Privacy Policy

Your privacy.

What personal data we collect, why, where it goes, how long we keep it, and your rights under UK GDPR. Written to be read in full.

Version 1.1 · 4 June 2026

1. Who we are

StatementPro is operated by AX Studio Labs Ltd (Company No. 17076527), the data controller for the personal data described in this policy. Our registered address is 17 Oxhayes Close, Balsall Common, Solihull, CV7 7PS, United Kingdom. For any data protection query, email privacy@statementpro.co.uk.

We are registered with the UK Information Commissioner's Office (ICO) as a data controller.

2. What this policy covers

This policy covers the personal data we process when you create an account and use StatementPro to convert bank statement PDFs into structured analytics. It does not cover third-party websites you reach via links from our service.

3. The personal data we process

Account data. Your email address, your plan, and usage counters. At present, email is the only personal identifier we collect at registration.

Statement-derived data. When you upload a bank statement PDF, we extract its transactions and produce structured output. We retain the following: the structured output (extracted transactions and per-statement metadata, in JSON form), so you can re-download past conversions without re-uploading the source PDF; for multi-statement periods, a stitched view of the combined transaction stream and period-level metadata, for the same purpose; and a conversion record for each conversion (filename, page count, bank name, transaction count, date).

This structured output includes the account-holder name, the account number where it appears on the statement, and transaction-level detail (descriptions, amounts, dates, running balances). These appear on the exports you download and re-download. We do not extract or store payment-card numbers or banking login credentials, and we have no access to your online banking. Source PDFs are processed in memory and are not retained at any point after conversion completes.

We do not access the contents of your conversions except where strictly necessary to operate the service, respond to a support request you have raised, or meet a legal obligation; such access is restricted to authorised personnel and logged.

Payment data. Billing is handled by Stripe. We do not see or store your card details; we hold only the billing records Stripe returns to us (such as plan and payment status).

Technical data. Our hosting provider processes request logs and IP addresses for routing and security. We do not run analytics or behavioural tracking, and we set no non-essential cookies.

4. Special category and third-party data

Bank transaction data can incidentally reveal sensitive information (for example, payments to a healthcare provider, place of worship, political party, or trade union). We do not seek out or intentionally process special-category data; any such content is processed only as part of the structured output, on your instruction, to provide the service.

Statements you upload may also contain personal data about other people (such as payees). You are responsible for ensuring you have a lawful basis to upload that data; we process it solely to deliver the conversion you request.

5. Why we process your data, and our lawful basis

| Purpose | Lawful basis (UK GDPR Art. 6) |
| --- | --- |
| Creating and operating your account; converting statements; storing structured output for re-download | Performance of a contract |
| Taking payment and keeping billing and tax records | Contract; legal obligation |
| Securing the service, preventing abuse, and maintaining logs | Legitimate interests |
| Responding to rights requests and legal obligations | Legal obligation |

We do not use your data for marketing without your consent, and we do not sell personal data.

6. AI processing and model training

The extraction step sends statement contents to Anthropic’s API. Under Anthropic’s commercial terms, content submitted via the API is processed transiently and is not used to train AI models. We do not use your statement contents to train any model of our own.

7. Where your data is stored, and international transfers

Account data, conversion metadata, and persisted structured output are stored on Supabase infrastructure in London (AWS eu-west-2), United Kingdom. Two processing steps involve transfers outside the UK: Anthropic (United States) receives statement contents for transient AI extraction, and Stripe (United States) receives billing data only and has no access to statement contents.

These transfers are covered by appropriate safeguards under UK GDPR — the UK International Data Transfer Agreement, or the Addendum to the EU Standard Contractual Clauses, as provided in each provider’s Data Processing Agreement.

8. Sub-processors

We use four sub-processors, each a major provider with published security and DPA documentation:

| Provider | Role | Data accessed | Region |
| --- | --- | --- | --- |
| Anthropic | AI processing of statement contents during conversion | Statement contents (transient) | US (under DPA) |
| Supabase | Database, authentication, account metadata, persisted output | Email, plan, conversion metadata, structured output (incl. account-holder name and number where shown) | London (eu-west-2) |
| Vercel | Application hosting, request routing | Request logs, IP, no payloads stored | Global edge |
| Stripe | Payment processing and billing | Billing data only — no statements | US (under DPA) |

9. How long we keep your data

Account metadata, conversion records, and structured output are retained for 90 days by default, enforced by a daily automated cleanup job with audit logging. Source PDF contents are not retained after conversion completes.

You can delete any individual conversion (single statement or period) from the dashboard — immediate and permanent, removing both the conversion record and its structured output. You can also delete your account and all associated data from Account Settings — immediate, with no support ticket required. Out-of-band deletion requests are completed within 7 working days. Billing records may be retained longer where required by law (for example, UK tax record-keeping).

10. Data minimisation controls

You can opt to anonymise the account-holder name in generated Excel and CSV downloads, replacing it with the placeholder “Account Holder”. This applies at download time and is intended to let you share exported analytics with advisors, brokers, or auditors without disclosing the account-holder identity.

11. Security

All data in transit is encrypted via TLS 1.2 or higher, and all data at rest is encrypted via AES-256 within Supabase infrastructure. Production data access follows least privilege: service-role keys are server-side only, and per-user data access is enforced at the database level by Row-Level Security. Our infrastructure providers (Supabase, Vercel) are SOC 2 Type II certified. Authentication uses Supabase Auth with industry-standard password hashing and session management; we do not store passwords ourselves.

12. Data breaches

Our sub-processors commit to notifying us within 48 hours of becoming aware of an incident affecting our data. We commit to notifying affected users within 72 hours of confirming any incident affecting their account, by email. Where notification to the ICO is required under UK GDPR, we will do so within 72 hours of becoming aware.

13. Your rights under UK GDPR

You have the right to access, rectify, erase, and port your personal data, and to object to or restrict certain processing. Most rights can be exercised immediately via Account Settings or the dashboard. For anything not covered by the in-app flow, email privacy@statementpro.co.uk; we respond within 7 working days. If you are unhappy with how we handle your data, you may complain to the Information Commissioner’s Office (ico.org.uk), though we’d ask you to contact us first.

14. Cookies

We use only strictly necessary cookies for authentication and session management. We do not use analytics, advertising, or tracking cookies, so no consent banner is required.

15. Children

StatementPro is a tool for finance professionals and is not directed at, or intended for, anyone under 18.

16. Data processing agreement

A Data Processing Agreement is available on request for business customers. Email privacy@statementpro.co.uk to request a copy.

17. Changes to this policy

We may update this policy. Material changes will be notified by email or in-app. The version and date below the title reflect the current version.

Contact

AX Studio Labs Ltd (Company No. 17076527)
17 Oxhayes Close, Balsall Common, Solihull, CV7 7PS, United Kingdom
Data protection: privacy@statementpro.co.uk · Web: statementpro.co.uk