Privacy Policy
Effective date: 21 May 2025 · Last updated: 21 May 2025
1. Introduction
Kashva (“Kashva”, “we”, “our”, or “us”) operates the bank statement analysis platform available at kashva.ai (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use the Service, and sets out your rights under applicable data protection law.
This policy is governed by Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”) and its Executive Regulations (Cabinet Decision No. 111 of 2023). If you are located in the European Economic Area, the General Data Protection Regulation (GDPR) may also apply to you.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is Kashva, operated in the United Arab Emirates. For data protection enquiries, contact our Data Protection Officer at: privacy@kashva.ai.
3. Data We Collect
We collect the following categories of personal data:
3.1 Account Data
When you register, we collect your email address and a hashed version of your password (managed by Supabase Authentication). We do not store your password in plaintext.
3.2 Bank Statement Data
You may upload PDF or CSV files containing your bank statements. These files contain financial transaction records including dates, amounts, merchant names, descriptions, and account details. This data is treated as sensitive financial data and is subject to the highest level of protection we apply.
3.3 Derived Transaction Data
From your uploaded statements, we extract and store individual transaction records, including AI-generated category labels, vendor names, and recurrence classifications. This derived data is linked to your account and is used to provide the analytics features of the Service.
3.4 Usage and Technical Data
We automatically collect certain technical data when you use the Service, including your IP address, browser type, device type, pages visited, and timestamps. This data is used for security monitoring, debugging, and service improvement.
3.5 Cookies
We use cookies and similar technologies as described in our Cookie Policy.
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing and operating the Service (parsing statements, AI categorisation, dashboard analytics) | Performance of contract |
| User authentication and account security | Performance of contract |
| Sending service-related communications (processing status, account notices) | Performance of contract |
| Detecting and preventing fraud, abuse, or security incidents | Legitimate interests |
| Improving the Service through aggregated, anonymised usage analysis | Legitimate interests |
| Complying with applicable laws and legal obligations | Legal obligation |
| AI processing of your transaction descriptions via Anthropic's Claude API | Performance of contract / Consent (see Section 5) |
We do not use your personal data for automated profiling that produces legal or similarly significant effects without human oversight. AI-generated transaction categories are informational only and can be manually overridden by you at any time.
5. AI Processing and Anthropic
To categorise your transactions, Kashva transmits transaction description text to the Anthropic API (Claude). Anthropic acts as a data processor on our behalf under a Data Processing Agreement. Anthropic does not use API input data to train its models, and does not retain your data beyond the processing of each request. Only transaction description text (not account numbers, full statement files, or personally identifiable information) is transmitted to Anthropic.
Anthropic processes data on servers located in the United States. By using the Service, you consent to this processing. You may request deletion of all your data at any time, which will also remove all stored transaction descriptions from our systems.
6. Data Storage and Sub-processors
Your data is stored using Supabase Inc., a cloud database provider with servers located in the United States. We have executed a Data Processing Agreement with Supabase covering data security, confidentiality, and sub-processor obligations.
Our key sub-processors are:
| Sub-processor | Country | Purpose |
|---|---|---|
| Supabase Inc. | United States | Database, authentication, and file storage |
| Anthropic PBC | United States | AI transaction categorisation |
| Vercel Inc. | United States | Web application hosting and delivery |
| Cloudflare Inc. | United States | CDN, DDoS protection, and DNS |
We will notify you of any material changes to this sub-processor list with reasonable advance notice.
7. International Data Transfers
Because Kashva’s infrastructure providers are located in the United States, your personal data will be transferred to and processed in the United States. The United States is not currently on the UAE Data Office’s list of countries with adequate data protection.
We rely on the following safeguards for these transfers: (a) your explicit informed consent provided when you create an account and accept these terms; and (b) contractual safeguards (Standard Contractual Clauses and Data Processing Agreements) with each sub-processor. You may withdraw consent at any time by closing your account, which will trigger deletion of your data in accordance with Section 10.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account credentials (email) | For the life of your account, deleted within 30 days of account closure |
| Uploaded bank statement files | Retained in encrypted storage for the life of your account; deleted within 30 days of account closure or on your request |
| Extracted transaction records | Retained for the life of your account; deleted on account closure or on your request |
| Server logs (IP addresses, access logs) | 90 days, then automatically purged |
| Anonymised, aggregated analytics data | Retained indefinitely (cannot be used to identify you) |
9. Your Rights
Under the UAE PDPL and, where applicable, the GDPR, you have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data. You can delete all your data directly from your account dashboard.
- Restriction: Ask us to restrict processing of your data in certain circumstances.
- Portability: Request your transaction data in a machine-readable format (CSV export is available directly from the platform).
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact privacy@kashva.ai. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with the UAE Data Office.
10. Account Deletion
You may delete your account at any time from your account settings. Upon deletion, we will erase your uploaded statement files, extracted transaction records, and account data within 30 days. Server logs will be purged in accordance with our standard 90-day retention schedule. Anonymised aggregate data that cannot be attributed to you may be retained.
11. Security
We implement appropriate technical and organisational measures to protect your data, including encryption of data at rest and in transit (AES-256 and TLS 1.2+), access controls, role-based permissions, and regular security reviews. In the event of a data breach that is likely to affect your rights, we will notify you and the relevant authority without undue delay.
12. Children
The Service is not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the Service at least 30 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.
14. Contact
For any privacy-related questions or to exercise your rights, contact our Data Protection Officer at privacy@kashva.ai.