Privacy Policy

Your privacy is important to us. This privacy policy explains how CardSheet collects, uses, stores, and protects your personal information in compliance with GDPR and industry security standards.

Data Controller

CardSheet is the data controller for the personal information we collect. If you have questions about how we handle your data, contact us at hello@cardsheet.app.

Information We Collect

We collect only the information necessary to provide our service. Here's exactly what we store:

Account Information

  • Email address: Used for login and important service notifications
  • Name: First and last name (from Google OAuth sign-in)
  • Profile image URL: From Google OAuth sign-in
  • Currency preference: Your preferred currency for displaying amounts

Subscription & Billing

  • Subscription tier: Free, Personal, or Pro
  • Subscription status: Active, canceled, or past due
  • Billing period dates: Current period start and end
  • Payment provider IDs: Polar.sh customer and subscription IDs (we do not store credit card numbers)
  • Usage tracking: Pages consumed this billing period

Uploaded Documents

PDF files are deleted automatically, immediately after processing.

  • PDF statements: Temporarily stored during processing, then permanently deleted immediately after extraction
  • File hash: A cryptographic hash to detect duplicate uploads (not the file itself)

Extracted Transaction Data

After processing your statement, we store only the extracted transaction data:

  • Transaction details: Date, description, merchant name, amount, and transaction type
  • Statement metadata: Bank name, card last 4 digits (for distinguishing multiple cards), statement date, page count, and balance information
  • Categories: Your custom categories and categorization rules
  • Merchant mappings: Custom merchant names you've set

Session & Security Data

  • Session tokens: Encrypted tokens to keep you logged in
  • IP address: Logged for security and abuse prevention
  • User agent: Browser and device information for session management

What We Do NOT Collect

We do not collect or store sensitive financial information beyond transaction details.

  • Full credit card numbers
  • Billing addresses
  • Social security numbers
  • Bank account numbers
  • CVV/security codes

Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance: Processing your statements and providing the service you signed up for
  • Legitimate interests: Security monitoring, fraud prevention, and service improvements
  • Legal obligation: Retaining data as required by applicable laws

How We Use Your Information

We use the information we collect to:

  • Process your credit card statements using AI and extract transaction data
  • Provide, maintain, and improve our services
  • Send you technical notices, security alerts, and support messages
  • Respond to your comments and questions
  • Detect, prevent, and address fraud and security issues

Data Retention

  • PDF files: Deleted immediately after processing
  • Transaction data: Retained until you delete it or close your account
  • Account data: Retained while your account is active; deleted when you delete your account
  • Session data: Retained for security purposes as defined by our hosting provider

Third-Party Services

We use the following third-party services:

  • Anthropic Claude: AI processing of your statements (your data is not used for training their models)
  • Polar.sh: Payment processing for subscriptions (we don't see your full card number)
  • Google OAuth: Sign-in authentication (we only receive your email, name, and profile picture)
  • Plausible Analytics: Privacy-focused website analytics on our marketing pages. Plausible does not use cookies, does not collect personal data, and is fully GDPR compliant. No consent banner is required.
  • Sentry: Error monitoring to help us identify and fix bugs (no personal transaction data is collected)
  • Cloud hosting: Your data is stored on secure, encrypted servers

Data Security

We implement industry-standard security measures:

  • Encryption in transit: All connections use HTTPS with modern TLS encryption
  • Encryption at rest: Stored data is encrypted by our cloud hosting provider
  • OAuth authentication: We use Google OAuth for secure sign-in (no passwords stored)
  • Automatic file deletion: PDF files are purged immediately after processing
  • Access controls: Strict internal access controls to protect your data

Your Rights

Under GDPR and similar privacy laws, you have the following rights:

  • Access your data: Export your transactions anytime using CSV or Excel export. For a full copy of your account data, contact us at hello@cardsheet.app
  • Correct your data: Edit your transactions and profile information directly in the app
  • Delete your data: Delete your account from settings to permanently remove all your data
  • Data portability: Export your data in CSV or Excel format anytime

To exercise these rights, contact us at hello@cardsheet.app.

International Data Transfers

Your data is primarily stored in the United States. The service is accessible globally, and your data may be processed by our third-party service providers in other countries. We ensure appropriate safeguards are in place, including Standard Contractual Clauses where required by law.

Children's Privacy

CardSheet is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our website. Continued use after changes constitutes acceptance.

Contact Us

If you have any questions about this privacy policy or how we handle your data, contact us at hello@cardsheet.app.

Last updated: January 20, 2026