- 01
Overview
Sortlumo is a privacy-first personal finance tool. You upload bank or credit-card statement PDFs and we turn them into categorized transactions you can search, slice, and export. This policy explains exactly what data we collect, why we collect it, who else touches it, and what control you have over it.
The short version: we never link to your bank, we never sell or share your spending data, we don't run third-party tracking on your statements, and you can export or delete everything in your account at any time.
- 02
Data we collect
We collect only what's necessary to run the service:
- Account data — your email address and a hashed password (we never see your password in plain text).
- Statement PDFs you upload — stored against your account so you can re-open and re-export later.
- Parsed transactions — date, merchant, description, amount, currency, and the category assigned by our parser. Plus any manual re-categorizations you make.
- Account metadata — names and labels you give your accounts (e.g., "Chase Checking", "AmEx Gold"), institution names, and the last 4 digits of an account if you choose to record them.
- Billing data — if you subscribe, Stripe handles your card details on our behalf. We never see or store your full card number; we receive a Stripe customer/subscription ID and basic status (active, canceled, etc.).
- Operational logs — minimal server logs (timestamps, IPs, HTTP status codes) needed to keep the service running and to investigate abuse. These are retained for up to 30 days unless required longer for security or legal reasons.
We do not collect: bank login credentials (we never link to your bank), behavioral analytics on individual transactions, advertising identifiers, or third-party social-graph data.
- 03
How we use your data
We use the data above strictly to deliver and improve the service:
- Parse uploaded PDFs into structured transactions and assign categories.
- Show you summaries, recurring-charge detection, and category breakdowns.
- Authenticate you and protect your account.
- Process payments and manage your subscription (via Stripe).
- Send transactional email (account verification, password reset, billing receipts) — never marketing email unless you explicitly opt in.
- Investigate and stop abuse, fraud, or service-availability problems.
We do not use your transactions to build a profile that we sell, share, or use for targeted advertising.
- 04
Service providers we use
To keep Sortlumo lean and reliable, we rely on a small set of vetted service providers. Each one only sees the data it strictly needs to do its job:
- Stripe (payments) — handles card processing, subscription billing, and invoicing. We send Stripe your email and Stripe-customer ID; Stripe handles card data under PCI-DSS Level 1 compliance.
- Resend (email) — delivers transactional email (verification, password reset, billing). We send Resend your email address and the message body.
- Anthropic (Claude) or Google (Gemini) (PDF parsing) — when you upload a statement, the extracted text is sent to one of these AI providers via their API for structured parsing and categorization. Both providers are contractually bound not to use API inputs to train their models. We never send your email, name, or any account identifiers along with the text.
- Vercel (hosting) — runs the application servers. Standard request/response logs (no statement contents) flow through Vercel's infrastructure.
We do not share your data with advertisers, analytics vendors, data brokers, or any third party that would use it for purposes other than delivering Sortlumo to you.
- 05
Storage and security
Your statements and transactions are stored in our database, scoped to your account. Access is gated by an authenticated session tied to your email and password. We use industry-standard encryption in transit (TLS) and at rest.
Internally, only a small number of authorized engineers can access production systems, and access is logged. We do not browse user data except as strictly necessary to investigate a reported issue or to comply with a lawful request.
No service is 100% secure. If we discover a breach that affects your account, we'll notify you promptly with details and recommended actions.
- 07
Your rights and controls
You always have full control over your data:
- Export — every account can download all categorized transactions as an Excel (.xlsx) file at any time, on every plan.
- Delete a statement — remove a single uploaded statement (and its parsed transactions) from your account in one click.
- Delete your account — message us via the contact form from the email address on your account and we will permanently delete your account and all associated data within 30 days. Backups are purged on a rolling 90-day cycle.
- Access or correct your data — most data is visible and editable inside the dashboard. For anything that isn't, reach us via the contact form.
- Cancel your subscription — manage or cancel from your account settings; access continues to the end of the paid period.
If you're in the EU, UK, California, or another jurisdiction with specific data-protection rights (GDPR, UK GDPR, CCPA/CPRA, etc.), you have the additional rights guaranteed under those laws — including the right to know what we hold, to request correction or deletion, to object to processing, and to lodge a complaint with your local data-protection authority.
- 08
Data retention
We keep your statements and parsed transactions for as long as your account is active, because that's the whole point of the service — you can re-open a statement you uploaded two years ago. If you delete a statement, it's removed from primary storage immediately and from backups within 90 days.
If you delete your account, we purge your data within 30 days. A few things may persist longer for legal or accounting reasons (billing records, fraud investigations) — but these are isolated from the product and not used for anything else.
- 09
Children
Sortlumo is not intended for anyone under the age of 16. We do not knowingly collect data from children. If you believe we have, please contact us and we will delete it.
- 10
International transfers
Sortlumo and its service providers operate primarily in the United States and the European Union. By using the service, you consent to your data being processed in those regions. When data crosses borders, we rely on standard contractual clauses and other approved safeguards.
- 11
Changes to this policy
We may update this policy as the service evolves. When we make material changes, we'll bump the "Last updated" date and, for substantial changes, give registered users notice by email before the changes take effect.
- 12
Contact us
Questions, concerns, or data requests? Send us a message and we'll reply by email — typically within two business days.
Privacy Policy
The data we collect, why we collect it, who else touches it, and what control you have over it.
Last updated May 17, 2026