Privacy Policy

Swippee ("Swippee", "we", "us") is a developer API based in Nepal. Our service converts bank statement documents into structured data on behalf of our developer customers.

Contact: hello@swippee.com.

• We are a document-parsing service. Our customers (developers, MFIs, fintechs, accounting firms) send us bank statement files they obtained from their own end users.
• We are not a bank, payment company, or licensed financial institution.
• We do not screen-scrape, log into, or access any bank portal on behalf of any user. We never handle bank credentials.

For each parse request we receive and briefly process:

• The bank statement file (PDF / image / spreadsheet).
• The structured data extracted: account holder name, account number, period, transactions, balances, derived signals.
• API metadata: customer organization ID, API key ID, file name, file size, timestamps, IP address.

For each customer organization we store:

• The owner's email address (used for sign-in only).
• API keys (stored as SHA-256 hashes, never as plaintext).
• Plan, quota, and usage counters.

• Raw statement files: retained briefly to complete the parse and any webhook redelivery, then deleted. Default: 24 hours.
• Structured parse results: retained for the lifetime of the originating organization so it can be re-fetched via GET /v1/reports/:id. Deleted on request.
• API metadata / usage events: retained for billing and abuse-prevention, typically 24 months.

We do not sell personal information. We share data only:

• With sub-processors strictly required to run the service: hosting, database, email, and payment processing.
• With our customer (the organization that submitted the file) by returning the parse result.
• With law enforcement only when compelled by valid legal process under Nepali law.

• All traffic is TLS-encrypted in transit.
• API keys are stored as SHA-256 hashes, not plaintext.
• Sessions are httpOnly + SameSite=Strict cookies.
• We can produce an access audit on request.

End users whose statements are processed: contact the organization that uploaded your statement. They are the data controller; Swippee is the processor.

Customer organizations: you may export or delete all data associated with your organization at any time by emailing hello@swippee.com. Deletion requests are honoured within 30 days.

Swippee's infrastructure is hosted outside Nepal with reputable cloud providers (currently in US and Singapore regions). By using Swippee you consent to processing in those jurisdictions.

Material changes will be announced via email to customer organizations at least 30 days before they take effect.