Privacy Policy

Last updated: 8 February 2025

SortSpend ("we", "us", "our") is committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data We Collect

• Account information: When you sign in with Google, we receive your name and email address.
• PDF content: When you upload a PDF, we process its text content to extract and categorise transactions.
• Usage data: We track credit usage (number of uploads) associated with your account.

2. How We Use Your Data

• To provide the expense categorisation service
• To manage your account and credit balance
• To authenticate you via Google OAuth

3. PDF Data Handling

PDFs are NOT stored. Your uploaded PDF content is processed in memory, sent to our AI provider for analysis, and immediately discarded. We do not retain, store, or archive any PDF files or their extracted text after processing is complete.

4. Sub-processors

We use the following third-party sub-processor:

• Anthropic — AI language model provider. PDF text content is sent to Anthropic's API for transaction categorisation. Anthropic processes this data in accordance with their privacy policy and does not use API inputs for training.
• Google — Authentication provider via Google OAuth.

5. Data Retention

• User accounts: Retained until you request deletion.
• PDF content: Discarded immediately after processing. Not stored.
• Analysis results: Stored temporarily in server memory for your session and automatically cleared.

6. Cookies

We use essential cookies only:

• Session cookie: Required for authentication (next-auth.session-token). This is strictly necessary for the service to function.
• CSRF token: Required for security (next-auth.csrf-token).

We do not use analytics, advertising, or tracking cookies.

7. Your Rights Under UK GDPR

You have the right to:

• Access — Request a copy of the personal data we hold about you
• Rectification — Request correction of inaccurate data
• Erasure — Request deletion of your account and associated data
• Portability — Request your data in a portable format
• Object — Object to processing of your personal data
• Restrict processing — Request restriction of processing

8. Legal Basis for Processing

We process your data on the following legal bases:

• Contract: Processing necessary to provide the service you requested
• Legitimate interest: Account management and service improvement

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (HTTPS), secure authentication via OAuth, and minimal data retention.

10. Contact

For any privacy-related requests or questions, contact us at:

privacy@sortspend.com

11. Complaints

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.