Privacy Policy

Effective date: March 21, 2026

This Privacy Policy explains how Slimbooks ("we," "us," "our") collects, uses, stores, and protects your information when you use our web-based bookkeeping application ("the Service"). We handle financial data and take that responsibility seriously.

1. What We Collect

Account information

When you sign up, we collect your email address and a hashed password (managed by Supabase Auth — we never see or store your plaintext password).

Financial transaction data

When you import files or manually create transactions, we store:

  • Transaction date, description, and amount
  • Transaction type (income or expense)
  • Category assignments
  • Notes you add to transactions
  • Import source (which file type the transaction came from)

Uploaded files (temporarily)

CSV files, PDF bank statements, and receipt/invoice photos are processed in server memory during import. We do not store your uploaded files. They are parsed, the extracted transaction data is saved to your account, and the original file is discarded immediately. No copies are kept on disk, in object storage, or in backups.

Usage data

We collect basic usage analytics through Vercel's hosting platform: page views, request counts, and error rates. This data is aggregated and does not include your financial information.

2. How We Use Your Data

Data             | Purpose                                                                    | Legal Basis
-----------------|----------------------------------------------------------------------------|---------------------
Email            | Authentication, account recovery, service communications                   | Contract performance
Transaction data | Displaying your transactions, generating P&L reports, AI categorization    | Contract performance
Uploaded files   | Parsing transactions from CSVs, PDFs, and receipt images                   | Contract performance
Usage analytics  | Service reliability, performance monitoring                                | Legitimate interest

We do not use your financial data for advertising, profiling, or any purpose beyond providing the Service.

3. AI Processing and Third-Party Data Sharing

Slimbooks uses Anthropic's Claude API for three features:

  • Transaction categorization — Transaction descriptions and amounts are sent to Anthropic to assign categories. No account information, dates, or user identity is included in these requests.
  • Receipt/invoice parsing — Receipt photos are sent to Anthropic's vision API to extract transaction details (merchant, amount, date). The image is transmitted over HTTPS and is not stored by Anthropic.
  • PDF statement parsing — PDF bank statements are sent to Anthropic to extract transaction rows. The PDF is transmitted over HTTPS and is not stored by Anthropic.

Anthropic does not use API inputs to train their models. This is governed by Anthropic's API Terms of Service, which explicitly state that API inputs and outputs are not used for model training. See Anthropic's API Terms.

Other third-party services

Service                | What they receive                                        | Why
-----------------------|----------------------------------------------------------|---------------------------------------
Supabase               | Email, hashed password, session tokens                   | Authentication and database hosting
Anthropic (Claude API) | Transaction descriptions, receipt images, PDF content    | AI categorization and document parsing
Vercel                 | Request logs, IP addresses (aggregated)                  | Hosting and performance monitoring

We do not sell your data to any third party. We do not share your financial data with advertisers, data brokers, or analytics companies.

4. Data Security

We implement the following security measures to protect your financial data:

  • Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2+
  • Encryption at rest — Your database is hosted on Supabase with AES-256 encryption at the storage level
  • Authentication — Supabase Auth with bcrypt password hashing, secure session tokens, and automatic session refresh
  • Data isolation — Every database query is scoped to your authenticated user ID. Users cannot access each other's data.
  • No file persistence — Uploaded CSVs, PDFs, and receipt images are processed in memory and discarded. They are never written to disk or object storage.
  • Rate limiting — API endpoints are rate-limited to prevent abuse and protect against denial-of-service attacks
  • Security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are enforced on all responses

5. Data Retention

  • Account data — Retained while your account is active
  • Transaction data — Retained while your account is active. You may delete individual transactions or your entire account at any time.
  • Uploaded files — Not retained. Discarded immediately after processing.
  • After account deletion — All data is removed from active systems within 30 days. Encrypted database backups may contain your data for up to 90 days before automatic rotation.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — Request a copy of all data we hold about you
  • Correction — Update or correct inaccurate data
  • Deletion — Delete your account and all associated data
  • Export — Export your transaction data (available via the P&L export feature)
  • Restrict processing — Opt out of AI categorization (you can manually categorize instead)

To exercise any of these rights, email us at privacy@slimbooks.io. We will respond within 30 days.

7. Cookies

Slimbooks uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

Cookie           | Purpose                         | Duration
-----------------|---------------------------------|------------------
sb-*-auth-token  | Supabase authentication session | Session / 7 days

8. Children's Privacy

Slimbooks is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.

9. International Data Transfers

Your data is stored on servers in Canada (Supabase, AWS ca-central-1). When you use AI features, transaction data is transmitted to Anthropic's API servers in the United States for processing. This transmission is encrypted and the data is not stored by Anthropic.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email at least 14 days before taking effect. The "Effective date" at the top of this page indicates the latest version.

11. Contact

For privacy-related questions or data requests, email us at privacy@slimbooks.io.