Security & Data Handling

Last updated: May 2026

Your 1099-B PDF contains sensitive financial information — broker account numbers, security identifiers, dollar amounts, and dates of every trade. We treat it that way. This page explains exactly what happens to your document from the moment you upload it.

How the conversion works

  1. 1. Upload over HTTPS. Your PDF travels from your browser to our servers encrypted with TLS 1.3. The connection is verified by Let's Encrypt.
  2. 2. Server-side extraction. The PDF is written to a temporary file on our server, parsed for text using the open-source pdf-reader Ruby library, and the extracted text is sent to Anthropic's Claude API for structured transaction extraction.
  3. 3. Immediate PDF deletion. Once extraction finishes, the temporary PDF file is permanently deleted from disk. The original document does not persist beyond the processing window.
  4. 4. Structured data storage. The extracted transactions — security descriptions, dates, proceeds, basis, adjustments — are stored in our database so you can review and download them as CSV, TXF, or Excel.
  5. 5. Download via session cookie or email link. Access to your converted files is controlled by a session cookie tied to your browser, or an optional email link if you provided one.

What we do not do

  • We never ask for your broker login. Unlike TurboTax's auto-import or similar tools, 1099-B Converter only needs the PDF. Your brokerage credentials never leave your control.
  • No human review of your documents. Extraction is fully automated through the Anthropic API. No employee, contractor, or operator opens your PDF or reads your transactions.
  • We do not train AI models on your data. Anthropic's API operates under their commercial terms, which exclude API traffic from training. Your transactions are not used to improve any model.
  • We do not sell, share, or rent your data. Your extracted transactions are visible only to you (via your session) and any party you explicitly forward the download to.
  • We do not require an account. You can use the free tier (3 conversions per month per IP) without creating a login or sharing personal information beyond the PDF you upload.

Third parties involved

  • Anthropic (Claude API) — performs the structured extraction. The text content of your 1099-B PDF is transmitted to Anthropic for processing. Anthropic's commercial API policy excludes this traffic from model training. Anthropic commercial terms.
  • Stripe — payment processing for paid conversions. Card details are sent directly to Stripe and never touch our servers. Stripe privacy policy.
  • Hetzner — server hosting in Hetzner's Ashburn, USA data center. Storage and compute are dedicated to this application; no shared tenancy.
  • Cloudflare Turnstile — bot protection. Turnstile is invoked after the first upload per IP to prevent abuse. It does not see your PDF content.

Encryption and infrastructure

  • HTTPS everywhere. All traffic to 1099bconverter.com is HTTPS. Plain HTTP requests are redirected to HTTPS at the proxy layer.
  • Encrypted database connections. Communication between application servers and the database is over a private Docker network not exposed to the public internet.
  • Server-side processing only. PDF parsing happens in a Linux container on our server. No browser-side JavaScript ever sees your raw PDF content; the upload goes straight to the backend.

What's stored, and for how long

  • Original PDF: deleted immediately after extraction completes. Not retained.
  • Extracted transactions (JSON): stored so you can download them in CSV, TXF, or Excel format. Access is controlled by your session cookie.
  • IP address and user agent: stored for rate-limiting and abuse detection. Not used for marketing or profiling.
  • Email address (optional): only stored if you explicitly provided one for the email-link delivery feature. Not used for marketing.
  • Stripe payment metadata: we store the Stripe payment ID for paid conversions to verify entitlement. Card data is on Stripe, not on our servers.

If you need a specific conversion record permanently deleted, email [email protected] with the conversion ID (visible in the URL of your results page) and we'll process the deletion.

What 1099-B Converter is not

We're an extraction tool, not a tax advisor. A few honest distinctions:

  • We extract what's on the PDF. We do not apply RSU or ESPP cost basis adjustments automatically — those require your broker's supplemental statement and your W-2 income data, which we don't have access to.
  • We do not file your return. The output is a CSV, TXF, or Excel file you upload into TurboTax, TaxAct, H&R Block, or hand to your accountant.
  • We do not validate IRS rules. If your 1099-B has unusual codes or your filing scenario is complex (Section 1256, dual-status NRA, large wash sale activity across accounts), the extraction is accurate but the tax treatment is your decision or your preparer's.

Reporting a security issue

If you discover a vulnerability — anything from authorization issues to data exposure — please email [email protected] with details. We respond to security reports within 48 hours and prioritize fixes ahead of feature work.

Related