Privacy Policy

Last updated: May 17, 2026

Bank2XL ("we", "us", "the Service") provides a Chrome extension and web app that converts PDF bank statements to Excel and CSV files. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

The short version: Your uploaded PDFs are processed for the sole purpose of returning your Excel/CSV. We do not sell or share your data. Files are deleted within 24 hours of processing. We use a third-party AI provider (Google Gemini via OpenRouter) for the conversion - they do not retain or train on your content under our API terms.

1. Information we collect

1.1 Files you upload

When you upload a PDF bank statement, we receive the file and process it to extract its content. We use the file solely to produce the requested output (Excel, CSV, or JSON).

1.2 Account information

If you create a paid account, we collect your email address and (via Stripe or similar processor) your payment details. We do not store full card numbers - those are held by the payment processor.

1.3 Usage data

We record basic technical information for service health and abuse prevention: timestamps of conversions, number of pages processed, success/failure status, and your IP address (truncated). We do not record the contents of your statements in this telemetry.

1.4 Chrome extension permissions

The Chrome extension requests the minimum permissions needed:

The extension does NOT request access to your browsing history, all websites, or any banking sites. It only acts on files you explicitly hand it.

2. How we use your information

| Purpose | Data used |
| --- | --- |
| Convert your PDF to spreadsheet | The uploaded file (held in RAM, optionally cached for retry within 30 minutes) |
| Authenticate you and bill paid plans | Email, plan tier, Stripe customer ID |
| Service reliability and fraud prevention | Usage logs (timestamps, page counts, truncated IP) |
| Improve the model (aggregate only) | De-identified accuracy metrics, never the file content itself |

We do not use your statement content to train AI models. We do not sell your data to advertisers, brokers, or any third party.

3. Third-party providers

To run the Service we share limited information with:

| Provider | Purpose | What they receive |
| --- | --- | --- |
| OpenRouter (LLM router) | Send a rasterized page image to the LLM | One image per statement page; no metadata |
| Google (Gemini API) | OCR + extraction (via OpenRouter) | The image content for inference only; not retained per Google API terms |
| Stripe | Payment processing | Email, billing address, card details (held by Stripe) |
| Cloud hosting (Cloudflare / AWS) | Run the web service | Request metadata, IP for routing |

Each provider operates under its own privacy policy. We choose providers with strict no-training and no-retention defaults for content data.

4. Retention

5. Security

We use TLS for all data in transit. Files at rest are encrypted with AES-256. Access to production systems is restricted to a small number of engineers with two-factor authentication. We follow industry-standard practices but cannot guarantee absolute security; please use the Service only with statements you are willing to upload to a cloud SaaS.

6. Your rights

You can at any time:

Residents of California (CCPA), the EU/UK (GDPR), and other jurisdictions with similar laws have additional statutory rights. Contact us at privacy@bank2xl.app to exercise them. We do not sell personal information under any definition of "sell" in CCPA.

7. Children

The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has used the Service, contact us and we will delete the associated account.

8. Changes

We may update this Policy. Material changes will be announced via email to account holders and via a banner on the landing page. Continued use of the Service after a change constitutes acceptance.

9. Contact

Bank2XL
Email: privacy@bank2xl.app
Operator: Dmitry Ivanov, Montenegro