Legal

Privacy Policy

Effective date: 26 June 2026 · Last updated: 26 June 2026

The Short Version

1. Introduction

This Privacy Policy explains how UPI Audit ("UPI Audit", "we", "us", or "our") collects, uses, discloses, and protects information when you visit and use the website upiaudit.com and its associated tools (collectively, the "Service").

UPI Audit is a free, privacy-first web tool that lets users in India upload a bank statement PDF and receive a breakdown of their UPI spending. It operates without requiring you to register an account or log in.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy is published in accordance with the Information Technology Act, 2000, the rules made thereunder, and the Digital Personal Data Protection Act, 2023 (India), and aims to be consistent with the General Data Protection Regulation (GDPR) for visitors from the European Economic Area.

2. Information We Collect

2.1 Information you provide (transient)

The only file you provide is your bank statement PDF. It is processed entirely in our server's memory (RAM) to extract and categorize UPI/IMPS transactions, and is never written to disk, logged, or stored. It and all data derived from it are discarded as soon as your results page has been generated and sent to your browser. See Section 3 for details.

If your PDF is password-protected, the password you optionally enter is used only in memory to unlock the file for that single request. It is never stored, logged, or retained, and is discarded along with the file once your results are generated.

2.2 Information collected automatically

  • Usage & device data — pages visited, time on page, device type, browser, and country, collected via Google Analytics 4 (anonymized; see Section 6).
  • IP address — your IP is processed transiently to apply rate limiting (a maximum of 10 uploads per hour per IP) and to protect the Service against abuse and denial-of-service attacks. It is used in-memory for this purpose and is not stored in a database or linked to your transaction data. Standard server access logs maintained by our hosting provider may temporarily record IP addresses for security and operational purposes.
  • Cookies — set by the third-party services we use (Google Analytics and, in production, Google AdSense). See Section 8.

2.3 Information we do NOT collect

By design, UPI Audit is stateless and privacy-first. We do not:

  • Store your bank statement PDF anywhere on our servers
  • Store your transaction data, merchant names, or spending amounts
  • Create or maintain any user accounts or profiles
  • Collect your name, email address, phone number, or other personally identifiable information (unless you voluntarily email us)
  • Send your transaction data to any third-party API (no AI services, no data brokers)
  • Link your bank account or request any ongoing access to your financial data

3. How Your Bank Statement Is Processed

When you upload a PDF to UPI Audit, the following happens:

  1. Your PDF is received by our server via HTTPS and held in RAM only — it is never written to the hard disk.
  2. The server extracts the text content, identifies UPI and IMPS transactions using bank-specific patterns, and categorizes each transaction locally (no external API calls).
  3. A summary object (category totals, merchant breakdown, monthly trend) is generated and passed directly to your browser in the HTTP response.
  4. After the response is sent, the PDF data and all derived transaction data are garbage-collected. There is no cache, session store, or log that retains this information.

This architecture means that even if our server were compromised, there would be no financial data to retrieve — because none is stored.

4. How We Use Information

We use the limited information described above only to:

  • Provide the core function of the Service — analyzing your uploaded statement and displaying your results;
  • Maintain the security, integrity, and availability of the Service (including rate limiting and abuse prevention);
  • Understand aggregate, anonymized usage trends so we can improve the Service;
  • Display advertising that keeps the Service free to use;
  • Respond to you if you contact us directly.

We do not sell, rent, or trade your personal data, and we do not use your bank statement content for any purpose other than generating your on-screen results.

5. Legal Basis & Data Retention

Legal basis (GDPR, where applicable). We process the uploaded PDF on the basis of your consent, given by your act of uploading it for analysis. We process usage data, IP-based rate-limiting data, and serve advertising on the basis of our legitimate interests in operating, securing, and funding a free Service, and — where required — your consent for non-essential cookies.

Retention.

  • Bank statement & transaction data: not retained — held only in memory for the duration of the request, then discarded.
  • Analytics data: retained by Google according to your Google Analytics data-retention settings and Google's policies.
  • Server / security logs: retained only for a short period by our hosting provider for operational and security purposes.

6. Analytics (Google Analytics 4)

We use Google Analytics 4 (GA4) to understand how visitors use UPI Audit. GA4 collects:

  • Pages visited and time spent on each page
  • Device type (mobile / desktop / tablet)
  • Country (not city-level or precise location)
  • Referral source (how you found the site)

This data is anonymized — it does not include your bank statement content, transaction data, or any personally identifiable information. GA4 uses a cookie (_ga) to distinguish unique visitors.

To opt out of Google Analytics tracking across all websites, install the Google Analytics Opt-out Browser Add-on.

7. Advertising (Google AdSense)

In production, UPI Audit displays advertisements served by Google AdSense. Google, as a third-party advertising vendor, may use cookies to serve ads based on your prior visits to this and other websites.

Google's use of advertising cookies enables it and its partners to serve ads based on your interests. You can control or opt out of personalised advertising by:

Ads are not shown during development (when NODE_ENV is not production). For more information, see the How Google uses information from sites that use its services page.

8. Cookies

UPI Audit itself does not set any functional cookies. We use your browser's localStorage only to remember your light/dark theme preference — this stays on your device and is never sent to us. The following cookies may be set by third-party services we use:

Cookie Set by Purpose
_ga, _ga_* Google Analytics Distinguishes unique visitors (anonymized)
IDE, NID Google AdSense Ad personalization (production only)

9. How We Share Information

We do not sell your personal data. We share data only with the limited service providers that operate the Service, and only to the extent necessary:

  • Hostinger — our hosting provider, whose infrastructure runs the Service and may process server logs for operational and security purposes.
  • Google — for analytics (Google Analytics 4) and advertising (Google AdSense), as described above.

We may also disclose information if required to do so by law, or in response to a valid legal request by a public authority.

10. Data Security

All communication with UPI Audit is encrypted via HTTPS (TLS). The server is hosted on Hostinger's managed infrastructure, and access is restricted to authorized personnel only. We apply security headers and upload rate limiting to protect the Service.

Because we do not store any of your financial data, a server breach would not expose your bank statement or transaction history. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

11. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data under the Digital Personal Data Protection Act, 2023 (India), the GDPR, and other applicable laws:

  • Access — to request confirmation of, and access to, the personal data we hold about you;
  • Correction — to request correction of inaccurate or incomplete data;
  • Erasure — to request deletion of your personal data;
  • Objection / restriction — to object to or restrict certain processing;
  • Withdraw consent — to withdraw consent at any time (this does not affect processing already carried out);
  • Grievance redressal — to raise a complaint with our Grievance Officer (Section 12) and, where applicable, with the relevant Data Protection Authority.

Because we do not store your bank statement or transaction data, there is generally no such personal data for us to access, correct, or delete. For any rights relating to analytics or other data, contact us using the details below.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023, you may contact our Grievance Officer with any complaint or concern about how your data is handled:

Grievance Officer — UPI Audit

Email: luxemorphstudios@gmail.com

We aim to acknowledge grievances within a reasonable timeframe as required by applicable law.

13. International Data Transfers

The third-party services we use (Google Analytics and Google AdSense) may process data on servers located outside India or your country of residence. Where such transfers occur, those providers are responsible for applying appropriate safeguards (such as standard contractual clauses) in accordance with applicable data-protection law.

14. Third-Party Links

UPI Audit may contain links to third-party websites (banks, UPI apps, etc.). This Privacy Policy applies only to upiaudit.com. We are not responsible for the privacy practices of linked websites, and we encourage you to review their policies.

15. Children's Privacy

UPI Audit is not directed at children under the age of 18, and is intended for use by adults who hold their own bank accounts. We do not knowingly collect any information from children. If you believe a child has provided information through this Service, please contact us and we will investigate.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by an updated "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of UPI Audit after changes constitutes acceptance of the updated policy.

17. Contact Us

For any questions, concerns, or requests related to this Privacy Policy, please contact us:

UPI Audit

Email: luxemorphstudios@gmail.com

Website: upiaudit.com