Privacy Policy

This Privacy Policy (the “Policy”) describes the categories of information collected, derived, retained, processed, and disclosed by the operator of the website through which this Policy is made available (the “Operator”, “we”, “us”, or “our”) in connection with the operation of the website and the statement-parsing service made available thereon (collectively, the “Service”). This Policy is incorporated by reference into, and forms an integral part of, the Terms of Service published at /terms (the “Terms”). Capitalized terms used herein and not otherwise defined shall have the meanings ascribed to them in the Terms.

By accessing the Service, uploading any Content, or submitting any Email Identifier, you acknowledge that you have read, understood, and agreed to be bound by this Policy. If you do not agree, your sole and exclusive remedy is to discontinue Use of the Service. In the event of any conflict between this Policy and the Terms with respect to the existence, scope, irrevocability, or duration of the Diagnostic License or the Operator's status as an independent controller, the Terms shall control.

For purposes of this Policy, the following capitalized terms shall have the meanings set forth below; terms defined in Article 2 of the Terms (including “Content”, “Diagnostic Corpus”, “Diagnostic Purposes”, “Extracted Data”, “Output”, “Service”, and “Site”) carry the same meanings here:

“Personal Information”

Information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular natural person or household, as such term is defined under the California Consumer Privacy Act of 2018 and analogous state statutes; and, as the context requires, “personal data” as defined under Regulation (EU) 2016/679 (the “GDPR”) and the United Kingdom General Data Protection Regulation.

“Sensitive Personal Information”

The subset of Personal Information consisting of categories afforded heightened protection under applicable privacy law, including without limitation government-issued identifiers, precise geolocation, financial-account credentials, contents of communications, and similar categories.

“Processing”

Any operation or set of operations performed upon Personal Information or other data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

“Telemetry”

Operational, technical, and diagnostic data emitted by your interaction with the Service, including IP address, user-agent string, request timestamps, request headers, response codes, parse durations, parser version identifiers, error traces, and any other information generated as an incident of your access to the Service.

“Service Provider”

A third party engaged by the Operator to perform discrete functions in connection with the Service (including cloud-infrastructure providers, email-delivery providers, and security providers) and bound by contractual obligations restricting its use of information to those purposes.

We collect the following categories of information directly from you, in each case only as and when you submit them to the Service:

1. Content. Any file you upload to the Service, including, in particular, PDF, OFX, QFX, and image-based bank-account, brokerage-account, and credit-card statements, together with any data, metadata, headers, footers, watermarks, comments, embedded fonts, embedded images, embedded form data, embedded scripts, embedded files, and document-property fields appearing in or associated with such file.
2. Email Identifier. The electronic-mail address you provide at the time of Use for the purpose of receiving Output and related transactional communications.
3. Format and Delivery Preferences. The export format you select (CSV, XLSX, QBO, OFX, or successor formats) and any related delivery preferences you specify.
4. Opt-In Indications. Where the Service solicits affirmative opt-in to non-transactional communications, your affirmative or negative response and the date and time thereof.
5. Voluntary Submissions. Any other information you voluntarily transmit to the Service, including, without limitation, Feedback as defined in the Terms.

You are not obligated to submit any of the foregoing information; however, the Service cannot deliver Output to you without Content and an Email Identifier, and the submission of Content irrevocably triggers the Diagnostic License granted under Article 7 of the Terms.

We, and certain Service Providers acting on our behalf, collect Telemetry automatically when you interact with the Service. Telemetry may include, without limitation:

1. Network and device identifiers, including Internet Protocol address, autonomous-system number, approximate geolocation derived therefrom, user-agent string, accept-language and accept-encoding headers, screen dimensions, and device-class indicators;
2. Request and response metadata, including HTTP method, request path, request and response sizes, response codes, response latency, and timestamps;
3. Service-specific telemetry, including upload file size, file format, parser version invoked, parse duration, parse outcome, error class and stack trace (where applicable), and the identifier of the processing artifact generated;
4. Session indicia, including identifiers used to associate sequential requests with a single browsing session and, where applicable, with a single Email Identifier; and
5. Such additional operational, security, and abuse-prevention signals as we may from time to time determine to be necessary to the operation, integrity, security, and improvement of the Service.

Telemetry is collected as a necessary incident of Service operation, may be combined with Content and Extracted Data, may be retained within the Diagnostic Corpus, and may be used for any of the Purposes set forth in Article 6 below.

We derive additional information from the Content and Telemetry described above, including, without limitation: (a) Extracted Data, comprising the structured tabular representation of transactions, dates, amounts, descriptions, balances, account identifiers, currency codes, and inferred classifications produced by the parser; (b) layout, typographic, and schematic features extracted from Content for the purpose of heuristic and machine-learning parsing strategies; (c) model parameters, embeddings, weights, fine-tuning artifacts, and similar derivative computational objects produced from Content and Extracted Data; (d) aggregated and statistical reports concerning parser accuracy, format coverage, error frequency, and comparable engineering metrics; and (e) inferences regarding the issuing institution, statement period, account type, currency denomination, and other statement attributes.

You acknowledge and agree that all such derived information is the property of the Operator, that the Operator's rights therein are not subject to any right of access, correction, deletion, portability, or restriction asserted in respect of the underlying Content, and that the Operator may continue to maintain, use, distribute, and exploit such derived information notwithstanding any subsequent withdrawal, objection, or rights request directed at the underlying Content.

We Process the foregoing categories of information for one or more of the following purposes (collectively, the “Purposes”):

1. To operate the Service and deliver Output to you;
2. To transmit transactional electronic mail relating to your Use of the Service, including download links, verification messages, and operational notices;
3. To carry out Diagnostic Purposes (as defined in the Terms), including debugging, regression testing, accuracy benchmarking, error analysis, performance measurement, parser tuning, heuristic development, model training, model evaluation, and format coverage expansion;
4. To detect, investigate, prevent, and respond to fraud, abuse, security incidents, denial-of-service activity, infringement, and other unlawful or harmful conduct;
5. To enforce the Terms, including the prohibited-use provisions thereof, and to defend, prosecute, or settle actual or threatened claims involving the Service;
6. To comply with legal, regulatory, governmental, judicial, or self-regulatory obligations, including the response to legal process and the maintenance of records mandated by applicable law;
7. To effect, evaluate, or consummate a merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, sale of assets, or transition of service to another provider, as further described in Article 11; and
8. Where you have provided affirmative opt-in, to send non-transactional communications regarding the Service, until such time as you withdraw your opt-in.

7.1 Composition. The Diagnostic Corpus consists of Content, Extracted Data, Telemetry, derivative artifacts, and associated metadata retained by the Operator for Diagnostic Purposes. The Diagnostic Corpus is the foundational asset of the Operator's engineering practice and is the consideration in exchange for which the Service is made available without monetary charge.

7.2 Retention. Information comprised within the Diagnostic Corpus is retained for such period as the Operator deems necessary to its engineering objectives, which period may be indefinite. The Operator is under no obligation to expire, age out, minimize, or aggregate information within the Diagnostic Corpus on any particular timeline, and any representation as to retention period made in any marketing or informational material outside this Policy and the Terms is hereby superseded.

7.3 No Opt-Out; No Withdrawal. Consistent with Sections 4.4 and 7.6 of the Terms, there is no mechanism by which you may use the Service while opting out of inclusion in the Diagnostic Corpus, and once Content has been submitted, you have no right to require its removal, expungement, or quarantine. The sole means of avoiding inclusion in the Diagnostic Corpus is to refrain from uploading Content.

7.4 Internal Use; Limited Disclosure. The Diagnostic Corpus is used internally by the Operator and is disclosed only (a) to bona fide Service Providers bound by written confidentiality obligations no less protective than those customary in the industry, (b) as compelled by legal process or required by law pursuant to Article 11, and (c) in connection with a successor transaction as described in Article 11. The Operator does not sell, rent, or lease the Diagnostic Corpus or any individual Content item to any third party.

7.5 Aggregated and De-Identified Outputs. The Operator may generate and freely publish, distribute, and exploit aggregated, statistical, and de-identified outputs derived from the Diagnostic Corpus, provided that no such output shall identify any individual User or reproduce any individual Content item in human-readable form. Such outputs are not Personal Information for purposes of this Policy.

Where the GDPR, the United Kingdom General Data Protection Regulation, or an analogous regime applies to our Processing of your Personal Information, we rely on one or more of the following legal bases:

1. Performance of a contract to which you are party, in respect of the operation of the Service, the delivery of Output, and the transmission of transactional electronic mail (Article 6(1)(b) GDPR);
2. Our legitimate interests, in respect of the maintenance and exploitation of the Diagnostic Corpus, the improvement of the parser, the security and integrity of the Service, the prevention and investigation of fraud and abuse, the enforcement of the Terms, and the defense, prosecution, or settlement of claims (Article 6(1)(f) GDPR). We have conducted a balancing assessment and concluded that, on the basis of the disclosures set forth in this Policy and the Terms, the structural integration of the Diagnostic License into the bargain, the absence of monetary consideration, and the absence of any reasonable expectation of confidentiality predicated upon those disclosures, our legitimate interests are not overridden by the interests, rights, or freedoms of data subjects;
3. Compliance with a legal obligation to which we are subject, in respect of disclosures compelled by law (Article 6(1)(c) GDPR);
4. Your consent, in respect of non-transactional communications you have affirmatively opted in to receive, which consent you may withdraw at any time through the unsubscribe mechanism provided in each such communication (Article 6(1)(a) GDPR); and
5. Such other legal basis as may from time to time apply to any particular Processing activity.

In respect of Sensitive Personal Information, we do not solicit such information and request that you redact it from Content prior to upload to the extent required by applicable law; submission of Sensitive Personal Information you have not lawfully authorized for Processing is a breach of the Terms.

The Operator Processes Content, Extracted Data, Telemetry, and other information described in this Policy as an independent controller (or analogous principal under any applicable regime), for its own legitimate engineering interests as described in this Policy and the Terms, and not as a processor, service provider, sub-processor, business associate, or comparable intermediary acting on your behalf. Consistent with Section 7.7 of the Terms, the Operator will not enter into any data-processing agreement, business-associate agreement, standard contractual clauses, joint-controller arrangement, data-transfer impact assessment, or comparable instrument as a condition of the Service, and any such instrument tendered to the Operator shall be of no force or effect.

You are solely responsible for (a) determining the lawfulness of your submission of any particular Content; (b) obtaining and maintaining any consent, authorization, or notice required of you in respect of such submission and of the Operator's Processing for the Purposes; (c) responding to any data-subject or consumer-rights request directed to you in respect of the Content; and (d) maintaining records sufficient to demonstrate your compliance with the foregoing.

We disclose information described in this Policy only to the following categories of recipients, in each case subject to such confidentiality and security undertakings as we determine appropriate to the circumstances:

1. Internal personnel of the Operator and of its affiliates with a need to access such information for purposes consistent with this Policy;
2. Service Providers engaged to provide cloud infrastructure, email delivery, monitoring, security, abuse prevention, error reporting, analytics, and comparable functions in support of the Service;
3. Professional advisors of the Operator, including accountants, auditors, and counsel, bound by ethical or contractual duties of confidentiality;
4. Governmental, judicial, regulatory, or self-regulatory authorities, as further described in Article 11;
5. Counterparties, advisors, and prospective acquirors in connection with a successor transaction, as further described in Article 11; and
6. Any other recipient to whom you direct disclosure or in respect of whom you have provided affirmative authorization.

The Operator does not sell, rent, lease, exchange for consideration, share for cross-context behavioral advertising, or otherwise disclose Personal Information for monetary or other valuable consideration, and has not done so within the twelve (12) months preceding the effective date of this Policy.

11.1 Legal Process; Lawful Requests. We may disclose information described in this Policy in response to subpoenas, court orders, search warrants, civil-investigative demands, regulatory inquiries, national-security-related requests, or other legal process; in response to lawful requests by governmental authorities; to comply with applicable law; to enforce the Terms; to protect the rights, property, safety, or security of the Operator, its personnel, its Users, or the public; or to defend, prosecute, settle, or otherwise resolve actual or threatened claims. The Operator is under no obligation to notify you of, or to challenge on your behalf, any such disclosure, and may comply with any process facially valid on its face without independent investigation as to its merits.

11.2 Successor Transactions. In the event of a merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, sale of assets (in whole or in part), transition of service to another provider, or comparable corporate transaction, all information described in this Policy, including the Diagnostic Corpus in its entirety, may be transferred, sold, assigned, or otherwise conveyed to the counterparty, successor, acquiror, or assignee, which shall thereafter be entitled to Process such information subject to this Policy or any successor policy reasonably comparable hereto.

The Service is operated using infrastructure that may be located in the United States and in such other jurisdictions as the Operator may from time to time determine. By Using the Service, you understand and consent to the transfer of your information to, and the Processing of your information in, jurisdictions that may afford lesser protections to Personal Information than the jurisdiction of your residence, including, where applicable, the United States and jurisdictions deemed by the European Commission or by comparable authorities to lack adequate data-protection standards. Consistent with Article 9, the Operator does not enter into standard contractual clauses, transfer impact assessments, or comparable cross-border-transfer instruments, and relies upon your informed consent under Article 49(1)(a) GDPR (or analogous provision) as a transfer mechanism to the extent the same is required.

13.1 Content; Extracted Data; Telemetry.Indefinite, as described in Section 7.2.

13.2 Output and Download Hyperlinks. Ephemeral. Output is made available for download for such period as the Operator may from time to time determine, and download hyperlinks may expire without notice in accordance with Section 8.3 of the Terms.

13.3 Email Identifier. Retained for so long as reasonably necessary to deliver Output and any opted-in non-transactional communications, to detect and prevent abuse, and to defend against claims, and thereafter for such additional period as the Operator may determine appropriate.

13.4 Records of Legal and Regulatory Significance. Retained for the period required by applicable law or, where no specific period is prescribed, for so long as the Operator determines necessary to its legal, regulatory, or evidentiary interests.

13.5 No Affirmative Deletion Schedule.Notwithstanding any of the foregoing, the Operator is under no obligation to implement, maintain, or adhere to any affirmative deletion or data-minimization schedule, and reserves the right to retain any information described in this Policy for such longer period as it deems appropriate.

We implement such technical and organizational measures as we determine reasonable in light of the nature of the Service and the absence of monetary consideration. Notwithstanding the foregoing, no system is impervious to compromise, and consistent with Article 15 of the Terms, we make no representation, warranty, or guarantee that information described in this Policy will not be lost, accessed without authorization, intercepted, altered, destroyed, or disclosed, and we expressly disclaim all liability for any such event to the maximum extent permitted by applicable law.

You are responsible for taking commercially reasonable precautions to protect the Email Identifier you submit, including by maintaining the security of the underlying email account, and we shall have no liability arising from compromise of any such account or interception of download hyperlinks transmitted thereto.

The Service is not directed to, and the Operator does not knowingly permit Use of the Service by, any individual under the age of eighteen (18). Consistent with Article 12 of the Terms, any such Use is strictly prohibited. The Operator does not knowingly collect Personal Information from individuals under the age of thirteen (13) and disclaims any role as an operator of a website or online service directed to children within the meaning of the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.

The Service may employ cookies, local-storage entries, session-storage entries, and comparable client-side state mechanisms for purposes including, without limitation, maintaining session continuity, effecting basic functionality (such as preserving the Email Identifier across a multi-step upload), and capturing Telemetry. The Operator does not employ cross-site advertising cookies, behavioral- advertising pixels, or third-party trackers maintained for the purpose of cross-context behavioral advertising, and undertakes no obligation to display a granular cookie-consent banner beyond what is required by applicable law.

You may configure your browser to refuse, delete, or be notified of cookies; however, certain features of the Service may not function correctly in the absence of such state. Any such impairment is your sole responsibility and shall not give rise to any claim against the Operator.

The parsing operations conducted upon Content are wholly automated and may employ heuristic, rule-based, and machine-learning techniques. The Output produced thereby is not subject to human review prior to delivery. To the extent any applicable regime confers a right to obtain human intervention in respect of automated processing producing legal or similarly significant effects, the Operator's position is that the Output produced by the Service does not, of itself, produce any such effect, and that any consequence flowing from your reliance upon Output is attributable to your decision to so rely, not to the Service.

18.1 Categories Collected. In the twelve (12) months preceding the effective date of this Policy, the Operator has collected the following categories of Personal Information about California residents: identifiers (Email Identifier, IP address); commercial information (the existence and nature of your Use); internet or other electronic-network activity information (Telemetry); inferences drawn from the foregoing; and, embedded within Content, such additional categories of Personal Information as you may have voluntarily submitted, which may include financial information and, depending upon the content of your statements, additional identifiers and characteristics. The sources of such information are described in Articles 3 through 5.

18.2 Purposes; Retention. The Operator collects such Personal Information for the Purposes set forth in Article 6 and retains it for the periods set forth in Article 13.

18.3 No Sale; No Sharing for Cross-Context Behavioral Advertising. The Operator does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

18.4 Rights; Limitations. Subject to verification of identity and to the limitations and exceptions set forth in applicable law and in Section 14.3 of the Terms, a California resident may, where the Operator has published a contact channel for the purpose, request to know the categories and specific pieces of Personal Information the Operator has collected; request deletion; request correction; and exercise the right to limit the use of Sensitive Personal Information. The Operator may deny any request to the extent that honoring the request would impair the integrity, completeness, or utility of the Diagnostic Corpus, would require deletion of derived information as described in Section 5, or would conflict with a statutory exemption, including the exemptions applicable to information necessary to detect security incidents or to debug, identify, and repair errors that impair existing intended functionality. The Operator will not discriminate against any individual for exercising any right afforded by applicable California law.

18.5 Authorized Agents. An authorized agent may exercise rights on behalf of a California resident upon submission of evidence reasonably satisfactory to the Operator of (a) the agent's authorization to act on the resident's behalf and (b) the resident's identity.

19.1 Controller. The Operator is the controller of Personal Information collected through the Service.

19.2 Rights of Data Subjects. Subject to the conditions and limitations set forth in applicable law and in Section 14.3 of the Terms, you may, where the Operator has published a contact channel for the purpose, exercise the rights of access, rectification, erasure, restriction, portability, and objection in respect of Personal Information concerning you. The Operator may decline any such request to the extent that honoring the request would (a) impair the integrity, completeness, or utility of the Diagnostic Corpus, (b) require deletion or alteration of derived information as described in Section 5, (c) conflict with the Operator's overriding legitimate interests as identified in Section 8, or (d) be otherwise permitted or required by applicable law.

19.3 Withdrawal of Consent. Where Processing is based on your consent, you may withdraw such consent at any time, without affecting the lawfulness of Processing prior to withdrawal. Withdrawal of consent in respect of non-transactional communications shall not constitute withdrawal of consent in respect of, or otherwise affect, the Diagnostic License or any Processing based on legitimate interests or contractual necessity.

19.4 Supervisory Authority. You have the right to lodge a complaint with the data-protection supervisory authority of your country of residence. A list of European supervisory authorities is maintained by the European Data Protection Board.

19.5 Article 22 GDPR. The position set forth in Article 17 of this Policy applies to any assertion of rights under Article 22 GDPR (automated individual decision-making).

Residents of jurisdictions that have enacted comprehensive privacy statutes comparable to those of California and the European Union (including, without limitation, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Delaware, and Iowa within the United States; Brazil under the Lei Geral de Proteção de Dados; Canada under the Personal Information Protection and Electronic Documents Act and provincial analogues; and other comparable regimes) shall be afforded the substantive rights conferred by such statutes, subject in each case to the verification, exception, and procedural requirements set forth therein, to the limitations identified in Sections 18.4, 19.2, and 14.3 of the Terms, and to the availability of a published contact channel as contemplated by Section 22 below.

The Operator does not modify its Processing in response to “Do Not Track” signals transmitted by browsers, as no industry consensus exists as to the meaning thereof. The Operator may, in its sole discretion and where required by applicable law (including, in respect of California residents, the California Privacy Rights Act), treat Global Privacy Control signals as a request to opt out of the “sale” or “sharing” of Personal Information; however, because the Operator does not engage in sale or sharing as defined therein (see Section 18.3), the practical effect of such a signal is null.

Consistent with Article 27 of the Terms, the Operator has not published, and is under no obligation to publish, a contact channel for the receipt of data-subject-rights requests, privacy inquiries, or comparable communications. Any communication transmitted to the Operator in the absence of a channel expressly designated by the Operator for the purpose in question (a) shall be of no legal effect, (b) shall not constitute a valid request for purposes of any statutory rights regime, and (c) shall not toll any statutory response deadline. The Operator may, at any time and in its sole discretion, designate, withdraw, or modify any such channel, and any change shall be effective upon posting. To the extent applicable law deems a request valid notwithstanding the absence of a published channel, the Operator's response shall be governed by the limitations set forth in this Policy and in the Terms.

The Operator may revise this Policy from time to time by posting a revised version on the Site, accompanied by an updated effective date. Any such revision shall become binding upon you upon the earlier of (a) your continued Use of the Service following the posting of the revised Policy and (b) the thirtieth (30th) day following such posting. It is your responsibility to review this Policy periodically. If any revision is unacceptable to you, your sole and exclusive remedy is to discontinue all Use of the Service. Revisions to this Policy shall not (i) require deletion of information collected under any prior version, (ii) limit the Operator's continuing use of the Diagnostic Corpus, or (iii) revive any consent previously withdrawn in respect of non-transactional communications.

If any provision of this Policy is held by a competent authority to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to render it valid, legal, and enforceable, or, if such modification is not feasible, shall be severed from this Policy, and the remaining provisions shall continue in full force and effect. Headings are inserted for convenience only. The words “include”, “includes”, and “including” shall be deemed to be followed by the phrase “without limitation”. Ambiguities shall not be construed against the drafter. In the event of any conflict between this Policy and the Terms as to any matter of substantive right or obligation, the Terms shall control.

By Using the Service, you acknowledge and represent that (a) you have read this Policy in its entirety, that you understand it, and that you agree to be bound by it; (b) you understand that submission of Content irrevocably licenses such Content to the Operator for inclusion in the Diagnostic Corpus and for use for Diagnostic Purposes, that such licensing is the consideration for the Service, and that there is no opt-out short of non-use; (c) you understand that the Operator acts as an independent controller of your information and may decline data-subject-rights requests on the bases set forth herein; (d) you understand that the Operator has not published, and is under no obligation to publish, a contact channel for the exercise of rights or for any other purpose; and (e) you waive any defense to the enforceability of this Policy premised on the absence of an opt-in checkbox, the standardized nature of this Policy, the manner of its presentation, or the speed with which the Service can be initiated.