Home » Data retention

Data retention

How long each piece of data lives, in one table.

The headline: by default we keep your uploaded PDF for 24 hours in an encrypted debug vault so we can investigate failed extractions and improve accuracy. After 24 hours the file auto-deletes. You can opt out per upload. The extension Settings page has a checkbox “Don’t keep my PDF for debugging”. With that box on, we hold the file in memory only and never write it to disk.

Retention by data class

Data class	How long we keep it	Why
Uploaded PDF (default)	24 hours in an encrypted vault on our server (root-only, mode 0700, disk-encrypted host). An hourly sweeper auto-deletes anything older.	We use these files to debug failed extractions and improve accuracy. We don't train AI on them or share them, and they're not backed up.
Uploaded PDF (opt out)	Never written to disk. Opt out in Settings and the upload sits only in process memory during conversion, then gets discarded.	For users who'd rather we never store it. The cost: we can't help diagnose extraction issues with that specific file later.
Generated Excel / CSV	We return these directly to your browser. The result page is reachable only while the in-memory entry exists. Once the server restarts or evicts it (about 24h later), it's gone.	There's no account history during the beta. We don't attach a result list to a user identity.
Account record	No account database during the public beta. No signup and no Stripe customer record. If you opt in via the homepage "Get notified" button, we keep your waitlist email only to send the Chrome Web Store install link and product updates, and you can remove it any time by replying to an email. We keep support, privacy, and security email threads while the thread is active. Once paid plans launch, we'll keep an account record (email + Stripe customer ID) while the account is active and delete it within 30 days of closure.	Bank2XL is free during beta. We'll document paid-plan retention here before billing starts.
Free-tier usage counters	Two daily counters: one keyed on the random per-install UUID (10 statements per day cap) and one keyed on the truncated IP prefix (50 statements per day NAT cap). Both reset at 00:00 UTC; older days are dropped.	Enforces the daily free-beta quota without storing PII.
Service logs (timestamps, page counts, success / failure, truncated IP)	Up to 90 days for operational debugging and abuse prevention. Aggregate counters may be kept indefinitely.	Standard SaaS telemetry. No file content is ever logged.
Billing records	Stripe holds these per their retention policy and our legal / tax obligations (typically 7 years).	Tax authorities require it.

The Chrome extension's local storage

The extension stores a small amount of data on your device only. The only field ever sent to our servers is installId, which goes out as an HTTP header on each upload so we can enforce the daily quota per install instead of per shared IP.

Key	Contents	Sent to server?	Lives until
`chrome.storage.local.apiBase`	Which API URL to send uploads to (so power users can self-host). Default: `https://api.bank2xl.app`.	No (used locally to build the URL).	You change it or uninstall the extension.
`chrome.storage.local.apiKey`	Optional Bearer token for future paid plans. Blank during the public beta.	Sent in the `Authorization` header when set.	You change it or uninstall the extension.
`chrome.storage.local.installId`	Random UUID generated on first run. Used for per-install rate limiting. No PII, no fingerprinting.	Sent as `X-Bank2XL-Install-Id` on each upload.	You clear extension storage or uninstall.
`chrome.storage.local.optOutRetain`	Boolean: when true, the extension sends `X-Bank2XL-No-Store: 1` so the server skips the 24h vault.	Drives a request header; the value itself stays local.	You change it or uninstall.
`chrome.storage.local.defaultFormat`	Preferred download format (xlsx / csv).	No.	You change it or uninstall.
`chrome.storage.local.recent`	Up to 8 records of recent conversions (job ID, filename, size, timestamp, reconciliation status, tx count). Filename is the name of the file you yourself selected. No file content.	No (history is local-only).	You uninstall the extension or clear extension storage.
`chrome.storage.local.quota`	Daily upload count for the current UTC date. Local mirror of the server-side counter so the chip updates without a round-trip.	No.	Auto-rotated daily; old dates removed automatically.

What the 24h vault actually is, in code

Be skeptical of any company that talks vaguely about storage. Here's what it means in ours:

The upload handler receives the file as an HTTP request body and reads it into a Python bytes object in process memory.
If the request does not carry the X-Bank2XL-No-Store: 1 header, the handler writes those bytes to /var/lib/bank2xl-api/vault/<job_id>.pdf on the API host. The vault directory is root-only (mode 0700), with each file at mode 0600.
A background sweeper runs hourly and deletes every file in the vault whose mtime is older than 24 hours.
If the opt-out header is present, we skip the vault write entirely. The only on-disk artifact is the per-job scratch file under tmpfs, which gets deleted the moment extraction finishes.
The extraction pipeline operates on the in-memory bytes: rasterizing pages into a temporary canvas, sending pages to the AI provider, building the result JSON.
We build the generated Excel as an in-memory openpyxl workbook, serialize it to bytes, send it to the browser, and the bytes go out of scope.
The vault isn't backed up, isn't replicated off the API host, and isn't exposed to any external service. Only the operator can read it, and only for the 24h window.

If you want to request immediate deletion of a specific upload before the 24h window elapses, email privacy@bank2xl.app with the job ID (the 12-character suffix on the result page URL). We delete within 1 business day.

Deleting your account

You can request account deletion at any time by emailing privacy@bank2xl.app from the email on file. We confirm the deletion within 7 days. Any vaulted PDFs older than 24h are already gone; any within the window are deleted as part of the account-closure workflow.

Join the waitlist Security details Privacy Policy