Legal
Last updated: July 13, 2026. This policy explains what we collect, why we collect it, and your choices.
Merchant Statement Scanner (“Service,” “we,” “us,” or “our”) is operated by CMS Max (Evolution Marketing). The Service helps business owners, payment agents, and ISOs upload and analyze merchant processing statements to understand fees, rates, and effective cost.
Contact: merchantstatementscanner.com/contact. Website: merchantstatementscanner.com.
This Privacy Policy applies to information we collect when you visit our website, create an account, use the dashboard, upload statements, manage clients, subscribe to billing, or contact us. It does not cover third-party websites or processors you may link to from our marketing content.
When you register or sign in, we collect your name, email address, password (stored as a secure hash — we never store plaintext passwords), and optional profile details you provide. Admins may hold elevated access flags for support and operations.
You may store merchant clients including business names, merchant IDs (MIDs), processor names, phone numbers, emails, notes, and related fields. You control what you enter; we process it to provide the Service.
You may upload merchant processing statements as PDF files. We extract and store derived fields such as volume, fees, rates, categories, and effective rate using automated rules and, where configured, artificial intelligence (OpenAI). Statement files and extracted results are associated with your account and optional client records.
Subscriptions are processed by Stripe. We store Stripe customer and subscription identifiers and status so we can unlock paid features. Full card numbers are handled by Stripe — we do not store complete payment card data on our servers.
We automatically collect standard server logs (IP address, browser type, timestamps, request paths, error diagnostics) needed for security, reliability, and abuse prevention. If you accept analytics cookies, we also load Google Analytics (measurement ID G-CRSY62P2PL) to understand site usage (pages viewed, approximate geography, device type). Analytics scripts are not loaded until you consent.
If you use password reset, welcome email, or contact us, we process the content of those messages and delivery metadata via our email provider (Mailgun).
We do not sell your personal information. We do not use your merchant statements to train public AI models for unrelated products.
Where GDPR or UK GDPR applies, we rely on:
Necessary: session and authentication cookies, security tokens, and your cookie preference itself (stored in local browser storage so we remember your choice).
Analytics (optional): Google Analytics cookies and scripts only after you click “Accept analytics” on our cookie banner. You can choose “Necessary only” to use the site without analytics, or change your mind later via Cookie settings in the footer.
Browser controls can block cookies; some features (sign-in) may not work without necessary cookies.
We use trusted vendors who process data on our instructions, for example:
These providers may process data in the United States or other countries. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) offered by those vendors.
We retain account, client, and statement data while your account is active and for a reasonable period afterward if needed for backups, disputes, fraud prevention, or legal obligations. You may request deletion of your account and associated data via the contact form. Some records may be retained longer if required by law or for legitimate security purposes.
We use industry-standard measures including HTTPS, hashed passwords, access controls, and least-privilege practices for administrative tools. No method of transmission or storage is 100% secure; you are responsible for keeping your credentials confidential and for the lawfulness of data you upload (including merchant statements that may contain third-party information).
Depending on your location, you may have rights to:
To exercise rights, use the contact form from the email address on your account. We may verify your identity before fulfilling requests. You may also lodge a complaint with a supervisory authority if you are in the EEA/UK.
The Service is for business use and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.
We may update this policy as the Service evolves. We will post the revised version on this page with an updated “Last updated” date. Material changes may also be communicated by email or in-product notice when appropriate. Continued use after changes means you acknowledge the updated policy.
See also our Terms of Service. For cookie preferences on this device, use Cookie settings in the site footer.
Use the contact form — we respond to privacy requests as quickly as we can.