Privacy Policy

Last updated: May 17, 2026

Bank2XL ("we", "us", "the Service") provides a Chrome extension and web app that converts PDF bank statements to Excel and CSV files. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

The short version: Your uploaded PDFs are processed in memory for the sole purpose of returning your Excel/CSV, then discarded. We do not store statement files, do not sell or share your data, and do not train AI on your content. We use a third-party AI provider (Google Gemini via OpenRouter) for the conversion — they do not retain or train on your content under our API terms.

1. Information we collect

1.1 Files you upload

When you upload a PDF bank statement, we receive the file and process it to extract its content. We use the file solely to produce the requested output (Excel, CSV, or JSON).

1.2 Account information

If you create a paid account, we collect your email address and (via Stripe or similar processor) your payment details. We do not store full card numbers - those are held by the payment processor.

1.3 Usage data

We record basic technical information for service health and abuse prevention: timestamps of conversions, number of pages processed, success/failure status, and your IP address (truncated). We do not record the contents of your statements in this telemetry.

1.4 Chrome extension permissions

The Chrome extension requests the minimum permissions needed:

storage — to remember your settings, recent conversions, and free-tier counter locally on your device.
downloads — to save the converted Excel file to your device.

The extension also declares a single host permission for https://api.bank2xl.app/* so it can send your file to our converter API. It does NOT request access to your browsing history, all websites, or any banking sites. It only acts on files you explicitly hand it.

2. How we use your information

Purpose	Data used
Convert your PDF to spreadsheet	The uploaded file, held in memory only. Not written to durable storage; discarded as soon as your result is returned.
Authenticate you and bill paid plans	Email, plan tier, Stripe customer ID
Service reliability and fraud prevention	Usage logs (timestamps, page counts, truncated IP). No file content.
Improve the model (aggregate only)	De-identified accuracy metrics (e.g., reconciliation rate) — never file content.

We do not use your statement content to train AI models. We do not sell your data to advertisers, brokers, or any third party.

3. Third-party providers

To run the Service we share limited information with:

Provider	Purpose	What they receive
OpenRouter (LLM router)	Send a rasterized page image to the LLM	One image per statement page; no metadata
Google (Gemini API)	OCR + extraction (via OpenRouter)	The image content for inference only; not retained per Google API terms
Stripe	Payment processing	Email, billing address, card details (held by Stripe)
Cloud hosting (Cloudflare / AWS)	Run the web service	Request metadata, IP for routing

Each provider operates under its own privacy policy. We choose providers with strict no-training and no-retention defaults for content data.

4. Retention

Uploaded PDF files: never stored. Held in server memory only during conversion (typically a few seconds), then discarded. There is no copy on disk you can request to delete because none was ever made.
Generated Excel/CSV outputs: returned to your browser, not stored. Result pages stay reachable only while the conversion is in memory; once the server restarts or the in-memory entry is evicted, the result is gone.
Account information (email, billing): retained while your account is active; deleted within 30 days of account closure, subject to legal/tax retention requirements.
Aggregate telemetry (timestamps, page counts, success/failure, truncated IP, never file content): may be retained indefinitely for product reliability and abuse prevention.

5. Security

We use TLS for all data in transit. Files at rest are encrypted with AES-256. Access to production systems is restricted to a small number of engineers with two-factor authentication. We follow industry-standard practices but cannot guarantee absolute security; please use the Service only with statements you are willing to upload to a cloud SaaS.

6. Your rights

You can at any time:

Request a copy of the personal information we hold about you.
Request deletion of your account and associated data.
Withdraw consent for processing (which will result in account closure, since we cannot run the Service without processing).
Opt out of any non-essential telemetry from the extension Settings page.

Residents of California (CCPA), the EU/UK (GDPR), and other jurisdictions with similar laws have additional statutory rights. Contact us at [email protected] to exercise them. We do not sell personal information under any definition of "sell" in CCPA.

7. Children

The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has used the Service, contact us and we will delete the associated account.

8. Changes

We may update this Policy. Material changes will be announced via email to account holders and via a banner on the landing page. Continued use of the Service after a change constitutes acceptance.

9. Contact

Bank2XL
Email: [email protected]
Operator: Dmitry Ivanov, Montenegro