When you upload a PDF statement, the file never reaches our servers. PDF.js — the same library Firefox ships — parses the document inside your browser tab and extracts only the text. That text (and only that text) is what we send to our AI to identify charges and match them to credits.

The raw PDF is discarded when you close the tab. If you opt in to "Save statement to archive" — which is off by default — only the extracted, structured data is stored, and you can purge it any time from Settings.

Every row in our database carries the user ID of its owner. Postgres row-level security policies — enforced at the database layer, not the application layer — block any query from returning a row that doesn't match the authenticated user's ID. We use the same mechanism for admin-only tables.

• Encryption at rest (AES-256) on every table.
• TLS 1.2+ on every connection.
• Application code uses an anonymous key in the browser — service keys never reach the client.
• Server functions that need elevated access (admin tools, webhooks) run on isolated server runtime and verify the caller's session every time.

Most card-tracking apps connect to your bank through Plaid or a similar aggregator. We chose not to. The tradeoff:

• Bank or card-issuer login credentials.
• Account numbers or card numbers (we ask for the last 4 only).
• Balances, transactions outside of statement scans, or credit scores.
• Location, device fingerprint, or social-graph data.

• Export. Download every row we have on you, as JSON, from Settings.
• Delete. One click in Settings purges your account and every associated row.
• Opt out. Disable analytics, statement archive, and marketing emails individually.

Found something we missed? Email security@worththefee.com.