Privacy Policy

Last updated: February 11, 2026

1. Introduction

BankRead ("we", "us", or "our") operates the website bankread.ai and the BankRead application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

2. Information We Collect

Account Information

When you create an account, we collect your full name, email address, and an encrypted password. You may optionally provide an organization name.

Uploaded Documents

When you upload PDF bank statements, the documents are processed in memory to extract transaction data. We do not store your uploaded PDFs or the raw file contents on our servers. Once processing is complete, the file data is discarded.

Usage Data

We collect information about how you interact with the Service, including pages processed, features used, timestamps, and general usage statistics for billing and service improvement.

3. How We Use Your Information

  • To provide and maintain the Service, including processing your bank statement PDFs
  • To manage your account, subscriptions, and billing
  • To communicate with you about your account, support requests, or service updates
  • To enforce our Terms of Service and protect against misuse
  • To improve and develop new features for the Service

4. Third-Party Services

We use the following third-party services to operate BankRead:

  • Stripe: Payment processing and subscription billing. Stripe processes your payment card details directly; we do not store card numbers. See Stripe's Privacy Policy.
  • Anthropic (Claude API): AI-powered transaction extraction and categorization. Document content is sent to Anthropic for processing. See Anthropic's Privacy Policy.
  • Resend: Transactional email delivery (password resets, notifications).
  • Vercel: Frontend hosting and deployment.
  • Cloudflare: DNS, CDN, and DDoS protection.
  • Hetzner: Backend server hosting (located in data centers with ISO 27001 certification).

5. Cookies and Local Storage

BankRead uses the following cookies and browser storage:

  • Session cookie (essential): A secure, HTTP-only JWT cookie set by NextAuth.js to maintain your authenticated session.
  • CSRF token cookie (essential): Protects against cross-site request forgery attacks.
  • cookie-consent (localStorage): Stores your cookie consent preference ("all" or "necessary").

We do not use third-party tracking cookies, analytics cookies, or advertising cookies.

6. Data Retention and Deletion

  • Uploaded PDFs: Processed in memory and immediately discarded. Never written to disk.
  • Account data: Retained while your account is active. You may request deletion at any time.
  • Usage logs: Retained for up to 12 months for billing and service improvement, then deleted.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

GDPR (European Economic Area)

Right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data.

PIPEDA (Canada)

Right to access your personal information, request corrections, and withdraw consent for non-essential processing.

CCPA (California, USA)

Right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell your personal information.

To exercise any of these rights, contact us using the form below.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including encrypted connections (TLS), hashed passwords, optional two-factor authentication (TOTP), and access controls. However, no method of electronic storage or transmission is 100% secure.

9. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please reach out: