removed | Matches the file purge window |
| Conversion summary metadata (filename, page count, status) | Lifetime of your account | Lets your dashboard show your history; contains no transaction content |
| Account information | Until you delete your account | Required to provide the service |
| Payment records and invoices | 7 years | U.S. tax law / IRS recordkeeping |
| Support tickets | 2 years | Customer service continuity; quality assurance |
| Application logs | 30 days | Operational debugging window |
| Anthropic API logs (on Anthropic's side) | Maximum 30 days | Anthropic's published commercial retention policy |
When you delete your account, we remove your account information and any retained extracted transaction data within 30 days. Payment records and audit logs may be retained as listed above to comply with legal obligations, but they are not used for any purpose other than meeting those obligations.
7. AI training: we never opt in
Anthropic's published policy on this is here: How do you use personal data in model training? — under "Data usage for Anthropic Commercial Offerings" Anthropic states: "We will not use your chats or coding sessions to train our models, unless you choose to participate in our Development Partner Program."
8. Encryption and access controls
- In transit: All connections between you and our service are protected by TLS 1.2 or higher (HTTPS). Connections between our service and our sub-processors are similarly encrypted in transit.
- At rest: Render encrypts persistent disks and managed PostgreSQL databases at rest using AES-256.
- Passwords: Hashed using bcrypt with a per-password salt. We cannot recover your plaintext password — if you lose it, you reset it through the email verification flow.
- Session security: JWT-based session tokens, served only over HTTPS, scoped to your account.
- Administrative access: Only authorized personnel of Chowdhury Labs LLC have administrative access to production systems, and only when needed to operate, debug, or improve the service. Administrative access is logged.
- Rate limiting: Per-IP throttles on login, signup, code redemption, and conversion endpoints to mitigate brute-force and abuse.
9. Our access to your data and our commitment
You should know exactly who can see your data and under what circumstances.
9.1 When we actually look at your data
The honest list of times we may view the contents of an uploaded PDF or extracted transaction set:
- You opened a support ticket referencing a specific conversion and we need to reproduce the issue to fix it.
- Active debugging of an extraction failure, reconciliation bug, or AI mis-classification, where we need to inspect the input that triggered it.
- Abuse or security investigation — for example, if our anti-abuse systems flag an account, or if we have a reasonable belief that the service is being used in violation of our Terms of Service.
- Lawful legal process — we will tell you about any subpoena, warrant, or government request for your data unless we are legally prohibited from doing so.
Every administrative access to production systems is logged. Routine processing of your statement does not involve a human looking at it — the AI extraction, reconciliation, and Excel rendering pipeline runs end-to-end without human review.
9.2 Our commitment if a data security issue affects you
If a data security issue arises — whether caused by us, a sub-processor, or an attacker — Chowdhury Labs LLC commits to:
- Treat the incident as our top operational priority until it is resolved.
- Investigate the root cause promptly and transparently, including coordinating with any affected sub-processor (Anthropic, Render, Stripe, Hostinger, Google) and pursuing their incident-response procedures on your behalf.
- Communicate with you in plain English, on the timeline described in Section 12 (Data Breach Notification), explaining what happened, what data was affected, what we did about it, and what — if anything — you need to do.
- Apply remediation: account credits, free re-runs, full refunds, identity-monitoring support, or whatever specific remedy fits the situation. We will not hide behind contractual caps when the right thing to do is more.
- Fix the underlying cause so the same issue cannot happen again, and document the fix in writing.
If you believe a data security issue is affecting you right now, email hello@yourstatementconverter.com with "SECURITY" in the subject line — we will respond within one business day.
10. SOC 2 and compliance posture
Chowdhury Labs LLC is not itself currently SOC 2 certified. We are an early-stage company and have not yet completed a formal SOC 2 Type II audit. We expect to pursue certification as the customer base grows.
However, every sub-processor that touches your data is independently certified to a recognized security standard:
- Anthropic — SOC 2 Type II, HIPAA-eligible, ISO 27001 (see trust.anthropic.com)
- Render — SOC 2 Type II (see render.com/security)
- Stripe — PCI DSS Level 1, SOC 1 / SOC 2 Type II
- Google (Analytics) — SOC 2/3, ISO 27001 family
This means the operational infrastructure your data passes through and rests on is held to SOC 2 Type II controls. We design our application layer to match those controls: principle of least privilege, encryption at rest and in transit, audit logging, separation of test/production credentials, and timely patching.
If you require formal evidence of a sub-processor's compliance posture (e.g., for your firm's vendor review), each sub-processor publishes its security report — see the references in Section 4 — or contact us at hello@yourstatementconverter.com and we'll help.
11. Your rights as a customer
Depending on where you live, you may have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correct — Update or correct inaccurate data.
- Delete — Request deletion of your account and associated data ("right to be forgotten").
- Portability — Receive your data in a structured, machine-readable format.
- Object / Restrict — Object to or restrict processing under certain circumstances.
- Withdraw consent — Where processing is based on consent, withdraw it at any time.
- Not be discriminated against — We will not deny service, charge different prices, or provide a different quality of service because you exercised these rights.
To exercise any of these rights, email hello@yourstatementconverter.com. We will respond within 30 days. For deletion requests we will confirm completion within 30 days of receipt; certain records (payment history, audit logs) may be retained as required by law as described in Section 6.
If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection authority. If you are in California, you have additional rights under CCPA/CPRA; we do not sell personal information and do not share it for cross-context behavioral advertising.
12. Data breach notification
If we become aware of a confirmed security incident that has resulted in unauthorized access to, disclosure of, or destruction of your personal data, we will:
- Notify affected customers by email within 72 hours of confirming the incident, providing the nature of the breach, what data was affected, what we are doing in response, and recommended steps for you.
- Notify the relevant supervisory authority within applicable statutory windows (72 hours under GDPR; varies by U.S. state under state breach-notification laws).
- Maintain a written incident response record for our internal audit.
We maintain a written incident response process; we test it; and we expect — and require — our sub-processors to notify us promptly of any security incident affecting your data on their systems.
13. Sensitive financial data
Bank statements contain information that several U.S. state laws (including New York's SHIELD Act, California's CCPA/CPRA, Massachusetts' 201 CMR 17, and others) and the EU's GDPR treat as sensitive. We treat all uploaded statement content as sensitive by default and apply the following extra precautions:
- Per-customer access scoping in the database — your conversions are never visible to another customer through the application.
- No transaction-content data is included in our application logs.
- The 3-day file retention window is shorter than industry standard specifically to minimize the blast radius of any incident.
- Account numbers are stored only as last-4-digit truncations in our database after extraction; the full PDF (which may contain the full account number) is deleted on the 3-day cycle.
14. International transfers
Your data is primarily stored and processed in the United States (Render's Oregon region). If you are accessing the service from outside the U.S., you understand and consent to your data being transferred to and processed in the U.S.
For transfers of personal data subject to GDPR or UK GDPR, we rely on the European Commission's Standard Contractual Clauses (SCCs) and applicable supplementary measures, included in our agreements with U.S.-based sub-processors.
15. Children
YourStatementConverter is a business tool not directed at children. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete that information promptly.
16. Cookies and tracking
We use a small number of cookies:
- Authentication cookie (essential): the signed JWT that keeps you logged in. Strictly necessary; you can't use the service without it.
- Google Analytics cookies (marketing site only): drop on yourstatementconverter.com to measure traffic. Not present inside the application. You can opt out via Google's opt-out browser add-on or via your browser's "Do Not Track" / privacy controls.
We do not use cross-site advertising or behavioral tracking pixels (no Facebook Pixel, no LinkedIn Insight Tag, no TikTok pixel).
17. Changes to this policy
We may update this policy from time to time. Material changes — anything that meaningfully expands what data we collect, who we share it with, or how long we keep it — will be announced by email to active customers at least 30 days before taking effect.
Minor changes (clarifications, formatting, fixing typos) will be silently updated, and the "Last updated" date at the top of this page will reflect the change.
The current version is always available at yourstatementconverter.com/data-security.html.
18. Contact us
For any privacy-related question, data subject request, breach concern, or general inquiry:
- Email: hello@yourstatementconverter.com
- Mailing address: Chowdhury Labs LLC, New York, NY, United States
- Privacy contact: Same email — we treat all inbound mail as potentially privacy-related and route accordingly.