Privacy Policy

Last updated: June 9, 2026

1. Who We Are

This Privacy Policy describes how Craftled, MB ("Craftled", "we", "us", or "our") collects, uses, and protects personal data when you visit Tidy Statement at tidystatement.com, convert a bank statement, join the paid-plan waitlist, or contact us. For the broader agreement governing your use of Tidy Statement, see our Terms of Service.

Craftled, MB
Eduardo Andre 14-5, LT-02232 Vilnius, Lithuania
Registration: 305722486
VAT: LT100015273316

Craftled acts as the data controller for personal data collected through tidystatement.com. For privacy inquiries, contact privacy@tidystatement.com. Emails sent to addresses at tidystatement.com are received and handled by Craftled.

2. What Information We Collect

We collect the minimum information needed to operate Tidy Statement and protect it from abuse.

Information you provide directly

  • Uploaded files: the bank-statement PDF or image you submit for conversion, processed only to extract transaction data and return the result to you.
  • Extraction output: account holder, bank name, statement period, transaction dates, descriptions, amounts, balances, categories, and references detected in the uploaded file.
  • Waitlist signup: your email address, selected plan, interface language, and the request metadata needed to prevent repeated signup abuse.
  • Direct correspondence: any information you include when you email us.

Information collected automatically

  • Analytics data: anonymized page views, referrer, browser type, country-level geography, and device type, collected through our self-hosted Umami analytics. Umami does not use cookies and does not track individuals across sessions or sites.
  • Server and security logs: IP address, user agent, request path, response code, timestamp, and BotID verification results where needed for security, debugging, and abuse prevention.
  • Rate-limit and budget counters: IP-based extraction and waitlist counters, per-email waitlist counters, and hourly AI budget counters stored in Upstash Redis.
  • Extraction observability: one structured log line for successful extractions with operational metadata such as IP address, model used, AI Gateway generation ID, cost, token counts, transaction count, confidence score, warning count, and latency. This log does not include transaction descriptions, account numbers, balances, or uploaded files.
  • Language preference: a `lang` cookie stores your selected interface language for up to one year so the root page can redirect you to your preferred locale.

Information we do not collect or store

  • We do not store uploaded bank statements or extracted transaction data in a database.
  • We do not require an account to use the beta converter.
  • We do not currently process payments or store payment method details.
  • We do not use Google Analytics, Meta Pixel, or tracking pixels that profile individuals across the web.
  • We do not sell personal information or share it for cross-context behavioral advertising.

3. How We Use Information

We use the information we collect to:

  • Provide the converter, including reading the uploaded file, extracting transaction data, validating the result, and returning CSV-ready output.
  • Protect the Service from bots, abuse, fraudulent traffic, malformed uploads, and runaway AI costs.
  • Operate the website, route localized pages, serve metadata and sitemaps, and maintain security headers.
  • Understand aggregate product usage through cookie-free analytics. We do not build profiles of individual visitors.
  • Manage the paid-plan waitlist and respond to inquiries sent to support or privacy email addresses.
  • Debug errors, measure extraction quality and latency, and maintain service reliability without storing transaction content.
  • Comply with legal obligations and respond to lawful requests from authorities.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

4. Legal Basis for Processing

We process personal data on the following legal bases under the EU and UK General Data Protection Regulations:

  • Contract performance: processing uploaded statements and returning extraction results you request.
  • Consent: joining the paid-plan waitlist and receiving related launch updates.
  • Legitimate interest: protecting the Service from abuse, maintaining security logs, rate limiting, measuring aggregate usage, debugging failures, and responding to direct correspondence.
  • Legal obligation: maintaining records required by law and responding to lawful requests.

You may withdraw consent for waitlist emails at any time by contacting us at privacy@tidystatement.com.

5. Third-Party Processors

We use the following service providers to operate Tidy Statement. Each processes data only for the purposes described here and in its own data-processing commitments.

| Provider | Purpose | Location |
| --- | --- | --- |
| Vercel Inc. | Web hosting, CDN, Vercel BotID, server logs, and Vercel AI Gateway routing. | USA / EU |
| Anthropic | Primary AI model provider for extracting data from uploaded statements via the Vercel AI Gateway. | USA |
| Google | Fallback AI model provider for extracting data from uploaded statements via the Vercel AI Gateway. | USA / global |
| Upstash | Redis counters for rate limiting, waitlist email throttling, and the hourly AI budget bucket. | Configured cloud region |
| Umami, self-hosted by Craftled | Cookie-free analytics hosted at umami.craftled.com. | EU |
| GitHub | Source code repository and development workflow. No uploaded statements or extracted transaction data. | USA |

Where data is transferred outside the European Economic Area (EEA) or UK, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or other lawful transfer mechanisms.

6. AI Processing and Uploaded Statements

To extract transaction data, we send the uploaded file and extraction instructions to the Vercel AI Gateway, which routes the request to an AI model provider. Our current model chain uses Anthropic Claude as the primary provider, with Google Gemini as fallback. The providers process the file only to generate the extraction response and do not use it to train models.

Uploaded bank statements may contain financial information and other personal data. We process them only at your direction and only to provide the extraction result. Craftled does not retain uploaded files or extracted transaction data after the request completes.

Tidy Statement can request Zero Data Retention (ZDR) through the Vercel AI Gateway when that configuration is enabled for the deployment. When ZDR is not enabled, each AI provider's default retention policy may apply to API traffic for trust-and-safety or abuse-monitoring purposes, typically for a short period before deletion. We do not request or download provider-retained copies.

7. Cookies and Similar Technologies

Tidy Statement uses a single functional `lang` cookie to remember your language preference for up to one year. This cookie is used only so visits to the bare root path can redirect to your preferred locale. It is not used for advertising, analytics, or cross-site tracking.

Our Umami analytics are cookie-free. We do not use advertising cookies or tracking pixels.

8. Data Retention

  • Uploaded statements and extracted transaction data: processed in memory and not retained by Craftled after the request completes.
  • AI provider traffic: subject to the ZDR setting and provider retention policy described above.
  • Rate-limit and hourly budget counters: retained only for the relevant short window, typically hours, before expiring automatically.
  • Language cookie: retained for up to one year unless you clear it sooner.
  • Waitlist email and related signup metadata: retained until we launch paid plans, process your deletion request, or no longer need the waitlist.
  • Server, security, analytics, and structured operational logs: retained only as long as reasonably needed for security, debugging, analytics, abuse prevention, and legal compliance. These logs do not include uploaded statements or transaction content.

9. Waitlist Emails

If you voluntarily join our waitlist, we store the email address you provide, together with the selected plan and interface language, for the purpose of notifying you when paid plans launch and managing interest in those plans. You can request deletion at any time by contacting us.

10. Your Rights

If you are in the European Economic Area or United Kingdom, you have the right to access, rectify, or erase any personal data we hold about you, to restrict or object to its processing, and to data portability. Since extracted transaction data is not retained, most of these rights apply only to waitlist email addresses and operational metadata.

If you are a California resident, you may have rights to know what personal information we collect, use, and disclose, request deletion or correction, opt out of sale or sharing, and avoid discrimination for exercising your rights. We do not sell personal information or share it for cross-context behavioral advertising. We honor Global Privacy Control signals where applicable and do not currently respond to traditional Do Not Track browser signals.

To exercise any right, email privacy@tidystatement.com. We may request reasonable verification of your identity before fulfilling a request.

11. International Data Transfers

Some providers are located outside the EEA and UK, notably in the United States. Where this occurs, we rely on Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable, or other lawful transfer mechanisms.

12. Children's Privacy

Tidy Statement is not directed at children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided personal data to us, contact privacy@tidystatement.com and we will delete it where required.

13. Security

We protect personal data using reasonable technical and organizational measures, including:

  • TLS encryption in transit for all connections.
  • In-memory processing for uploaded statements, with no transaction database.
  • Vercel BotID protection on the extraction and waitlist APIs.
  • Upstash-backed rate limits and an hourly AI budget kill-switch to reduce abuse risk.
  • Magic-byte validation before AI processing to reject malformed or mismatched files.
  • Strict security headers, including HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
  • Access controls limiting administrative access to authorized personnel.

No internet transmission or storage system is completely secure. We cannot guarantee absolute security, but we apply reasonable measures consistent with the nature of the Service.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes may be communicated by a notice on tidystatement.com or by email where we have an email address for you.

15. Contact

If you have any questions about this Privacy Policy or want to exercise your data rights, please contact us at privacy@tidystatement.com.