Privacy Policy

Last updated: December 24, 2025

Quick summary

  • No account required
  • Temporary processing only
  • Automatic deletion
  • Stripe handles payments

Overview

Sheet It Now is designed with privacy as a core principle. We process your bank statement PDFs to convert them into spreadsheet format, and we do not store your financial data beyond the immediate processing window.

GDPR-Aligned Practices

Important Note:

Sheet It Now is a US-based service operated by Side Quest Studios. We are not required to comply with the European General Data Protection Regulation (GDPR), as we do not specifically target or offer services to individuals in the European Economic Area (EEA). However, we have designed our service to follow GDPR-aligned principles as a best practice to protect all users' privacy, regardless of location.

What "GDPR-aligned" means: We implement data handling practices that mirror GDPR requirements (such as data minimization and limited retention) even though we are not legally obligated to do so. This is a voluntary commitment to privacy, not a guarantee of full GDPR compliance.

Below, we explain each principle in detail, including how we implement it, what limitations apply, and where we rely on third-party services.

1. Data Minimization

What we collect:

  • Uploaded PDF Files: Temporarily stored in Supabase Storage (a third-party cloud storage provider) for the duration needed to process your conversion (maximum 1 hour).
  • Job Metadata: We store minimal information about each conversion job in our database:
    • Job ID (randomly generated UUID)
    • Original filename (e.g., "statement_jan_2025.pdf")
    • Upload timestamp and expiration timestamp
    • Processing status (uploaded/parsed/paid/etc.)
    • Row count from your PDF
    • Stripe session ID (if you proceed to payment)
  • Parsed Transaction Data: During processing, the extracted text from your PDF is temporarily stored in our database in a JSONB column. This is necessary to generate your preview and export files. This data is deleted when the job expires (1 hour) or when our automated cleanup runs.
  • Payment Records: If you complete a payment, Stripe (our payment processor) shares minimal metadata with us: amount paid, currency, timestamp, and payment status. We never receive or store your credit card details.
  • Anonymous Usage Analytics: We use Plausible Analytics, which collects only aggregated statistics (page views, button clicks) without cookies, IP addresses, or personal identifiers.

What we DON'T collect:

  • No email addresses (unless you use lifetime access verification)
  • No user accounts or passwords
  • No IP addresses (Plausible doesn't track them)
  • No cookies for tracking
  • No conversion history across sessions
  • No financial account numbers or sensitive details from your statements (text is processed but not permanently stored)

Third-party disclosure: Your data is processed by:

  • Supabase (file storage and database hosting)
  • Stripe (payment processing)
  • OpenAI (PDF text parsing - receives only anonymized text content, not filenames or identifying information)
  • Vercel (application hosting)

Each of these services has its own privacy policy and data handling practices.

2. Purpose Limitation

Your uploaded files and extracted data are used solely for converting your PDF into Excel or CSV format. Specifically:

  • File Processing: Your PDF is parsed to extract transaction data, which is presented to you as a preview, then exported to .xlsx or .csv files.
  • Payment Verification: Payment metadata from Stripe is used only to verify that you have paid before allowing downloads.
  • Operational Logging: We log basic system events (e.g., "file uploaded", "parsing completed") for debugging and service reliability. These logs contain job IDs and timestamps, not your financial data.

We do NOT:

  • Use your data for marketing or advertising
  • Sell or share your data with third parties (except necessary processors listed above)
  • Analyze your transaction content for any purpose other than conversion
  • Train machine learning models on your data (OpenAI's API does not use customer data for training per their data usage policy)
  • Build user profiles or track behavior across sessions

Limitation: Our third-party service providers (Supabase, Stripe, OpenAI, Vercel) may have access to your data while processing it on our behalf. We rely on their commitments to use data only for providing their services to us, as outlined in their respective privacy policies and data processing agreements.

3. Storage Limitation

We retain your data for the minimum time necessary to provide the service:

Uploaded PDF Files & Generated Exports

Retention period: Maximum 1 hour from upload.

How deletion works:

  • When you upload a PDF, we set an expires_at timestamp in our database (current time + 1 hour).
  • Lazy cleanup: On each new upload request, our system checks for and deletes expired jobs. This means cleanup happens organically as the service is used.
  • Scheduled cleanup: We also run a separate cleanup job periodically (via a secured API endpoint) to ensure files are removed even during periods of low activity.
  • Both the source PDF and any generated .xlsx/.csv files are deleted together.

What this means: If you upload a file at 10:00 AM, it will be automatically deleted by 11:00 AM at the latest, even if you never download it.

Parsed Transaction Data

Retention period: Maximum 1 hour (same as files).

During processing, we store the extracted transaction data in a database column (as JSON) to enable preview generation and file exports. This data is stored in the same record as the job metadata and is deleted when the job expires. This is temporary working storage, not permanent archival.

Job Metadata

Retention period: Maximum 1 hour (deleted with the job).

This includes: job ID, filename, timestamps, status, and row count. All deleted together when the job expires.

Payment Records

Retention period: Retained indefinitely for legal and accounting compliance.

Payment records contain: amount paid, currency, timestamp, Stripe session ID, and payment status. No credit card details. These records are necessary for:

  • Tax reporting and financial audits
  • Fraud prevention and dispute resolution
  • Refund processing
  • Legal compliance (e.g., record-keeping requirements)

Important: Payment records are not linked to your financial transaction data from the PDF—they only record that a payment was made for a conversion, not what was converted.

System Logs

Retention period: Typically 30-90 days (operational discretion).

These are technical logs for debugging (e.g., "job 123 uploaded at 10:00 AM"). They do not contain your financial transaction data, only job IDs and system events. Logs are periodically purged as they age out.

Known limitations:

  • Cleanup may not be instant. There may be a brief delay (minutes) between expiration and actual deletion while our cleanup process runs.
  • If our service experiences downtime, cleanup may be delayed until service is restored.
  • Backup systems (operated by Supabase/Vercel) may retain data briefly beyond the 1-hour window before their own deletion cycles complete.

4. Transparency

We are transparent about our data practices:

  • This Privacy Policy: Explains what data we collect, why, how long we keep it, and who processes it.
  • Up-front notices: Before you upload any file, we clearly state on the homepage that files are processed temporarily and deleted automatically.
  • Preview-first approach: You can see exactly what data will be extracted from your PDF before paying. There are no hidden extractions.
  • Third-party disclosure: We list all third-party services that process your data and link to their privacy policies.
  • Contact information: We provide a direct email (hello@sidequeststudios.io) for privacy questions and data rights requests.

What we DON'T do:

  • Hide data collection in fine print
  • Use dark patterns to trick users into sharing more data
  • Change our privacy practices without updating this policy

Commitment: If we make material changes to how we handle data, we will update this Privacy Policy and change the "Last updated" date at the top of this page. For significant changes, we may also display a notice on our homepage.

5. User Control & Data Rights

We respect your control over your data. Here are your rights and how to exercise them:

Right to Access

What it means: You can request to know what personal data we have about you.

How to exercise: Email us at hello@sidequeststudios.io with your job ID (if you have it) or the approximate date/time of your upload. We will search our database and respond within 30 days.

What to expect: In most cases, if more than 1 hour has passed since your upload, we will have no data to share, as files and parsed data are auto-deleted. If a payment was made, we may have a payment record (amount, timestamp, status) but no file content.

Right to Deletion

What it means: You can request that we delete your data.

How to exercise: Email us at hello@sidequeststudios.io with your job ID. We will manually delete the associated records if they still exist.

What to expect: Files and parsed data are already set to auto-delete within 1 hour. If you request deletion before that time, we can expedite it. Note: Payment records may be retained for legal/accounting reasons even after a deletion request (this is permitted under most privacy laws).

Right to Rectification

What it means: You can request correction of inaccurate data.

Applicability: This right is less relevant to Sheet It Now, as we process your files as you provide them and don't maintain user profiles. If you believe we have incorrect metadata (e.g., wrong filename recorded), contact us and we'll investigate.

Right to Data Portability

What it means: You can receive your data in a structured, commonly used format.

How it works: This right is built into our service design. After processing, you can download your converted data as .xlsx (Excel) or .csv (CSV)—both are standard, portable formats that work with any spreadsheet software.

Right to Object to Processing

Applicability: Since using Sheet It Now is entirely voluntary (you choose to upload a file for conversion), and we process data only to provide the service you requested, this right is less applicable. If you do not want your data processed, simply do not upload a file.

Right to Restrict Processing

Applicability: Given our temporary processing model (1-hour retention), restriction is effectively automatic after the job expires. If you want processing stopped immediately, contact us and we can delete your job early.

Important notes:

  • We will respond to all data rights requests within 30 days.
  • We may ask for verification (e.g., job ID, upload timestamp) to ensure we're responding to the correct person.
  • Some rights may not apply due to legal exceptions (e.g., retaining payment records for tax compliance).
  • If you're in the EEA and believe we haven't adequately addressed your request, you may have the right to lodge a complaint with your local data protection authority—though again, we are not subject to GDPR as a US-based service not targeting EEA residents.

Legal Basis for Processing & International Transfers

Legal Basis (GDPR context)

While we are not required to comply with GDPR, if we were, our legal basis for processing would be:

  • Contractual necessity: We process your PDF and generate exports to fulfill the service you requested (converting a PDF to a spreadsheet).
  • Legitimate interests: We process payment metadata and system logs for operational purposes (fraud prevention, service reliability, accounting).

International Data Transfers

Sheet It Now is operated from the United States. Your data may be processed and stored on servers located in the US and other countries where our service providers operate.

Our third-party processors and their locations:

  • Supabase: Data may be stored in AWS regions globally (you can check their documentation for specific regions).
  • Stripe: Global payment processor with data centers worldwide.
  • OpenAI: US-based with potential processing in multiple regions.
  • Vercel: Global CDN with edge locations worldwide.

Important: If you are located in the EEA, UK, or other regions with strict data transfer rules, be aware that your data will be transferred to and processed in countries that may not have equivalent data protection laws. By using Sheet It Now, you acknowledge this cross-border data transfer.

Limitations of Our GDPR-Aligned Approach

To be fully transparent, here are areas where our "GDPR-aligned" approach has limitations:

Data Protection Officer (DPO)

GDPR requires: Organizations processing large volumes of sensitive data must appoint a DPO.
Our status: We have not appointed a formal DPO as we are not subject to GDPR and process data temporarily.

Data Protection Impact Assessments (DPIAs)

GDPR requires: DPIAs for high-risk processing activities.
Our status: We have not conducted a formal DPIA, though our service design minimizes risk through temporary processing and no long-term data retention.

Third-Party Data Processing Agreements (DPAs)

GDPR requires: Written DPAs with all data processors.
Our status: We rely on the standard terms of service and privacy policies of our third-party providers (Supabase, Stripe, OpenAI, Vercel). While these services are GDPR-compliant and offer DPAs to their customers, we have not negotiated custom DPAs for Sheet It Now.

Consent Mechanisms

GDPR requires: Explicit, informed consent for certain types of processing.
Our status: We do not collect explicit consent (e.g., checkboxes) because our processing is based on contractual necessity (you're requesting a service) rather than consent. However, by voluntarily uploading a file, you implicitly agree to our processing.

Data Breach Notification Procedures

GDPR requires: Breach notification to authorities within 72 hours and to affected individuals in certain cases.
Our status: We do not have formal GDPR-compliant breach notification procedures in place, as we are not subject to GDPR. However, we would notify affected users if a breach occurred as a matter of good practice.

Bottom line: We follow GDPR principles in our data handling practices (minimization, limited retention, transparency), but we do not have all the organizational structures and legal documentation that a GDPR-subject entity would maintain. This is why we say "GDPR-aligned" rather than "GDPR-compliant."

What We Collect

  • Uploaded Files: Your PDF bank statements are temporarily stored for processing only.
  • Payment Information: Payments are processed by Stripe. We do not store your credit card details.
  • Usage Analytics: We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies or track personal data.

Data Retention

  • Uploaded Files: Automatically deleted within 1 hour of upload, regardless of conversion status.
  • Generated Files: Deleted simultaneously with source PDFs (within 1 hour).
  • Parsed Data: Transaction data extracted from your PDF is stored temporarily during conversion, then permanently deleted with the file.
  • Payment Records: Stripe retains payment metadata (amount, timestamp, status) for legal and accounting compliance. We do not store your credit card details.
  • Analytics: Plausible Analytics collects only aggregated, anonymous usage statistics. No personal data or IP addresses are stored.

Automatic Cleanup: Our system runs automated cleanup jobs to ensure no files remain beyond the 1-hour window.

No User Accounts

Sheet It Now does not require user accounts. This means:

  • No email addresses collected
  • No passwords stored
  • No conversion history tracked
  • No personal profiles created

Third-Party Services

We use the following third-party services:

  • Stripe: For payment processing. See Stripe's Privacy Policy.
  • Supabase: For temporary file storage. See Supabase's Privacy Policy.
  • OpenAI: For document parsing assistance. Only anonymized text content is processed. No personally identifiable information, file names, or account data is sent to OpenAI.

Your Data Rights

You have the right to:

  • Access: Request information about what data we have about you (typically none, as we don't store files long-term)
  • Deletion: Request deletion of your data (files auto-delete within 1 hour)
  • Rectification: Request correction of inaccurate data
  • Portability: Download your converted files in standard formats (Excel, CSV)

To exercise these rights, contact us at hello@sidequeststudios.io.

Contact

For privacy-related questions, please contact us at hello@sidequeststudios.io.