StatementPull is a financial technology service operated by Lexcrypta LLC ("Lexcrypta", "we", "us", or "our"), a Michigan limited liability company. StatementPull enables mortgage borrowers ("Borrowers") to securely share verified bank statements with their mortgage broker ("Brokers") through a Plaid-powered bank connection.
This Privacy Policy explains how we collect, use, store, and protect information from both Brokers and Borrowers who use StatementPull. Our contact information is provided in Section 13.
Our core commitment: StatementPull is designed from the ground up with a zero-storage architecture for financial data. Bank statement PDFs pass through our system in memory and are never written to disk. We are a conduit, not a custodian.
We use the data we collect solely to provide the StatementPull service:
We do not use your data for advertising, profiling, data brokering, or any purpose unrelated to the direct delivery of StatementPull services.
Key fact: StatementPull uses Plaid solely to generate an asset report (bank statement PDF). We request read-only access to transaction and balance history only. We never receive, store, or transmit your bank login credentials at any time.
When a Borrower completes the Plaid Link flow:
Plaid's collection and use of data is governed by their own Privacy Policy at plaid.com/legal/privacy-policy. By using StatementPull's connect flow, Borrowers also agree to Plaid's End User Privacy Policy.
StatementPull requests the minimum data scope necessary: the Plaid Assets product only, limited to the number of months requested by the Broker.
StatementPull does not store borrower financial data. Bank statement PDFs are transmitted directly from Plaid to the Broker's email and are never written to disk, database, or any persistent storage on StatementPull infrastructure. This is a core architectural and compliance commitment.
StatementPull does not store:
What StatementPull does store (in our Supabase database):
We do not sell, rent, or trade personal data. We share data only with the following service providers, strictly as necessary to operate the service:
| Provider | Purpose | Data shared |
|---|---|---|
| Plaid Inc. | Bank connection & asset report generation | Borrower initiates connection directly; StatementPull receives completed PDF only |
| Stripe Inc. | Payment processing | Broker payment method; no card data touches StatementPull servers |
| Supabase Inc. | Database hosting | Broker accounts, pull request metadata |
| Vercel Inc. | Serverless hosting | Request logs (IP, path, timestamp) |
| Resend Inc. | Transactional email | Broker email address, borrower email address (for connect link delivery) |
All providers are contractually bound to use data only as necessary to provide their services and are prohibited from using it for their own commercial purposes.
We may disclose data if required by law, court order, or to protect the rights, property, or safety of StatementPull, our users, or the public.
Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at security@statementpull.com.
| Data type | Retention period |
|---|---|
| Broker accounts | Duration of account + 7 years after closure |
| Pull request metadata (reference, dates, status, cost) | 7 years (financial compliance) |
| Borrower name & email | Deleted after PDF delivery confirmed |
| Bank statement PDFs | Never stored — transmitted immediately |
| Plaid access tokens | Deleted after report retrieval |
| Server logs | 90 days, then purged |
Brokers may request deletion of their account and associated metadata at any time by contacting us. Certain records may be retained where required by law.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us at privacy@statementpull.com. We will respond within 30 days.
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
Note: StatementPull does not sell personal information to third parties. We do not engage in cross-context behavioral advertising.
To submit a CCPA request, contact privacy@statementpull.com with "CCPA Request" in the subject line.
StatementPull is intended exclusively for licensed mortgage brokers and adult borrowers (18 years of age or older) in connection with mortgage applications. We do not knowingly collect personal information from individuals under 18. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly.
We may update this Privacy Policy from time to time. For material changes, we will notify Brokers via email at least 14 days before changes take effect. The current version is always available at statementpull.com/privacy.
We aim to respond to all privacy inquiries within 5 business days.
We take data protection seriously. Reach out anytime.
Contact Privacy Team →