[muchcomment]

I fiddled with an SPA for personal finance, and I used the js file API in combination with a <input type="file" /> to load a local file and Papa Parse [1] to parse the CSV. You could do all this stuff client side, then push the non-sensitive information (like spending category, date and amount) to your API.

There's a lot you can do frontend and keep your backend simple/stupid. If you host the data in Google Drive or Dropbox, you wouldn't be responsible at all for the potentially sensitive information.

1: http://papaparse.com/