How we handle your data.
What data we process, where it goes, and the commitments we make to users and customers. Written to be read in full in five minutes.
Version 1.5 · 4 June 2026
1. Data we process
When a user uploads a bank statement PDF, StatementPro processes the document’s contents in memory to extract transactions and produce structured output. The original PDF is not retained at any point after conversion completes.
We hold limited account metadata (user email, plan, usage counters) and a record of each conversion (filename, page count, bank name, transaction count, date). We also retain the structured output — the extracted transactions and per-statement metadata, in JSON form — so users can re-download past conversions as Excel or CSV without re-uploading the source PDF. Where a user uploads multiple statements as a single period, we additionally retain a stitched view of the period (the combined transaction stream and period-level metadata) for the same purpose. Both are subject to the retention window in §4.
The structured output we store includes the account-holder name and, where it appears on the statement, the account number, because these are shown on the exports our users download and re-download. We do not extract or store payment-card numbers or banking login credentials, and we have no access to your online banking. We do not access the contents of your conversions except where strictly necessary to operate the service, respond to a support request you have raised, or meet a legal obligation; such access is restricted to authorised personnel and logged.
2. Where data is processed and stored
All user account data, conversion metadata, and persisted structured output are stored on Supabase infrastructure hosted in London (AWS eu-west-2). Statement PDFs are sent to Anthropic’s API for the AI-driven extraction step; the contents are processed transiently and are not used to train AI models. Per Anthropic’s Commercial Terms, customer content from API services is not used for model training. Application hosting and request routing are provided by Vercel. Payment processing is handled by Stripe, which has no access to statement contents.
3. Sub-processors
We use four sub-processors. Each is a major provider with published security and DPA documentation:
| Provider | Role | Data accessed | Region |
|---|---|---|---|
| Anthropic | AI processing of statement contents during conversion | Statement contents (transient) | US (under DPA) |
| Supabase | Database, authentication, account metadata, persisted conversion output | Email, plan, conversion metadata, structured output (incl. account-holder name and number where shown) | London (eu-west-2) |
| Vercel | Application hosting, request routing | Request logs, IP, no payloads stored | Global edge |
| Stripe | Payment processing and billing | Billing data only — no statements | US (under DPA) |
4. Retention
Account metadata, conversion records, and the structured output described in §1 are retained for 90 days by default, enforced by a daily automated cleanup job with audit logging. Enterprise customers may configure alternative retention periods by agreement. Statement PDF contents are not retained at any point after conversion completes.
Users can delete any individual conversion (single statement or multi-statement period) directly from the in-app dashboard. Deletion is immediate, permanent, and removes both the conversion record and its persisted structured output. Account deletion is also self-service: users can delete their account and all associated data immediately from within Account Settings — no support ticket required. Out-of-band deletion requests are completed within 7 working days.
5. Data minimisation controls
Users can opt to anonymise the account-holder name in generated Excel and CSV downloads. When enabled, the placeholder “Account Holder” replaces the real name in both single-statement and multi-statement period downloads. The toggle applies at download time and does not modify the stored record. This is intended to support users sharing exported analytics with third parties (advisors, brokers, auditors) without disclosing the underlying account-holder identity.
6. Security commitments
All data in transit is encrypted via TLS 1.2 or higher. All data at rest is encrypted via AES-256 within Supabase infrastructure. Access to production data is restricted under the principle of least privilege: service-role keys are server-side only, and user-data access is enforced at the database level by Row-Level Security policies. Our infrastructure providers (Supabase, Vercel) are SOC 2 Type II certified. Authentication is provided by Supabase Auth with industry-standard password hashing and session management. We do not store passwords ourselves.
7. Incident response
Our sub-processors commit to notifying us within 48 hours of becoming aware of a security incident affecting our data. In turn, we commit to notifying affected users within 72 hours of confirmation of any incident affecting their account, by email to the address on file. Where the ICO requires notification under UK GDPR, we will do so within 72 hours of becoming aware, in line with statutory obligations.
8. Your rights under UK GDPR
Users have the right to access, correct, delete, and port their personal data, and to object to processing or restrict it in certain circumstances. To exercise any of these rights, email support@statementpro.co.uk. Most rights can be exercised immediately via Account Settings or the in-app dashboard; for requests not covered by the in-app flow, we respond within 7 working days. Users may also lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) if dissatisfied with how we handle their data.
9. Data processing agreement
A Data Processing Agreement is available on request for business and Enterprise customers. Bespoke DPA arrangements are available for Enterprise customers by agreement. Contact support@statementpro.co.uk to request a copy.
AX Studio Labs Ltd (Company No. 17076527)
17 Oxhayes Close, Balsall Common, Solihull, CV7 7PS, United Kingdom
Email: support@statementpro.co.uk · Web: statementpro.co.uk