Privacy Policy

Last updated 10 June 2026. Controller: Asakasa Technologies SRL (Romania, EU). Contact: leave a note or [email protected].

The short version: your bank and card statements are processed entirely inside your browser. We have no endpoint that receives your statement files, and we never see, store, transmit, sell, or analyse their contents. The only data that ever reaches us is what you deliberately type into a support note, and your payment email if you buy Pro.

1. What we do and don't receive

Statement files & their contents — never uploaded. PDF parsing and OCR run locally in your browser using code and assets served to your device. There is no upload endpoint, and the page's Content-Security-Policy blocks network connections to anywhere except this site. Statement PDFs, rendered page images, OCR text, parsed rows, descriptions, amounts, balances, filenames and exported CSVs stay on your device.
No analytics, no tracking cookies, no advertising, no profiling, no fingerprinting. We do not use Google Analytics or any third-party tracker.

2. Data stored on your device (not sent to us)

We use your browser's localStorage to hold: a monthly free-export counter, and — if you buy Pro — a license flag and the email you used. This never leaves your browser except when you explicitly ask to restore a license (see §3). You can clear it any time via your browser settings or the “Clear statement” button (which wipes the loaded statement from memory).

3. The only times the page makes a network request

Pro license check / restore. When you purchase or click “Restore by email”, we verify the purchase with our payment processor (Stripe). Only the checkout session id or the email you enter is sent — never any statement data. Lawful basis: performance of a contract (GDPR Art. 6(1)(b)).
Support note. If you use the “Leave a note” form, the email address and message you type are sent to us and stored for up to 90 days so we can reply and improve format coverage. Don't include account numbers or statement contents — they aren't needed. Lawful basis: our legitimate interest in providing support (GDPR Art. 6(1)(f)), and steps at your request.

4. Processors & international transfers

Static hosting and the support intake run on Cloudflare; payments on Stripe. Where these involve transfers outside the EEA, they are covered by Standard Contractual Clauses. We do not share your data with anyone else, and we do not sell or “share” personal information as defined by the California CCPA/CPRA — we have no advertising or data-broker relationships.

5. Your rights

Under the GDPR (and similar laws such as the CCPA) you may request access to, correction of, deletion of, or a copy of the limited personal data we hold (essentially: any support note and Pro purchase record tied to your email). Because we hold almost nothing, these requests are simple — contact us and we'll action them, normally within 30 days. EU residents may also complain to their data-protection authority. We do not subject you to automated decision-making, and no human ever reviews statement contents because we never receive them.

6. Retention

Support notes: up to 90 days, then automatically deleted. Pro purchase records: retained by Stripe as long as needed for tax and chargeback purposes. On-device data: until you clear it.

7. Children

The Bazaar is a general-audience utility, not directed to children, and we knowingly collect no data from anyone under 16.

8. Changes

We'll update the date above when this policy changes. Material changes will be noted on the tool page.