Privacy Policy
1. What We Collect
| Data | Purpose | Retention |
|---|---|---|
| Email address | Authentication and account access | Until account is removed |
| Name (optional) | Personalization and account management | Until account is removed |
| Organization name | Account grouping and administration | Until account is removed |
| Uploaded PDF statements | Extraction processing only | In-memory only — never persisted |
| Extracted Excel output | Your downloadable results | 30 days, or deleted by you sooner |
| Session tokens | Keeping you signed in | 7 days |
| Audit events (login, upload, export) | Security and compliance logging | 90 days |
| IP address | Security logging and abuse prevention | 90 days |
2. What We Do Not Collect
- We do not use cookies for tracking or advertising
- We do not embed third-party analytics scripts (no Google Analytics, no Mixpanel, no Meta Pixel)
- We do not collect payment card data — payments are handled externally
- We do not build behavioral profiles
3. How Your Uploaded Data Is Handled
Your PDF statements are the most sensitive data you entrust to us. Here is exactly what happens:
- Upload: Your file is transmitted over TLS 1.3 encrypted connection directly to our processing server.
- Processing: The PDF is opened in-memory. No copy is written to disk or stored in any database.
- Output: The structured Excel result is stored in our encrypted database (AES-256, Supabase on AWS us-east-1) and is accessible only to you.
- Deletion: Extracted files are automatically purged after 30 days. You may delete them at any time from the app.
No Flattnd employee or contractor accesses your uploaded statements or extracted output in the normal course of business. Access for unsupported bank format review is conducted only with your knowledge, as communicated in the app.
4. We Will Never Sell or Share Your Data
This is an unconditional commitment:
- We will never sell your data to any party for any purpose
- We will never share your data with advertisers, data brokers, or marketing firms
- We will never license your data or use it to build products for third parties
- We will never use your uploaded statements to train machine learning models
The only circumstances under which we would disclose data are: (a) with your explicit written consent, or (b) when required by a valid legal process such as a court order or subpoena, in which case we will notify you to the extent permitted by law.
5. Infrastructure & Security
- All traffic encrypted via TLS 1.3 through Cloudflare
- Database encrypted at rest with AES-256 (Supabase / AWS us-east-1)
- Passwordless authentication — no passwords are stored
- HTTP security headers enforced on all responses (CSP, HSTS, X-Frame-Options)
- Access restricted to explicitly whitelisted users only
6. Your Rights
You may request at any time:
- A copy of all data we hold about you
- Deletion of your account and all associated data
- Correction of any inaccurate account information
To exercise these rights, email concierge@flattnd.com. We will respond within 5 business days.
7. Changes to This Policy
If we make material changes to this Privacy Policy, we will notify active users by email before the changes take effect. Continued use of the Service after notification constitutes acceptance.
8. Contact
Questions or concerns about your privacy? concierge@flattnd.com