Security

FinNudge was built with a security-first mindset. We handle read-only access to your financial accounts and take that responsibility seriously. We apply industry-standard encryption, use vetted infrastructure providers, and follow the principle of least privilege throughout our systems.

We never store your bank login credentials. We never initiate transactions on your behalf. And we never share your financial data with advertisers or data brokers.

All data transmitted between your browser (or mobile device) and FinNudge servers is encrypted using TLS 1.2 or higher (Transport Layer Security). This includes:

• All API requests and responses between the FinNudge app and our backend.
• All communication between FinNudge and Plaid's servers when syncing your transaction data.
• All communication between FinNudge and Stripe when processing subscription payments.

We enforce HTTPS across all FinNudge domains and reject plaintext HTTP connections. HTTP Strict Transport Security (HSTS) headers are set to prevent protocol downgrade attacks.

All data stored in our database (including your transaction history, account metadata, and profile information) is encrypted at rest using AES-256. This encryption is managed by our infrastructure provider (Supabase, which runs on AWS). Database backups are also encrypted using the same standard.

FinNudge uses Plaid Technologies, Inc. to connect to your financial institutions. Plaid is a leading financial data infrastructure provider trusted by thousands of apps and millions of consumers.

Key security properties of our Plaid integration:

• We never see your bank credentials.When you link an account, you authenticate directly with your bank through Plaid's hosted Link interface. Your username and password are transmitted only between your browser and Plaid. They never touch FinNudge servers.
• Read-only access. The access token Plaid provides to FinNudge is scoped to read-only access for transaction history and account balances only. FinNudge cannot initiate transfers, pay bills, or make any changes to your financial accounts.
• Encrypted token storage. The Plaid access token we hold (not your bank password, just a revocable API token) is stored encrypted in our database. It cannot be used to access your bank directly.
• You can revoke access at any time. Disconnect a linked account from Settings → Linked Accounts, or revoke access directly at the Plaid Portal. Revocation is immediate and permanent.

FinNudge is hosted on two managed platforms that publish their own security and compliance documentation:

• Supabase (database & authentication): runs on AWS. Row-Level Security (RLS) policies at the database layer ensure that each user can only access their own data. Even a misconfigured API endpoint cannot expose another user's records.
• Vercel (web application hosting): our Next.js application is deployed on Vercel, which runs on AWS infrastructure. Vercel provides edge-layer DDoS protection, automatic TLS certificate management, and isolated deployment environments.

For each provider’s current compliance attestations, see their public trust pages: supabase.com/security and vercel.com/security.

We apply the principle of least privilege throughout our systems:

• Access to production databases is restricted to authorised engineering personnel only, protected by multi-factor authentication (MFA).
• All access to production systems is logged and audited. We review access logs regularly.
• Database Row-Level Security (RLS) ensures that application-level code can only query rows that belong to the authenticated user, providing a second layer of defence beyond application logic.
• API keys and secrets (including Plaid credentials, Stripe keys, and Supabase service keys) are stored in environment secrets management, never in source code or version control.

Your financial data is used solely to power features within your FinNudge account. We do not sell, rent, or trade your personal information or transaction data to any third party, including data brokers, advertisers, financial institutions, or analytics companies. This is an unconditional commitment and is not subject to change based on your subscription tier.

Subscription payments are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor. FinNudge never stores, transmits, or has access to your credit card number, CVV, or bank account details used for payment. All payment card data is tokenised and handled exclusively by Stripe.

We take security reports seriously and appreciate responsible disclosure. If you believe you have found a security vulnerability in FinNudge, please report it to us promptly so we can investigate and remediate it before it is publicly disclosed.

• Email: security@finnudge.money
• Include: a description of the vulnerability, steps to reproduce it, and any proof-of-concept you have. Please do not access, modify, or delete data that belongs to other users.
• Response time: We aim to acknowledge all security reports within 48 hours and provide a remediation timeline within 7 business days.
• Scope: The FinNudge web application at finnudge.money and all associated APIs. Stripe, Plaid, and Supabase have their own responsible disclosure programmes; please report vulnerabilities in their systems directly to them.

We do not have a formal bug bounty programme at this time, but we genuinely appreciate researchers who help make FinNudge more secure.

In the unlikely event of a security incident that affects your personal data, we will notify you promptly at the email address on your account, describe what data was affected, what we are doing to remediate the situation, and what steps you should take to protect yourself. We will also notify relevant regulatory authorities as required by applicable law.

For general security questions that are not vulnerability reports, please contact us at hello@finnudge.money. For vulnerability disclosures, use security@finnudge.money.