Security

Effective: April 14, 2026 · Last updated: April 14, 2026

FinContext handles sensitive financial data. This page explains how the service is designed to protect that data. Our philosophy: assume the worst, minimize what we store, and make the service incapable of moving money.

Read-Only Bank Access

FinContext connects to your bank accounts through Plaid using read-only scopes. The service can see balances, transactions, and account metadata, but it cannot initiate transfers, send payments, or modify your accounts in any way. This is not a policy we follow. It is an architectural limit.

Authorized AI assistants (via MCP) may update transaction labels (merchant name and category overrides) that FinContext stores locally on your behalf. These labels do not propagate back to your bank. No MCP operation can move money or alter bank-provided data.

Encryption

Sensitive credentials (such as Plaid access tokens) are encrypted at the application level before they reach the database, using a key that is not accessible to the database itself. Encryption keys support zero-downtime rotation: prior ciphertext remains readable during a configured rotation window while new writes use the current key. All data is also encrypted at rest by our cloud infrastructure provider, and all data in transit is protected by TLS. We never log, display, or export Plaid access tokens.
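The key-versioning scheme the paragraph above describes (ciphertext tagged with the key that produced it, a retired key that stays readable only inside a rotation window, rows lazily re-encrypted under the current key) is shown here as an added illustration. This is not FinContext's code, and it assumes nothing about their key store. To stay dependency-free it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD; a production service would swap that pair for AES-GCM or ChaCha20-Poly1305 from a vetted library and keep only the versioning and rotation logic.

```python
"""Application-level encryption of a stored secret with versioned keys and a rotation window.

Added example (not FinContext's implementation). The cipher is a stdlib stand-in for a
real AEAD; the part worth copying is the key-id header, the rotation window, and the
lazy re-encryption on read.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

KEY_ID_LEN = 4    # big-endian unsigned key id prefixed to every ciphertext
NONCE_LEN = 16
TAG_LEN = 32      # HMAC-SHA256 tag


@dataclass
class KeyRing:
    """Keys the application holds; the database only ever sees the ciphertext blobs."""
    keys: dict[int, bytes]                 # key_id -> 32-byte master key
    current_id: int                        # key used for all new writes
    rotation_window: float                 # seconds a retired key remains readable
    retired_at: dict[int, float] = field(default_factory=dict)  # key_id -> retirement time


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys so the two roles never share key material
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a real cipher: HMAC-SHA256 over (nonce || counter) used as a PRF keystream
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(ring: KeyRing, plaintext: bytes) -> bytes:
    """Encrypt under the current key. Layout: key_id || nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(ring.keys[ring.current_id])
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = struct.pack(">I", ring.current_id) + nonce
    # Encrypt-then-MAC over header and ciphertext, so the key id itself is authenticated
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt(ring: KeyRing, blob: bytes, now: float) -> tuple[bytes, int]:
    """Decrypt, accepting a retired key only inside the rotation window.

    Returns (plaintext, key_id) so the caller can tell whether the row is stale.
    """
    if len(blob) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    key_id = struct.unpack(">I", blob[:KEY_ID_LEN])[0]
    if key_id not in ring.keys:
        raise ValueError(f"unknown key id {key_id}")
    if key_id != ring.current_id:
        retired = ring.retired_at.get(key_id)
        if retired is None or now - retired > ring.rotation_window:
            raise ValueError(f"key id {key_id} is outside the rotation window")
    enc_key, mac_key = _subkeys(ring.keys[key_id])
    header = blob[:KEY_ID_LEN + NONCE_LEN]
    ct, tag = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare, checked before decrypting
        raise ValueError("authentication failed")
    nonce = header[KEY_ID_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt, key_id


def rotate(ring: KeyRing, new_key: bytes, now: float) -> int:
    """Install a new current key; the previous key stays readable for rotation_window seconds."""
    ring.retired_at[ring.current_id] = now
    new_id = max(ring.keys) + 1
    ring.keys[new_id] = new_key
    ring.current_id = new_id
    return new_id


def reencrypt_if_stale(ring: KeyRing, blob: bytes, now: float) -> bytes:
    """Zero-downtime migration: a row read under a retired key is rewritten under the current key."""
    pt, key_id = decrypt(ring, blob, now)
    return blob if key_id == ring.current_id else encrypt(ring, pt)
```

The rotation window does the real work: once `now - retired_at[key_id]` exceeds it, a blob still carrying the old key id is refused rather than silently decrypted, which is what turns "we rotated" into an enforceable statement. A background job that walks the table calling `reencrypt_if_stale` before the window closes is what keeps that refusal from ever firing on live data.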

Database Access & Tenant Isolation

Each user's data is isolated at the database layer. Queries that touch financial data are scoped to the authenticated user's identity, enforced both at the application level and at the database level. Privileged database operations require an elevated role that the running service does not hold.

No Plaintext Credentials

We never see your bank username or password. When you link a bank, credentials go directly from you to Plaid. Payment data is handled entirely by Stripe; we do not collect or receive card numbers, last-4 digits, card brand, expiry, or any other card metadata from Stripe. We receive only a Stripe customer ID, a subscription ID, and subscription status. Your FinContext account password is hashed with a modern password hashing algorithm before storage.

Account & Data Deletion

You can delete your account at any time from account settings. Deletion removes your account record, Plaid access tokens, and associated financial data. Stripe retains payment records separately as required by financial regulations. Server logs are purged after 30 days.

Incident Response

If we become aware of a security incident affecting your account, we will notify you by email without unreasonable delay and in any event within 72 hours of becoming aware of the incident, along with a description of what happened and what you should do. We will also notify regulators as required by applicable law.

Reporting a Security Issue

Found a vulnerability? We appreciate responsible disclosure. Email [email protected] with a description of the issue and steps to reproduce. Please allow us reasonable time to fix the issue before public disclosure.
