Your privacy matters to us. This policy explains what data we collect when you use CSVXtractor, how we use it, and your rights under UK GDPR. We are committed to handling your data responsibly and transparently.
1. Who We Are
CSVXtractor is operated by Simpleledger Limited, registered in England and Wales (Company No. 14373987), with our registered office at 67 Watling Street, Nuneaton, Warwickshire, CV11 6JJ.
We are the data controller for personal data processed through CSVXtractor. For data protection queries, contact us at info@simpleledger.co.uk.
2. What Data We Collect
| Category | Data collected | Purpose |
|---|---|---|
| Account data | Name, email address, company name | Account creation and authentication |
| Usage data | Pages processed, sessions created, files uploaded, export formats used | Quota management and billing |
| Payment data | Billing history, plan type, payment status | Subscription management (card details handled by Stripe — we never see them) |
| Uploaded PDFs | Bank statement PDF files | Transaction extraction only — not stored after processing |
| Extracted transactions | Dates, amounts, descriptions, payees, balances | Stored in your account for session history and re-download |
| Technical data | IP address, browser type, device type | Security, fraud prevention, service improvement |
3. How We Use Your Data
We process your personal data on the following legal bases under UK GDPR:
- Contract performance — to provide the CSVXtractor service, manage your account and process payments
- Legitimate interests — to improve the service, prevent fraud, and maintain security
- Legal obligation — to comply with applicable laws and regulations
- Consent — where you have specifically opted in to marketing communications
4. Bank Statement Data
We understand that bank statement PDFs contain sensitive financial information. Here is exactly how we handle them:
- PDFs are transmitted securely over HTTPS to our processing server (Modal.com)
- Text is extracted from the PDF server-side using pdfplumber
- The PDF file itself is discarded immediately after text extraction — it is never stored
- Extracted transaction data (dates, amounts, descriptions) is stored in your account database (Supabase) and is accessible only to you
- You can delete your session data at any time from your account
5. Third-Party Services
We use the following trusted third-party services to operate CSVXtractor:
- Supabase — database and authentication (EU data residency available). Privacy policy →
- Modal.com — serverless compute for PDF processing. Privacy policy →
- Stripe — payment processing. Card data is handled entirely by Stripe and never passes through our systems. Privacy policy →
- Google reCAPTCHA — bot protection on sign-in and registration. Privacy policy →
We do not sell your data to any third party.
6. Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account closure.
- Transaction data: Retained in your account until you delete it or close your account.
- Payment records: Retained for 7 years as required by UK financial regulations.
- PDF files: Never stored — discarded immediately after processing.
7. Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- HTTPS encryption for all data in transit
- Row-level security on our database (only you can access your data)
- Passwords are hashed and never stored in plain text
- Payment data is handled entirely by Stripe using PCI-DSS compliant infrastructure
- Access to admin systems is restricted and monitored
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restriction — request that we limit how we process your data
- Right to data portability — receive your data in a portable format
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, email us at info@simpleledger.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data properly.
9. Cookies
CSVXtractor uses the following cookies:
- Authentication cookies — set by Supabase to keep you logged in. These are strictly necessary.
- reCAPTCHA cookies — set by Google to protect against bots. See Google's privacy policy for details.
We do not use advertising or tracking cookies.
10. Children
CSVXtractor is intended for business use by adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this privacy policy from time to time. The latest version will always be at this URL. We will notify you of material changes by email or via a notice in the application.
12. Contact Us
Data Controller: Simpleledger Limited
67 Watling Street, Nuneaton, Warwickshire, CV11 6JJ
Company No: 14373987
Email: info@simpleledger.co.uk
Website: simpleledger.co.uk