Privacy Policy

Last updated: March 2026 · Effective from: March 2026

Summary: We parse your bank statement PDFs and return structured data. We never store your PDF. Extracted transaction data is retained based on your plan tier and automatically deleted on schedule. We do not sell your data.

1. Who We Are

StmtSnap (“we”, “our”, “us”) is a bank statement parsing service operated by StmtSnap Technologies. We are a Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act). You, the user, are the Data Principal.

Contact: privacy_stmtsnap@aptibot.com

2. What We Collect

Account data

Email address and display name (provided during signup via Google OAuth or email/password).

Extracted transaction data (paid plans only)

When you are signed in and parse a statement, we store the extracted transaction records (date, narration, debit/credit amounts, balance). We store the masked last 4 digits of your account number only — never the full account number. This data is retained according to your plan tier and automatically deleted on schedule.

Usage logs

Pages consumed per parse request, extraction method, confidence score, and a one-way hash of your IP address (for anonymous users). These logs are used for free-tier enforcement and service analytics.

Payment data

Billing is handled entirely by Razorpay (INR payments) or Stripe (USD payments). StmtSnap does not store card numbers, UPI IDs, or any payment credentials. We receive only a subscription ID and plan identifier from the payment provider.

3. What We Do NOT Collect

  • Your PDF files are never stored. After parsing, the uploaded file is discarded from memory immediately. It is never written to disk, cloud storage, or any persistent system.
  • Full bank account numbers (only the last 4 digits, masked as XXXX1234)
  • Passwords, PINs, or credentials of any kind
  • Any data from anonymous (signed-out) users beyond a hashed IP address for rate limiting

4. Data Retention — Tier-Based

Extracted transaction data is retained for the duration below, then permanently deleted from our database automatically:

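| Plan    | Retention     | User control                  |
|---------|---------------|-------------------------------|
| Free    | 24 hours      | No — parse history not stored |
| Starter | Up to 30 days | Choose 1–30 days in Settings  |
| Pro     | Up to 1 year  | Choose 1–365 days in Settings |
| Team    | Up to 3 years | Choose 1–1095 days in Settings |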

Deletions run automatically each night at 03:00 UTC. You can also delete individual records immediately from your History page.

5. How We Use Your Data

  • To provide the parsing and export service
  • To enforce free-tier page limits
  • To manage your subscription and billing
  • To display your parse history (paid plans)
  • To send account-related emails (password reset, email confirmation)
  • To generate aggregate, anonymised usage analytics (no individual identification)

We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.

6. Third-Party Data Processors

We use the following sub-processors to deliver the service. All are bound by data processing agreements:

| Processor     | Purpose                         | Location      |
|---------------|---------------------------------|---------------|
| Supabase      | Database & authentication       | US-East (AWS) |
| Razorpay      | INR payment processing          | India         |
| Dodo Payments | USD payment processing          | United States |
| WATI          | WhatsApp bot messaging          | India / US    |
| Google OAuth  | Sign-in with Google             | United States |
| Google Gemini | AI-assisted PDF text extraction | United States |
| Railway       | API server hosting              | United States |
| Vercel        | Web frontend hosting            | Global CDN    |

7. Data Residency

Our primary database is hosted on Supabase in the US-East region (AWS us-east-1). Your data may be stored outside India. By using StmtSnap, you consent to this cross-border transfer. If you require India-only data residency, please contact us at privacy_stmtsnap@aptibot.com to discuss Enterprise options.

8. Cookies & Local Storage

We use a single authentication session cookie set by Supabase to keep you signed in. No third-party advertising, tracking, or analytics cookies are used. We do not use any cross-site tracking technologies.

9. Security

  • All data in transit is encrypted via TLS 1.2+
  • Authentication uses industry-standard JWT tokens (HS256 / RS256)
  • Webhook endpoints are protected with HMAC-SHA256 signature verification
  • Service role database credentials are never exposed to the frontend
  • Row-Level Security (RLS) ensures users can only access their own data

10. Your Rights (DPDP Act 2023)

As a Data Principal under India's DPDP Act 2023, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update inaccurate data in your profile and settings
  • Erasure: Request deletion of your account and all associated data. We will complete this within 24 hours of a verified request.
  • Withdraw consent: Stop using the service and request data deletion at any time
  • Data portability: Request your parse history exported as JSON
  • Grievance redressal: Lodge a complaint with our Data Protection Officer

To exercise any right, email privacy_stmtsnap@aptibot.com from your registered email address. We will respond within 72 hours.

11. Account & Data Deletion

You may delete your account from Settings → Data & Privacy → Delete Account. Upon deletion:

  • Your authentication account is deleted immediately
  • All parsed statement history is deleted within 24 hours
  • Usage logs are purged within 30 days
  • Subscription records are retained for 7 years for tax/regulatory compliance

12. Children

StmtSnap is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately.

13. Changes to This Policy

We may update this policy. For material changes, we will notify you by email at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance. The “Last updated” date at the top reflects the most recent revision.

14. Contact & Grievance Officer

Data Protection Officer / Grievance Officer:
Email: privacy_stmtsnap@aptibot.com
Response time: Within 72 hours of receipt