Last updated 10 July 2026

Privacy Policy

1. The short version

You upload bank statements; we convert them and give you the results. Uploaded PDFs are deleted the moment processing finishes. Extracted data is deleted on the schedule your team chooses — from 30 minutes to 30 days. We never use your documents to train AI models, never sell your data, and use no advertising trackers.

2. What we collect

  • Account data — your name, email address and password (hashed), plus team names and membership.
  • Documents — the statement PDFs you upload and the transaction data extracted from them.
  • Billing data — handled by Stripe. We store your plan, invoices metadata and your card's brand and last four digits, never the full number.
  • Operational data — page counts, conversion status and standard server logs used to run and secure the service.

3. How documents are processed

When you upload a statement it is stored encrypted, its text is extracted, and the text is sent to our AI provider (OpenAI) solely to structure the transactions. Under our agreement with them, it is not used to train their models. Password-protected PDFs are decrypted with the password you supply; the password itself is never stored. The uploaded PDF is deleted from storage as soon as processing reaches a final state — successful or not — on every plan.

4. Retention

  • Source PDFs — deleted immediately after processing, always.
  • Extracted rows and exports — deleted on your team's retention setting: 30 minutes, 1 hour (default), 24 hours, 7 days or 30 days. Guest conversions expire within 24 hours.
  • History metadata — after expiry, only the file name, date, page count and status remain, so your team keeps an audit trail without the underlying financial data.
  • Account data — kept while your account exists and deleted when you delete it, except invoices and records we must keep for tax and accounting law.

5. Who we share data with

We share data only with the processors needed to run NoRekey, under data processing agreements:

  • Laravel Cloud — application hosting.
  • DigitalOcean — encrypted temporary file storage.
  • OpenAI — transaction extraction (no training on your data).
  • Stripe — payments and invoicing.
  • Google Fonts — typeface delivery on our web pages.

We never sell personal data and never share it for advertising.

6. Cookies

We use essential cookies only: your session, authentication and security (CSRF) cookies. There are no analytics or advertising cookies, which is why you don't see a cookie banner.

7. Your rights

Under UK GDPR you can ask for a copy of your personal data, have it corrected or deleted, object to processing, and take your data elsewhere. Most of this you can do directly in the app — retention is under your control, and you can delete conversions, teams and your account yourself. For anything else email support@norekey.com. You can also complain to the Information Commissioner's Office (ico.org.uk).

8. Security

Data is encrypted in transit and at rest. Access to production systems is restricted and audited, passwords are hashed, and two-factor authentication is available on every account.

9. Changes and contact

If we change this policy in a way that matters, we'll tell you by email or in the app first. The controller for your data is NoRekey; reach us any time at support@norekey.com.