← Back to converter

Privacy Policy

Last updated 11 June 2026

This policy is a plain-English description of how the tool actually handles data. It is provided in good faith but is not legal advice. If you process other people’s financial data as part of a regulated business, have your own solicitor or DPO review it against your obligations.

1. Who we are

Statement → CSV (the “Service”, at csv.calmhqstudio.com) is operated by CalmHQ Studio (“we”, “us”). For UK GDPR purposes, when you upload a statement you (or the firm you act for) are normally the data controller of the personal data inside it; we act as a data processor handling that data on your instructions for the sole purpose of converting it to a spreadsheet.

2. What we process

  • The PDF or image bank statement you upload, and the transaction data extracted from it (dates, descriptions, amounts, balances).
  • A statement may contain personal data of third parties (the account holder, payees). You are responsible for having a lawful basis to process it.
  • Minimal technical logs: file size, which extraction method ran, row count, and whether validation passed. These logs never contain statement content.

3. How long we keep it — we don't

Your file is processed entirely in memory for the duration of a single request and is never written to disk or to a database. Once the CSV is returned to your browser, the uploaded data is discarded. We hold no copy. The resulting CSV exists only in your browser until you download it.

4. AI processing & masking

Most statements are parsed locally by our own rule engine and never leave our server. When a statement’s layout defeats the local parser, the text is sent to an AI model run by Anthropic (our sub-processor) to transcribe the transactions. Before any such call:

  • Account numbers, sort codes, IBANs, card numbers, phone numbers and email addresses are masked.
  • Only the statement text needed to read transactions is sent — no file, no images.

Anthropic processes the data to return a result and, under its commercial terms, does not train its models on it. Data may be processed on infrastructure outside the UK/EEA under appropriate safeguards (Standard Contractual Clauses). See Anthropic’s privacy and data-processing terms for detail.

5. Lawful basis

We process the data only to perform the conversion you request (the basis you rely on with your own clients — typically contract or legitimate interests — flows through to us as your processor). We do not use the data for marketing, profiling, or any purpose other than the conversion.

6. Security

Transfers are encrypted in transit (HTTPS). Processing is in-memory and ephemeral. We do not sell or share data with anyone except the AI sub-processor named above, and only when the local parser cannot handle the file.

7. Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, portability and objection. Because we retain no copy of your statements after processing, most requests are satisfied automatically — there is nothing for us to hold or delete. For any query, contact us at the address below.

8. Contact

CalmHQ Studio — privacy@calmhqstudio.com. You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk).

See also our Terms of Use.