GDPR Compliance

BankStatementLab is fully committed to the General Data Protection Regulation (EU) 2016/679. As a service that processes bank statements — highly sensitive financial documents — we hold ourselves to the highest standards of data protection. We act as a data processor on behalf of our users (data controllers). We process your documents solely for the purpose of converting them to structured formats (Excel, CSV, JSON). We do not analyze, profile, or repurpose your financial data in any way. Our approach is simple: collect only what is strictly necessary, process it as quickly as possible, and delete it as soon as the job is done.

We follow the principle of data minimization. We collect only what is strictly necessary to provide the service: • Account information: email address, hashed password, language preference • Billing data: managed entirely by Stripe — we never store credit card numbers • Uploaded files: bank statement PDFs — never stored on our servers, processed in memory only • Extraction results: structured transaction data (columns, amounts, dates) stored only as long as you need them • Technical logs: anonymized usage metrics for service improvement, with no personally identifiable information We do NOT collect: your IP address for tracking, browsing history, device fingerprints, or any data beyond what is listed above.

When you upload a bank statement PDF, here is exactly what happens: 1. Your file is uploaded via an encrypted TLS 1.3 connection 2. The PDF is processed in memory on our server 3. Our AI extraction engine reads and structures the data 4. The structured data (transactions, columns) is saved to your account 5. The original PDF is never stored on our servers This entire process typically takes a few seconds. Your source PDF is never stored on our infrastructure. For guest users (without an account), PDFs are retained for a maximum of 24 hours to allow extraction completion, then permanently deleted.

We implement multiple layers of security to protect your data: • Transport encryption: all communications between your browser and our servers use TLS 1.3, the latest encryption standard • Password security: all passwords are hashed using bcrypt with salt — we never store passwords in plain text • Secure authentication: JWT-based authentication with secure, httpOnly cookies • Access control: strict role-based access — only you can access your extractions • Infrastructure security: our servers run on hardened environments with automatic security updates • Dependency monitoring: we regularly audit and update all software dependencies

File deletion is not optional — it's automatic and systematic: • PDF source files: never stored on our servers. Processed in memory only. • Temporary processing files (sliced pages): cleaned up automatically within 24 hours • Guest extractions: fully deleted after 24 hours • Errored or ephemeral extractions: cleaned up automatically within 24 hours Our automated cleanup system runs daily to ensure no file is ever forgotten. Each run is logged and monitored to guarantee reliability.

For registered users, we give you full control over your data retention: • Auto-delete OFF (default): your extraction results are kept until you manually delete them • Auto-delete ON: choose a retention period from 1 to 30 days. Extractions older than your chosen period are automatically and permanently deleted You can configure your retention policy at any time from your profile settings. Changes apply immediately — if you reduce your retention period, extractions that exceed the new limit will be deleted at the next automated cleanup. For billing data, we retain invoices for 7 years as required by French tax law. Account information is deleted 30 days after account closure.

Under the GDPR, you have the following rights, and we make it easy to exercise them: • Right of access (Art. 15): request a copy of all data we hold about you • Right to rectification (Art. 16): correct any inaccurate personal data • Right to erasure (Art. 17): delete your account and all associated data at any time — directly from your profile, no request needed • Right to restriction (Art. 18): request that we limit processing of your data • Right to data portability (Art. 20): export your extraction data in standard formats (Excel, CSV, JSON) at any time • Right to object (Art. 21): object to any processing of your data To exercise any of these rights, contact us at support@bankstatementlab.com. We respond to all requests within 30 days, as required by the GDPR.

We use a limited number of trusted sub-processors to provide our service. Each one is carefully selected and contractually bound to GDPR compliance: • Hosting & infrastructure: our servers are located in the European Union • Payment processing: Stripe (PCI DSS Level 1 certified) — we never see or store your card details • AI extraction: we use AI models to process document content. The data sent for extraction is limited to the document content and is not used to train models • Email: transactional emails only (account verification, password reset) We do not use any advertising networks, social media trackers, or third-party analytics that share data outside the EU.

In the unlikely event of a data breach, we commit to: • Notifying the relevant supervisory authority (CNIL in France) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR • Notifying affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34) • Documenting all breaches, their effects, and the remedial actions taken We maintain incident response procedures and regularly test our systems to prevent breaches. To date, we have not experienced any data breach.

When you delete your account from your profile: • All your extraction data (transactions, columns, amounts) is permanently wiped • All associated PDF files are deleted from disk (if any remain) • Your account information (email, settings) is anonymized • Only anonymized analytics metadata is retained (page counts, processing times) — with no link to your identity This process is immediate and irreversible. It fully satisfies Article 17 of the GDPR (right to erasure). You do not need to contact us — you can do it yourself, at any time, from your account settings.

For enterprise and business customers who need a formal Data Processing Agreement (DPA) as required by Article 28 of the GDPR, we provide a standard DPA upon request. Our DPA covers: • Nature and purpose of processing • Types of personal data processed • Categories of data subjects • Sub-processor obligations • Data security measures • Breach notification procedures • Data deletion upon contract termination To request a DPA, contact us at support@bankstatementlab.com.

For any questions about our data protection practices, GDPR compliance, or to exercise your rights: • Email: support@bankstatementlab.com • Contact form: available on our contact page We strive to respond to all privacy-related inquiries within 30 days. For urgent matters related to data security, we aim to respond within 24 hours. If you believe your data protection rights have been violated, you also have the right to lodge a complaint with your local supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés).