Permitted & Prohibited Uses

This Acceptable Use Policy explains what you may and may not do with BankStatement Savvy.

Effective date: August 1, 2025

Owner/Operator (Controller)

AEY GROUP

P.O. Box 5863, Nairobi, Kenya

Website

https://bankstatementsavvy.com

Contact (Abuse/Compliance)

compliance@bankstatementsavvy.com

Privacy/Data Requests

hello@aey-group.com

Introduction

This Acceptable Use Policy ("AUP") explains what you may and may not do with BankStatement Savvy (the "Service"). It is part of our Terms of Service and Privacy Policy. If you violate this AUP, we may suspend or terminate access, and we may take legal action where required.

1. Scope & Definitions

Service

Our web app, API, workers, and related infrastructure converting PDF bank statements to CSV/XLSX/JSON/Markdown, plus tools (filters/merge/exports) and analytics-free utilities.

Customer Content

Files you upload (e.g., bank statement PDFs), settings, and outputs we generate for you.

You

The account owner and your authorized users.

2. Permitted Uses (What the Service is For)

Business Operations

  • Accounting & bookkeeping tasks
  • Financial reporting & reconciliation
  • Expense tracking, budget planning, cash-flow analysis
  • Tax preparation support (with professional review)

Personal Finance

  • Personal budgeting & expense categorization
  • Downloading/organizing your own banking data
  • Preparing documents for tax filing or loan applications

Professional Services

  • Work performed by accountants, bookkeepers, tax preparers, lenders, underwriters, auditors, and consultants on behalf of their clients (with proper authority)

Research & Education

  • Academic/market research, financial education, trainings & workshops (with de-identified or properly authorized data)

Important Requirement

You must have the right and authority to upload/process any document (e.g., you are the account holder or you have client consent/engagement authority).

3. Prohibited Uses (Strictly Not Allowed)

Illegal or Harmful Activity

  • Money laundering, fraud, sanctions evasion, tax evasion, identity theft
  • Using stolen/illegally obtained documents or credentials
  • Violating financial, privacy, export, or consumer-protection laws

Unauthorized Access & Security Abuse

  • Attempting to bypass authentication, exploit vulnerabilities, or access another user's data
  • Reverse engineering, scanning, scraping internal endpoints, or load-testing without written permission
  • Uploading malware or content that disrupts systems

Service Abuse & Fair-Use Violations

  • Automating requests to overwhelm the Service, or excessive API calls beyond plan limits
  • Resale or redistribution of the Service to third parties without our written consent
  • Circumventing usage limits, page/credit quotas, billing, or rate limits
  • Using throwaway or fraudulent identities for free trials or LTD gaming

Inappropriate or Infringing Content

  • Documents containing illegal content or content you are not authorized to process
  • Content that infringes IP or publicity/privacy rights
  • Harassment, hate speech, or abusive behavior through support channels

Prohibited Data Types (Without Written Approval & Controls)

  • Full unredacted payment card PAN + CVV (PCI data), government ID scans where prohibited, credentials/secrets unrelated to the document itself
  • Special-category data under GDPR unless strictly necessary, lawful, and you have a valid legal basis and safeguards

4. Data Protection & Confidentiality (Your Responsibilities)

  • Only upload data you are authorized to process and that is necessary for the task (data minimization).
  • Do not include credentials or secrets in uploads/support tickets.
  • Validate outputs before using them in accounting, filings, or underwriting; OCR/AI and parser outputs may contain errors.
  • Respect all applicable laws: GDPR/UK-GDPR, CPRA/CCPA, GLBA-like obligations where applicable, and any industry rules that apply to you.

5. API-Specific Rules

  • Keep API keys confidential; rotate if compromised.
  • Respect rate limits and backoff headers; no scraping or benchmarking publication without consent.
  • Do not build a competing "conversion at scale" service on top of our API without a commercial license.

6. Fair-Use & Rate Limiting

To protect stability, we may throttle or cap:

  • Concurrent jobs, pages/min, files/day, API requests/min
  • Excessive retries, repeated failed uploads, or abusive patterns

We'll surface reasonable limits in docs or your plan. Contact us for higher quotas.

7. Compliance Requirements (Summary)

You must comply with:

  • All applicable laws & regulations, including financial and privacy laws
  • Our Terms of Service, Privacy Policy, this AUP, and any DPA or API terms that apply to your plan
  • Export/sanctions controls (no use from or for restricted jurisdictions/parties)

8. Enforcement Ladder

First Violation

Warning and temporary suspension; we may request remediation steps and evidence of compliance.

Repeated Violations

Extended suspension, reduced access, mandatory compliance review, potential plan downgrade or quota hard caps.

Serious Violations (e.g., illegal activity, data theft, large-scale abuse)

Immediate termination, permanent ban, preservation of records, and referral to authorities where required.

We may remove or disable access to any content that violates this AUP and take steps to prevent recurrence.

9. Reporting Violations or Security Issues

  • Email: compliance@bankstatementsavvy.com
  • Subject: "Policy Violation Report"
  • Include: description, steps to reproduce, relevant logs/screenshots, and your contact info

Good-Faith Security Research

If you discover a vulnerability, please report privately with no data exfiltration beyond minimal proof, and allow reasonable time to remediate. We won't pursue legal action against good-faith, coordinated disclosure that respects user privacy and the law.

10. Changes to This AUP

We may update this AUP from time to time. Changes take effect when posted; material changes will be notified via email or in-app. Your continued use after the effective date constitutes acceptance.

Quick Alignment with Our Other Legal Docs

Privacy & Security

Encryption in transit/at rest; default file retention per plan; deletion within 30 days after cancellation; logs ~12 months; billing records 7 years (see Privacy Policy).

Hosting/Transfers

Primarily USA; international transfers safeguarded (SCCs/DPF where applicable).

Sub-processors

DigitalOcean, AWS, Mixpanel, GA4, Google Search Console, PostHog, Sentry, Paystack (see /legal/subprocessors).

Marketing/GPC

We honor GPC where applicable and provide consent controls (see /legal/cookies).

By using the Service, you confirm you've read and agree to this AUP.