Back to home

Data Protection

Last updated: April 2, 2026

Bank statements contain some of the most sensitive financial information about you. We take that responsibility seriously. This page explains how Sight by CircleFunds protects your data at every step — from upload to deletion.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted via TLS 1.2+. API endpoints are HTTPS-only.

Encryption at Rest

Uploaded bank statements stored in AWS S3 are encrypted at rest using AES-256. Database records are stored on encrypted volumes.

Access Controls

Access to production systems is restricted to authorised personnel only. We follow the principle of least privilege — staff can only access the data required for their role.

No AI Training on Your Data

Your bank statements and personal data are never used to train AI or machine learning models — by us or any third-party provider. All AI providers are contractually bound by this commitment.

Isolated Processing

Each user's data is processed in isolation. Statement analysis jobs run in separate worker processes and results are scoped strictly to the authenticated account.

Automatic Deletion

Free-tier statements are automatically deleted after 7 days. Basic and Pro data is retained for the duration of your subscription. Enterprise retention is governed by your agreement. Deleted account data is purged within 7 business days and from backups within 30 days.

How Your Data Flows

  1. Upload: Your PDF is transmitted over HTTPS directly to our backend and stored in an encrypted storage.
  2. Parsing: A background worker extracts transactions from the document using bank-specific parsers or, for unknown banks, Google Gemini AI. No raw document content is logged or retained beyond processing.
  3. Analysis: The extracted transaction data is analysed in memory to produce your 157+ metric report. Results are saved to your account in an encrypted database.
  4. Delivery: Analysis results are returned to your authenticated session only. No analysis data is shared with third parties.
  5. Deletion: Statement files and analysis records are deleted per the retention schedule or immediately upon your request.

Third-Party Sub-processors

We use the following sub-processors to operate the Service. Each is bound by a data processing agreement that restricts use of your data to service delivery only.

ProviderPurposeData Shared
AWS S3Document storageUploaded files
Google GeminiAI extraction & insightsTransaction text (unknown banks / insights)
StripePayment processingEmail, billing info
PostgreSQL (self-hosted)Application databaseAccount & analysis data
Redis (self-hosted)Task queue & cachingJob metadata (no statement content)

GDPR Compliance

We are committed to complying with the General Data Protection Regulation (GDPR) where applicable. This includes lawful basis for processing, data minimisation, purpose limitation, and upholding data subject rights. If you are located in the EEA or UK and wish to exercise your GDPR rights — including access, rectification, erasure, or portability — contact us at hello@circlefunds.io.

Incident Response

In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities within 72 hours of becoming aware of the incident, as required by applicable law. We will provide details of the nature of the breach, the data involved, and the steps we are taking to mitigate harm.

Your Data Controls

  • Delete individual statements from your dashboard at any time.
  • Request full account deletion by emailing us — processed within 7 business days.
  • Request a copy of all personal data we hold about you.
  • Deactivate API keys instantly from your account settings.

Contact

For data protection enquiries, to report a security vulnerability, or to exercise your rights, contact us at hello@circlefunds.io.

Terms of Service →Privacy Policy →