The short version: your bank connection is read-only and goes through Plaid — SimpleFinances can see transactions to categorize them, but it can never move, send, or withdraw money. Your bank username and password are entered with Plaid and are never stored by SimpleFinances. Sensitive data is encrypted, passwords are hashed, everything travels over HTTPS, and you can delete your data or close your account at any time.
How bank connections work
When you choose to link an account, SimpleFinances uses Plaid, the same bank-connection service used by many major finance apps, to establish the link. The connection is read-only: it retrieves account balances and transaction history so the app can categorize your spending and surface recurring charges. It does not have the ability to initiate transfers, payments, or withdrawals.
You are never required to connect a bank at all. SimpleFinances supports manual entry — you can add accounts and transactions by hand and use the full app without ever linking an institution.
- Bank connections are established and maintained through Plaid.
- Access is read-only — transactions and balances only, no money movement.
- Plaid access tokens are stored encrypted at rest, never in plain text.
- Manual entry is always available if you prefer not to link a bank.
What happens to your bank username and password
You enter your bank credentials inside Plaid's own secure flow, not on a SimpleFinances form. Because of that, SimpleFinances never receives or stores your bank username or password — that login stays between you, Plaid, and your bank. You can unlink a connected institution at any time, both from inside SimpleFinances and directly through your bank.
Encryption
Sensitive fields are encrypted at the database level using AES-256-GCM (an authenticated, industry-standard cipher). Each encrypted value is stored with its own random initialization vector and authentication tag, so identical inputs never produce identical ciphertext and any tampering is detectable. The encryption key is a 256-bit key that, in production, is loaded from a KMS-encrypted secrets store and only ever held in memory — it is never written to disk in plain text alongside the data.
- Field-level encryption of sensitive columns with AES-256-GCM.
- Per-value random IV plus authentication tag (tamper-evident).
- 256-bit key sourced from a KMS-encrypted secure parameter store in production.
- Plaid access tokens and sensitive personal fields are among the values encrypted at rest.
Accounts and passwords
Sign-in is handled through Firebase Authentication (a Google service), including email/password and Google sign-in. When you use a password, it is hashed with bcrypt before storage — SimpleFinances never stores your password in plain text and cannot read it back. Lookup tokens and similar identifiers are hashed with SHA-256 rather than stored in the clear.
HTTPS and browser protections
Every request to SimpleFinances is served over HTTPS/TLS, so data is encrypted in transit between your browser and our servers. The application also sets standard security response headers, including HSTS (forces HTTPS on future visits), X-Frame-Options: DENY (clickjacking protection, so the app can't be embedded in a hostile frame), and X-Content-Type-Options: nosniff.
Deleting your data and closing your account
You are in control of your data. From your account settings you can permanently delete your financial data, and you can close your account entirely. When an account is closed, the teardown revokes every connected Plaid item (so no further data can flow), purges your financial data, removes your user record, and deletes your Firebase authentication login. If you have an active paid subscription, it is canceled and the account teardown completes at the end of the paid period.
- Delete your financial data on demand from account settings.
- Full account closure revokes Plaid access, purges financial data, and deletes your login.
- Paid subscriptions are canceled as part of closing your account.
Needs owner verification Data retention & backups: the exact retention window for backups, server logs, and any records kept for legal or accounting purposes (for example, payment records) after deletion is not stated here and should be confirmed and documented by the owner before this page is treated as a formal policy.
Service providers we rely on
SimpleFinances is built on trusted third-party infrastructure. The providers that handle or process data on our behalf include Plaid (bank connections), Firebase / Google (authentication), Stripe (payments), and cloud hosting infrastructure (Amazon Web Services, with the site delivered through Cloudflare). Payment card details are handled by Stripe and are never stored on SimpleFinances servers.
Needs owner verification Formal certifications & a complete subprocessor list: any claim of SOC 2, ISO 27001, PCI-DSS, or similar compliance certification is not made on this page because it cannot be confirmed from the codebase. If the owner (or a provider on our behalf) holds such certifications and wants them stated, verify and add them here. The provider list above should also be reviewed for completeness (e.g. analytics/marketing tools) before this page is treated as a formal data-processing disclosure.
Reporting a security issue or asking a question
Found a vulnerability, or have a question about how your data is handled? Please get in touch and we'll respond.
Email: [email protected]
Needs owner verification Confirm the preferred security/privacy contact address (a dedicated alias such as [email protected] is recommended over a personal inbox) and any responsible-disclosure or breach-notification commitment you want to publish.
Related: Home · Privacy · Terms · Plans & pricing