Privacy Policy

Blueprint Ledger LLC ("Blueprint Ledger," "we," "us," "our") is a Texas limited liability company with a mailing address at 5900 Balcones Drive STE 100, Austin, TX 78731. We operate the website at blueprintledger.com and the bank statement extraction service offered through it (the "Service").

This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over it.

We collect the following categories of information:

2.1 Account information

When you sign in, we receive your name, email address, and profile photo from your identity provider. We do not receive your password.

2.2 Content you upload

When you upload a bank statement PDF, we receive and store the PDF, the text and images extracted from it, and the structured transaction data we produce. This may include account-holder names, account numbers, transaction dates and amounts, vendor descriptions, and check images embedded in the statement.

2.3 Review activity

When you review and edit extraction results, we store your edits, approvals, and the timestamps at which you submitted them.

2.4 Usage and device data

We log technical information needed to operate and secure the Service: IP address, request timestamps, user-agent string, the endpoints you access, and error events. We use this data for security, rate limiting, debugging, and capacity planning.

2.5 Communications

If you contact us by email, we retain the contents of your messages and our replies.

We do not collect biometric information, government identification numbers, or precise geolocation data. We do not knowingly collect information from children under 16.

We use the information described above to:

• Provide, operate, and improve the Service;
• Extract structured transaction data from the PDFs you upload and return that data to you;
• Authenticate you and maintain your session;
• Bill you for paid plans (when applicable);
• Detect, prevent, and respond to fraud, abuse, and security incidents;
• Comply with applicable laws and respond to legal process;
• Communicate with you about the Service.

We do not sell or rent your personal information. We do not use your uploaded content or extraction results to train our own or any third party's machine-learning models.

We share information only as described below. We require each service provider to handle the information consistently with this Privacy Policy and applicable law.

4.1 Service providers

We rely on third-party service providers to operate the Service. They fall into the following categories:

• Hosting and content delivery — to operate the website and a redundant copy of our extraction service;
• Identity verification — to authenticate users via third-party sign-in providers;
• Natural-language processing — to extract structured transaction data from uploaded statements and to standardize vendor names;
• Business directory lookup — to verify and standardize the names of businesses appearing in transaction descriptions;
• Payment processing — to charge subscription fees, when you select a paid plan.

Each service provider receives only the information necessary to perform its function. By contract, none of these providers may use your information for their own purposes, including model training. Business customers may request a current list of named sub-processors by emailing contact@blueprintledger.com.

4.2 Compliance and protection

We may disclose information if we believe in good faith that disclosure is necessary to: comply with a law, regulation, legal process, or governmental request; enforce our Terms of Service; detect, prevent, or address fraud, security, or technical issues; or protect the rights, property, or safety of Blueprint Ledger, our users, or the public.

4.3 Business transfers

If Blueprint Ledger is acquired, merges with another entity, or sells substantially all of its assets, your information may be transferred as part of that transaction, subject to the commitments in this Privacy Policy.

We do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.

We store information in the United States. By using the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data-protection laws than your jurisdiction.

We retain your account information for as long as your account is active. We retain uploaded PDFs and extraction results so that you can return to past extractions and re-export results, unless you delete them or request deletion. Server logs are retained for up to twelve (12) months.

You can request that we delete your data at any time by emailing contact@blueprintledger.com. We will delete the data within thirty (30) days unless we are required to retain it by law (for example, to comply with tax, accounting, or audit obligations).

We apply technical and organizational measures designed to protect your information from unauthorized access, use, alteration, and disclosure. A more detailed description of our security practices is available on our Security page. No security measure is perfect; we will notify you and any applicable regulator of a personal-data breach as required by law.

Depending on where you live, you may have the following rights with respect to the information we hold about you:

• Access — request a copy of the personal information we hold about you;
• Correction — request that we correct inaccurate or incomplete information;
• Deletion — request that we delete your personal information;
• Portability — receive your data in a structured, machine-readable format;
• Restriction or objection — ask us to limit or stop certain processing;
• Withdraw consent — where we rely on your consent, withdraw it at any time;
• Non-discrimination — exercise any of the rights above without us treating you differently as a result.

To exercise any of these rights, email contact@blueprintledger.com. We will verify your identity (typically by confirming control of the email address associated with your account) and respond within the time required by law.

8.1 California residents

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the rights described above. You may designate an authorized agent to make requests on your behalf. We do not sell or "share" (as those terms are defined under the CCPA) your personal information.

8.2 Other U.S. state residents

Several other U.S. states have enacted privacy laws that grant their residents rights similar to those under the CCPA — including Virginia (under the VCDPA), Colorado (under the CPA), Connecticut (under the CTDPA), Utah (under the UCPA), and other states that have since followed. The rights vary slightly by state — for example, Colorado and Connecticut grant a specific right to opt out of targeted advertising, while Utah does not include a right to correct inaccurate information — but the practical rights are substantially the same. We honor verifiable consumer requests from residents of any state whose law grants the right being exercised. Contact us at the email below to make a request.

8.3 EU, UK, and EEA residents

If you are in the European Union, the United Kingdom, or the European Economic Area, the General Data Protection Regulation (GDPR) or UK GDPR applies. Our lawful bases for processing are: performance of a contract (to provide the Service); our legitimate interest (in operating, securing, and improving the Service); consent (where you have given it); and compliance with a legal obligation. You have the right to lodge a complaint with a supervisory authority.

The Service is intended for use by businesses and is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact contact@blueprintledger.com and we will delete it.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or by posting a notice on the Service before the change takes effect. The "Effective" date at the top of this page shows when the current version took effect.

For questions about this Privacy Policy or our information practices, contact us at: