Privacy Policy
Last updated: February 16, 2026
This Privacy Policy explains how StatementSwift ("we", "us", "our") collects, uses, and protects information when you visit our marketing site at www.statementswift.com or use our product app at app.statementswift.com.
1. Information We Collect
Account information
When you create an account on the product app, we collect your email address and basic profile information provided through email one-time-password (OTP) or Google OAuth sign-in.
Uploaded files
When you convert a bank statement, your PDF is uploaded to Azure Storage via a signed, time-limited URL. Uploaded files are used solely for extraction processing and are not shared with third parties.
Extracted data
Transaction data extracted from your statements is stored in our database and linked to your account. This includes dates, descriptions, amounts, balances, and related metadata.
Analytics and telemetry
With your consent, we collect aggregated usage and performance data through:
- Vercel Analytics & Speed Insights — page-level performance and usage metrics.
- Microsoft Clarity — session recordings and heatmaps for UX improvement.
All analytics are consent-gated and can be declined via the cookie banner.
Anti-abuse controls (free preview)
The free preview converter on this marketing site collects:
- An anon_user_id httpOnly cookie to enforce per-session preview limits.
- A browser fingerprint identifier (statementSwift.visitorId in localStorage) for rate limiting.
- IP address (hashed, not stored in readable form) processed via Upstash Redis for abuse detection.
These signals are used for service protection only, not for advertising or tracking.
2. How We Use Your Information
- Provide and maintain the conversion service.
- Process billing and enforce subscription quotas.
- Respond to support inquiries.
- Improve product reliability and user experience (with consent).
- Prevent abuse and enforce usage limits.
3. Sub-processors & Third Parties
We share data with the following service providers as necessary to operate the service:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Auth, database | Email, profile, conversion data |
| Microsoft Azure | File storage, AI extraction | Uploaded PDFs, extraction results |
| Polar | Billing (Merchant of Record) | Email, subscription/payment data |
| Vercel | Hosting, analytics | Aggregated usage data (with consent) |
| Microsoft Clarity | UX analytics | Session recordings (with consent) |
| Upstash | Rate limiting, job scheduling | Hashed IP, request counters |
| Resend | Transactional email | Email address, message content |
4. Data Retention
- Account data: Retained while your account is active. Deleted upon account deletion request.
- Uploaded PDFs: Stored in Azure for the duration needed to complete extraction. We do not guarantee automatic deletion — contact us to request file removal.
- Conversion data: Retained while your account is active for History and download access.
- Anti-abuse data: Rate-limit counters in Upstash Redis expire automatically (typically within 24 hours).
- Analytics: Retained per each provider's standard retention policy.
5. Cookies & Local Storage
| Name | Type | Purpose | Duration |
|---|---|---|---|
| anon_user_id | httpOnly cookie | Free preview session identity | Session |
| statementSwift.visitorId | localStorage | Abuse prevention fingerprint | Persistent |
| cookie-consent | localStorage | Your analytics consent preference | Persistent |
| sb-* | localStorage | Supabase auth session (product app) | Session |
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict processing.
- Data portability (receive your data in a machine-readable format).
- Withdraw consent for analytics at any time via the cookie banner.
California residents (CCPA): You have the right to know what personal information is collected, request its deletion, and opt out of any sale of personal information. We do not sell personal information.
7. Security
All data is encrypted in transit via TLS. Uploaded files are transferred using time-limited, signed URLs. Database access is governed by row-level security policies ensuring users can only access their own data. Billing webhook payloads are verified using HMAC-SHA256 signatures.
8. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page will be revised accordingly. Continued use of the service after changes constitutes acceptance.
9. Contact
For privacy questions or to exercise your rights, email us at privacy@updates.statementswift.com or use our .