Privacy Policy
Last updated: June 30, 2026
The short version
StatementSheet converts PDF bank and credit-card statements to Excel and CSV. For digital (text-based) PDFs, the entire conversion happens inside your browser. The PDF file and the transactions it contains are never uploaded to our servers. They stay on your device.
What we never receive
- Your statement PDF files.
- The transaction rows, balances, account numbers, or any financial content of your statements.
- The generated Excel/CSV files — they are created and downloaded locally in your browser.
Parsing, optical character recognition (OCR) for scanned pages, reconciliation, and file generation all run client-side using technology that executes on your device.
What we do collect
- Account data (only if you create an account): your email address, your plan, your remaining page credits, and a Stripe customer reference if you purchase credits.
- Usage metadata for the free-tier limit: to enforce free daily/monthly limits we store non-content metadata — a page count, a bank label (e.g. "chase"), a timestamp, and a salted, irreversible hash of your IP address for anonymous users. We do not store raw IP addresses, and this metadata never includes statement content.
- Payment data: purchases are processed by Stripe. We never see or store your full card number. See Stripe's privacy policy for how they handle payment data.
- Sign-in: we use one-time email "magic links." We store a short-lived, hashed token to verify the link, and a session cookie to keep you signed in.
The one optional exception: scanned-image OCR
If a page is a low-quality scanned image that on-device OCR cannot read confidently, signed-in users with credits may opt into an AI vision fallback when that feature is enabled on the deployment. Only in that case is the image of that single page sent to our AI provider to extract its text. The image is processed transiently to return the transactions and is not stored. Digital PDFs never use this path and never leave your device.
Cookies
We use a single first-party, HttpOnly session cookie to keep you signed in. We do not use third-party advertising or cross-site tracking cookies.
Bot protection
We use Cloudflare Turnstile to protect sign-in and conversion endpoints from automated abuse. Turnstile is a privacy-preserving alternative to traditional CAPTCHAs.
Data retention
Account records persist while your account is active. Free-tier usage counters reset on their daily/monthly cycle. You can request deletion of your account and associated data at any time by contacting us.
Your rights
You may request access to, correction of, or deletion of the limited account data we hold. Email us at [email protected] and we'll help.
Contact
Questions about this policy? Reach us at [email protected].