Privacy Policy
Last updated: May 3, 2026
1. Who we are
BankToBooks ("we", "us") is a private-beta statement-parsing service operated from Bogotá, Colombia. This policy explains what we collect, why, how long we keep it, and the rights you have under applicable laws — including the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and Colombia's Habeas Data framework (Ley 1581 de 2012).
2. What we collect on the waitlist
When you join the waitlist we record:
- Email address (required) — the only direct identifier. Used to contact you about beta access and product updates.
- Banks / statement formats (optional) — free-text describing which formats you struggle with. Used to prioritize parser development.
- UTM parameters from the URL — to understand which channel you came from.
We also automatically capture the following without asking you to type anything, to operate the service responsibly:
- SHA-256 hash of your IP address (with a server-only salt) — for rate-limiting and abuse prevention. We never store the raw IP.
- Country, region, and city derived by Vercel's edge network — for aggregate analytics. We do not store latitude/longitude.
- Browser language preference — to understand audience.
- Referring website hostname only (not the full URL) — to attribute traffic to channels.
- Time on page before submission and visit count (via localStorage) — engagement signal.
- Browser User-Agent and timezone offset — for compatibility and bot detection.
We use a hidden honeypot field and a minimum-time check on the form to filter automated submissions.
3. What we do not collect
- We do not use third-party advertising trackers or pixels.
- We do not sell or share your data with advertisers.
- We do not train machine-learning models on your data.
- We do not store your raw IP address.
- We do not use cookies for tracking. Vercel's built-in cookieless analytics may be active on the marketing site for aggregate page-view counts only.
4. Why we collect it (legal bases)
- Consent — by submitting the waitlist form, you consent to receive email about beta access and product updates.
- Legitimate interest (GDPR Art. 6(1)(f)) — for fraud prevention, abuse rate-limiting, and channel attribution. These are stored as derived fields, not raw identifiers.
- Contractual — when you become a beta or paid user, we process the data needed to provide the service you requested.
5. Where it lives and who handles it
- Database — Supabase (US East region), encrypted at rest. Row-Level Security restricts read access to the service owner.
- Hosting and edge network — Vercel (global edge, primary region US East). HTTPS forced via HSTS preload.
- Email delivery (when active) — a transactional email provider you will be informed about before we contact you.
All sub-processors are bound by their own confidentiality and security commitments.
6. How long we keep it
- Waitlist record — retained while the beta is active (currently through end of 2026). After beta closure, we delete records for accounts that did not convert to paid plans.
- Statement files (when product launches) — automatically deleted 30 days after upload unless you opt to keep them in your account.
- IP hash — rotated when we rotate the salt (planned annually). Old hashes become unrecoverable.
7. Your rights
Depending on where you live, you may have any or all of the following rights:
- Access — request a copy of all data tied to your email.
- Correction — request we fix inaccurate data.
- Deletion / right to be forgotten — request we remove your record entirely.
- Portability — receive your data in a structured, machine-readable format.
- Objection / restriction — request we stop certain processing.
- Withdrawal of consent — at any time, with no penalty.
- Non-discrimination (CCPA) — you will not be charged more or given degraded service for exercising any of these rights.
To exercise any of these, email privacy@banktobooks.app. We respond within 30 days.
8. International transfers
If you are in the EU or UK, your data may be transferred to and processed in the United States and Colombia. We rely on Standard Contractual Clauses where required and on the adequacy / equivalence frameworks of our sub-processors.
9. Children
BankToBooks is a B2B service for accounting professionals. We do not knowingly collect data from anyone under 18. If you believe a minor submitted data, contact us and we will delete it.
10. Changes to this policy
We may update this policy as the product matures. Material changes will be communicated by email to people on the waitlist or to active users. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
For privacy questions or to exercise any right above: privacy@banktobooks.app.