Privacy Policy
Last updated: June 21, 2026
StatementTidy ("StatementTidy," "we," "us," or "our") operates statementtidy.com (the "Service"). This Privacy Policy explains what data we collect, how we use it, and the architectural choices we've made to minimize what we collect in the first place.
If you have questions, contact us at privacy@statementtidy.com.
1. The short version
- Your bank statement never leaves your browser. Conversion (PDF → CSV/Excel/QBO) happens entirely on your device. We do not receive, see, store, or transmit your statement files or the transaction data inside them.
- We only collect an email address if you voluntarily submit it (e.g., to be notified about upcoming features), and only with your explicit consent.
- We use PostHog for basic product analytics (page views, button clicks) to understand how the tool is used. This does not include your statement contents.
- If you later subscribe to a paid plan, we collect standard account and billing information needed to provide that service (see Section 6).
2. Data we do not collect
This section exists because it's the most important part of how StatementTidy is built.
- We do not upload your bank statement. All parsing — reading the PDF, identifying transactions, reconciling balances, generating your CSV/Excel/QBO file — runs as JavaScript in your browser. There is no server-side code path that accepts a statement file. This is not just a policy; it's a structural property of how the converter is built (no upload endpoint exists in our free tier).
- We do not store the transactions you convert. Once you close the tab or refresh the page, the parsed data is gone. Nothing is written to a database.
- We do not see the contents of your CSV, Excel, or QBO downloads. They're generated and saved directly to your device by your browser.
You can verify this yourself: open your browser's developer tools, go to the Network tab, and convert a statement. You will see no request carrying the file or its contents. You can also disconnect from the internet entirely after the page loads and still successfully convert a statement.
3. Data we do collect
a) Email address (only if you provide it)
If you choose to submit your email — for example, to be notified when batch conversion, multi-file upload, or QuickBooks/Xero sync features launch — we collect:
- Your email address
- The page/feature you submitted it from (source_slug)
- UTM parameters, if you arrived via a tracked link
- Your consent confirmation and timestamp
We only store this if you affirmatively check the consent box. We do not pre-check it, and we do not collect your email any other way.
What we use it for: to notify you about features you expressed interest in, and to understand demand for those features. We do not sell, rent, or share your email with third parties for their marketing purposes.
b) Analytics data
We use PostHog to understand aggregate usage of the Service — for example, which export format is most popular, or whether visitors who try the converter go on to request the sync feature. This may include:
- Pages visited and buttons clicked
- General device/browser information (type, OS, screen size)
- Approximate location (derived from IP address, at a city/region level — we do not store full IP addresses)
- Anonymous/pseudonymous identifiers (not tied to your name unless you've also submitted your email)
This never includes the contents of any statement you convert. Analytics events track that you clicked "Download CSV," never what was in the file.
c) Account & billing data (paid tier only)
If you create an account and subscribe to a paid plan, we additionally collect:
- Name and email (for your account)
- Authentication data (passwords are hashed; we never store them in plain text)
- Billing information, processed by Stripe — we do not store your card number ourselves
- If you connect QuickBooks Online or Xero: connection metadata (which company/organization you connected, what permissions were granted, when) — never your QuickBooks/Xero login credentials, which you enter directly with Intuit or Xero, never with us
We do not have access to the categories of data covered by GLBA or banking regulations as a financial institution — we are a software tool, and the architecture above is designed so that the most sensitive data (your actual statement) never reaches us.
4. How we use data
| Data | Purpose | Legal basis (where applicable) |
|---|---|---|
| Email (opt-in) | Notify you about requested features; gauge demand | Consent |
| Analytics events | Improve the product, understand usage | Legitimate interest |
| Account/billing data | Provide the paid service you signed up for | Contract |
5. Cookies & tracking
PostHog may use cookies or local storage to distinguish unique visitors. You can use your browser's privacy controls or extensions to block this without affecting your ability to use the converter — the core conversion tool works with analytics blocked entirely.
We do not use third-party advertising trackers.
6. Third parties we use ("sub-processors")
| Provider | Purpose | What they receive |
|---|---|---|
| Vercel | Hosting | Standard web request metadata (IP, request logs) |
| Neon | Database (leads, accounts) | Email, account data — never statement contents |
| PostHog | Analytics | Usage events, approximate location |
| Stripe (paid tier) | Payment processing | Billing details — we don't store card numbers |
| Intuit (QuickBooks) / Xero (paid tier) | Accounting sync, if you connect it | Transactions you choose to sync, OAuth tokens |
We have data processing agreements with these providers where applicable.
7. Data retention
- Statement data: never stored, so there's nothing to retain or delete.
- Email/lead data: retained until you ask us to delete it, or 12 months of inactivity, whichever comes first.
- Account data (paid tier): retained while your account is active, and for 30 days after deletion to allow recovery, then permanently deleted.
- OAuth tokens (paid tier): deleted immediately upon disconnect, both from our systems and revoked at the provider.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Receive a copy of your data in a portable format
- Withdraw consent (e.g., unsubscribe from email) at any time
EU/UK residents (GDPR): the legal bases above apply, and you have the right to lodge a complaint with your local data protection authority.
California residents (CCPA/CPRA): we do not sell your personal information. You have the right to know, delete, and correct your data, and to opt out of "sharing" (we do not currently share data in a way that would trigger this, but we honor the right regardless).
To exercise any of these rights, email privacy@statementtidy.com.
9. Security
We use TLS encryption in transit, encryption at rest for stored data, and — for the paid tier's accounting integrations — envelope-encrypted token storage so that OAuth credentials are never stored or logged in plain text. See Section 2 for why the highest-risk data category (your raw statement) is structurally excluded from our systems entirely.
10. Children's privacy
The Service is not directed to children under 16, and we do not knowingly collect data from them.
11. Changes to this policy
We'll update the "Last updated" date above when this policy changes. Material changes (e.g., new data collection) will be communicated via the site or, where you've given us an email, via email.