Privacy
We treat your data with the same caution a tax tool should: nothing leaves your browser that doesn't have to, and nothing we receive sticks around longer than required to render your summary.
Files you upload
- Transmitted over HTTPS (TLS 1.2+).
- Parsed in memory only on the server.
- The temporary upload file PHP creates is explicitly deleted before the result page renders.
- We do not write your CSV, your transactions, or your summary to disk anywhere.
- We do not send your data to any third party.
What we never store
- No accounts, no logins, no usernames. There's nothing to sign up for.
- No cookies for app state. The app is fully stateless.
- No persistent tracking. Each visit is independent.
- No analytics of your transactions. The analytics described below count page views, not the contents of the files you upload.
Analytics: Cloudflare Web Analytics
We use Cloudflare Web Analytics to measure basic site traffic — how many people visit, which pages they look at, roughly where they're from. This helps us know if the site is reaching the people it's meant to help.
What it collects
- Page views (URL, referrer, page title)
- Browser type, OS, device class
- Country (derived from IP at the edge — the IP itself isn't stored)
- Core Web Vitals (page-load performance metrics)
What it does NOT collect
- Cookies (none set, none read)
- Personally identifiable information
- IP addresses in clear (anonymized at the edge before processing)
- Cross-site tracking (the beacon doesn't follow you to other sites)
- Browser fingerprinting
The beacon is loaded from static.cloudflareinsights.com and is
visible in your browser's developer tools network tab if you'd like to confirm.
Server logs (operational only)
Cloudflare and the origin server both keep standard web request logs (timestamp, URL path, response code, anonymized client info). These exist for security and debugging — for example, if someone abuses the upload endpoint, we can investigate. They are not used for analytics, not shared with third parties, and rotated within standard retention windows.
Third parties
The only third party in the request path is Cloudflare (CDN, DDoS protection, edge SSL, web analytics). Cloudflare's privacy policy lives at cloudflare.com/privacypolicy.
We do not use:
- Google Analytics, Facebook Pixel, or any ad-network tracker
- A/B testing, heatmap, or session-replay services
- Tracking pixels of any kind
Questions?
Want to verify something specific, or have a privacy question we didn't answer? Use the contact form. Messages are protected by Cloudflare Turnstile (no cookies, no fingerprinting) so we can avoid posting an address that bots can scrape.