Privacy Policy

Effective Date: 8 March 2026 · Last Updated: 8 March 2026

This Privacy Policy explains how Vertial Holdings Pty Ltd (ABN 72 629 494 926), trading as Bank-statements.co ("we", "us", "our"), collects, uses, discloses, and protects your personal information when you use our website at https://www.bank-statements.co ("Site") and our bank statement conversion services ("Services").

We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Information We Collect

1.1 Personal Information

When you create an account or use our Services, we may collect:

  • Identity data: Name, email address, profile picture (via Clerk authentication)
  • Payment data: Billing information processed securely by Stripe. We do not store your full credit card number.
  • Account data: User ID, subscription status, credit balance, API key usage
  • Communication data: Emails you send us, support requests, feedback

1.2 Uploaded Documents

When you upload bank statement PDFs for conversion, we process the file contents to extract transaction data. Uploaded files and converted output are retained on our servers only for as long as needed to provide the Service. You can delete your files at any time from your dashboard. We do not analyse your financial transaction data beyond what is necessary to complete the conversion.

1.3 Technical Data

We automatically collect:

  • IP address, browser type, operating system
  • Pages visited, time spent, referral source
  • Device information and screen resolution

2. How We Use Your Information

We use your personal information to:

  • Provide and maintain our bank statement conversion Services
  • Process payments and manage your account and credit balance
  • Send transactional emails (account confirmations, credit notifications, receipts)
  • Send marketing communications (only with your consent; you can unsubscribe at any time)
  • Monitor and improve the security, performance, and reliability of our Services
  • Comply with legal obligations
  • Detect and prevent fraud or misuse

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal basis for processing your data includes:

  • Contract: Processing necessary to provide our Services to you
  • Consent: Marketing communications and non-essential cookies
  • Legitimate interests: Improving our Services, security monitoring, fraud prevention
  • Legal obligation: Tax reporting, responding to lawful requests

4. Third-Party Services

We use the following third-party services that may process your data:

  • Clerk — Authentication and user management (receives: name, email, profile picture)
  • Stripe — Payment processing, PCI DSS Level 1 compliant (receives: billing details, payment method)
  • Amazon Web Services (AWS) — Cloud infrastructure and file processing (receives: uploaded files for processing)
  • Google Gemini AI — Document parsing and data extraction (receives: uploaded file content; no data is retained by Google for training purposes)
  • Umami Analytics — Privacy-focused website analytics, self-hosted (no personal data collected)
  • Crisp — Live chat and customer support (receives: messages you send, email if provided)
  • Klaviyo — Email marketing, with your consent only (receives: email address)
  • Resend — Transactional email delivery (receives: email address, email content)
  • Sentry — Error monitoring and performance tracking (receives: technical data, IP address)

We share only the minimum data necessary for each service to function. Each service's privacy policy (linked above) governs its use of your data.

5. Data Security

We take the security of your data seriously and implement the following measures:

  • Encryption in transit: All data is transmitted over HTTPS using TLS 1.2+
  • Encryption at rest: Uploaded files and stored data are encrypted using AES-256
  • File management: You can delete your uploaded files and converted output at any time from your dashboard
  • Access controls: Only authorised personnel have access to user data
  • Secure authentication: Managed by Clerk with industry-standard security practices
  • Payment security: All payment data is handled by Stripe (PCI DSS Level 1 certified)
  • Breach notification: In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under Part IIIC of the Privacy Act 1988 (Notifiable Data Breaches scheme). For EU/UK users, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.

6. Data Retention

  • Account data: Retained for as long as your account is active, plus 12 months after deletion
  • Uploaded files: Retained only for as long as needed to provide the Service; you can delete them at any time from your dashboard
  • Converted output files: Retained until you delete them from your dashboard
  • Payment records: Retained for 7 years as required by Australian tax law
  • Analytics data: Aggregated and anonymised; retained indefinitely

7. Cookies

We use cookies for:

  • Essential cookies: Session management, authentication (required for the Site to function)
  • Analytics cookies: Umami privacy-focused analytics (no personal data)
  • Third-party cookies: Crisp live chat, Klaviyo email tracking

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using our Services.

8. Cross-Border Data Transfers

Your data may be processed in countries outside of Australia, including the United States (where our cloud infrastructure and some third-party services are located). Where we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses and compliance with the APPs regarding cross-border disclosure.

9. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal retention obligations)
  • Portability: Request your data in a structured, machine-readable format (GDPR)
  • Objection: Object to processing based on legitimate interests (GDPR)
  • Withdraw consent: Withdraw consent for marketing communications at any time
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, contact us at info@bank-statements.co. We will respond to your request within 30 days (or 45 days for CCPA requests, with notice of extension if needed).

10. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

11. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: You may request deletion of your personal information, subject to certain legal exceptions.
  • Right to opt-out of sale: We do not sell your personal information to third parties. If this changes, we will provide a "Do Not Sell My Personal Information" link.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Categories of personal information collected in the past 12 months: Identifiers (name, email), commercial information (purchase history, credit balance), internet activity (pages visited, device info), and financial information (processed via Stripe — we do not store card numbers).

To exercise your CCPA rights, contact us at info@bank-statements.co.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our Site at least 14 days before they take effect. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.

13. Data Processing Agreement

If you process personal data using our Services on behalf of others (e.g., as an accountant or bookkeeper processing client bank statements), our Data Processing Agreement (DPA) applies and forms part of these terms.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Vertial Holdings Pty Ltd (ABN 72 629 494 926)
  • Trading as Bank-statements.co
  • Sydney, New South Wales, Australia
  • Email: info@bank-statements.co