Privacy Policy

Effective Date: January 28, 2025

Last Updated: February 16, 2026

Statement Desk ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal and financial information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

By using Statement Desk, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not use our service.

Information We Collect

Personal Information

  • Google Account Data: When you sign in with Google OAuth, we collect your name, email address, and profile picture
  • Contact Information: Email address for account management, support, and service-related communications
  • Usage Data: Information about how you interact with our service, including features used, processing history, and error logs
  • Device Information: Browser type, IP address, device type, and operating system for security and service optimization

Financial Data

  • Bank Statements: PDF files containing transaction history that you explicitly upload or select from Google Drive
  • Transaction Data: Transaction dates, amounts, descriptions, merchant names, and categories extracted from your statements
  • Account Information: Bank names and partial account numbers (last 4 digits only) for identification purposes
  • Financial Insights: Generated budgets, forecasts, spending patterns, and AI-powered analytics based on your transaction data

Google Workspace Data

  • Google Drive Access: Read-only access to PDF files you explicitly select for processing
  • Google Sheets Access: Read and write permissions to create and update spreadsheets for data export
  • Authentication Tokens: Encrypted OAuth tokens for maintaining secure access to Google services

How We Use Your Information

Primary Uses

  1. Process Bank Statements: Extract and analyze transaction data from PDF files using AI and traditional parsing methods
  2. Provide AI Services: Use Claude AI to categorize transactions, detect anomalies, and generate financial insights
  3. Export Data: Create and populate Google Sheets or other formats with your processed transaction data
  4. Generate Analytics: Create cash flow forecasts, budget recommendations, and spending trend analyses
  5. Enable Chat Features: Provide conversational AI assistance for financial queries about your data
  6. Account Management: Manage your subscription, authentication, and service preferences

Secondary Uses

  • Service Improvement: Analyze usage patterns to improve features and user experience
  • Security Monitoring: Detect and prevent fraudulent activity or unauthorized access
  • Customer Support: Respond to inquiries and provide technical assistance
  • Legal Compliance: Meet regulatory requirements and respond to legal requests

Google API Services User Data Policy

Statement Desk's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specific Google Permissions Used:

  • Google Drive (read-only): Access PDF files you explicitly select for processing
  • Google Sheets (read/write): Create and update spreadsheets for data export
  • Google Auth (openid, email, profile): Authenticate and maintain your secure session

Limited Use Disclosure:

Statement Desk complies with the Google API Services User Data Policy, including the following Limited Use requirements:

  1. We only use Google user data to provide and improve the user-facing features of Statement Desk (bank statement processing, data export to Google Sheets, and financial analytics). We do not use Google user data for any other purpose.
  2. We do not transfer Google user data to third parties except: (a) as necessary to provide or improve user-facing features (e.g., sending transaction data to Anthropic's Claude AI for categorization), (b) to comply with applicable laws, or (c) as part of a merger, acquisition, or asset sale with prior user notice.
  3. We do not use or transfer Google user data to serve ads, including retargeting, personalized advertising, or interest-based advertising.
  4. We do not allow humans to read Google user data unless: (a) you have given affirmative consent (e.g., requesting customer support), (b) it is necessary for security purposes (investigating abuse or security incidents), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized and used for internal operations.

No AI/ML Model Training:

We do not use Google user data to develop, improve, or train generalized AI or machine learning models. Any AI processing of your data (via Claude AI) is ephemeral and performed solely to provide you with the requested service functionality.

Google Data on Uninstall or Revocation:

If you uninstall Statement Desk or revoke Google account access, we will delete all Google user data (including OAuth tokens, Drive file references, and any cached Google account information) within 30 days. Processed transaction data that has been extracted and stored in your Statement Desk account is retained separately under the Data Retention section below.

How to Revoke Google Access:

You can revoke Statement Desk's access to your Google account at any time by visiting your Google Account Permissions page and removing Statement Desk from your authorized apps. You can also disconnect your Google account from within the Statement Desk application settings.

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share your information only in the following circumstances:

Service Providers

  • Anthropic (Claude AI): For AI-powered transaction processing and insights generation
  • Supabase: For secure database storage and authentication
  • Stripe: For payment processing (they receive only payment information, not financial statement data)
  • Google Cloud Platform: For infrastructure and OAuth services

Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:

  • Comply with legal obligations
  • Protect and defend our rights or property
  • Prevent fraud or illegal activity
  • Protect the safety of users or the public

Data Security

We implement industry-standard security measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control and multi-factor authentication
  • Regular Audits: Security assessments and vulnerability testing
  • Secure Infrastructure: SOC 2 compliant cloud infrastructure
  • Employee Training: Regular security awareness training for all team members
  • Incident Response: 24-hour breach notification policy

Data Retention

  • Active Accounts: We retain your data as long as your account is active
  • Financial Records: Transaction data is retained for 7 years to comply with financial regulations
  • Deleted Accounts: Personal data is deleted within 90 days of account closure, except where retention is required by law
  • Aggregated Data: We may retain anonymized, aggregated data indefinitely for analytics

Your Rights and Choices

You have the following rights regarding your personal information:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Data Portability: Export your transaction data in standard formats
  • Opt-out: Unsubscribe from marketing communications
  • Revoke Consent: Disconnect Google account access at any time

To exercise these rights, contact us at support@statementdesk.com.

International Data Transfers

Your information may be transferred to and processed in the United States where our servers are located. We ensure appropriate safeguards are in place for international transfers in compliance with applicable laws.

Children's Privacy

Statement Desk is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on your consent (Google OAuth authorization), contractual necessity (providing the service), and legitimate interests (security and service improvement)
  • Right to Access: Obtain a copy of all personal data we hold about you
  • Right to Rectification: Correct any inaccurate personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing

To exercise these rights, contact us at support@statementdesk.com. We will respond within 30 days.

California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know about personal information collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information.

Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we will provide additional notice via email or in-app notification.

Contact Information

For privacy questions, concerns, or to exercise your rights:

  • Email: support@statementdesk.com
  • Website: https://statementdesk.com