Where your data lives, and how it leaves.
Purrfin is built EU-resident, manual-first, and opt-in for everything that touches your bank. Here's what that means in practice.
A management layer over the financial life you already run.
Today, that means typing in transactions yourself, dropping in a CSV, or sharing a statement straight from your bank app. There is no bank connection. Manual entry is the path the app is designed around, not a fallback.
Soon, that will optionally include read-only bank linking. Opt-in per account, region-appropriate, encrypted with an extra layer, transactions only. Until that ships, nothing from your bank reaches Purrfin's servers except what you explicitly send.
Purrfin will never have permission to move money. Bank linking, when it arrives, will be transactions-only, read-only, opt-in per account.
Where your data lives.
Every Purrfin service runs in the EU or UK. Your data is encrypted while it travels and while it sits on disk. An extra layer of encryption for the most sensitive fields is on the roadmap.
App server
EU-hosted
Encrypted in transit
Database
EU-hosted
Encrypted on disk
Authentication
EU-hosted
Sign in with Google or a magic link, no passwords stored
No Purrfin services run outside the EU or UK. Data doesn't cross regions unless you explicitly share it with a third party (see Third Parties below).
Four tiers, in plain English.
Not all data deserves the same protection. Purrfin sorts every piece of data into one of four tiers, so the right controls apply automatically.
Public
Data with no personal component. If this leaked, it would be mildly annoying and nothing more.
Account
The minimum we need to operate the service and reach you. Visible to support staff under strict access controls.
Financial
The data that makes the app useful. In shared groups, transaction descriptions stay between you and the group owner. Account nicknames never leave your device.
Credentials
Credentials that can read from your bank. Purrfin doesn't collect any today. When bank linking ships, tokens live here and nowhere else.
Nadeem Shaik
nadeem@example.comIndigo Otter
Personal details erasedYour name leaves. The history stays.
While you're a member of a shared group, fellow members see your name and avatar. Leave or delete your account, and the transactions in that group keep their amounts and dates so other members' history is intact. Every personal detail about you, though, is permanently erased.
A friendly placeholder name (a colour and animal combination, from a pool of about 1,500) takes your place. The placeholder is consistent within that group, but different across other groups, so nobody can connect the dots between groups you don't share with them.
Past members also keep read-only access to their historical data in a group after leaving. The group switcher labels it (read-only). Their past contributions stay visible to them, and the group's history stays intact for everyone else.
Deletion that actually deletes.
Deletion is confirmed by email. We send you a single-use link, and we never store the link itself, only a one-way fingerprint of it. Once you confirm, the cleanup runs immediately.
Permanently erased
Transaction descriptions (the most sensitive financial data)
Account nicknames
Your email address and display name
Personal budgets and groups that only had you in them
IP addresses and device info from your audit log (cleared at 90 days)
Your audit log itself (cleared at 1 year)
What survives, and why
Transaction amounts and dates inside shared groups, so the math still works for everyone else
A placeholder name in place of yours, so nobody can identify you
Budget categories on shared transactions
If you ever want a copy of your data before deletion, reach out via the in-app support channel. A self-serve data download tool is on the compliance roadmap.
Sign in without a password.
Purrfin uses Google sign-in and magic-link email sign-in. No passwords are stored, ever. Sessions are issued from EU servers and re-verified on every request.
Lock the app. Not your account.
Use your device passkey as an in-app privacy lock, not a sign-in factor. You're already signed in; this is for handing your phone to someone and not wanting them to scroll through your finances.
Passkey re-verify
Face ID, Touch ID, or device PIN. Your choice, separate from sign-in.Every write is recorded.
Every change in Purrfin (created, updated, deleted, member invited, account deleted) is written to a tamper-evident audit log. We use it only to investigate security incidents and prevent fraud.
The audit log is never used for marketing, analytics, or product improvement. IP addresses and device info are cleared after 90 days. The log entry itself is kept for one year, then erased.
Audit log entries
Quiet work, said out loud.
We have open compliance milestones we're not pretending are done. The privacy impact review, an extra encryption layer for sensitive fields, bank linking, and portfolio sharing are all tracked on our roadmap → When they ship, this page will reflect it; until they do, this paragraph is here so you don't have to ask.
Who else sees your data.
We use a small number of trusted services to run Purrfin. Here is the full list. If a vendor isn't on this page, we don't share your data with them. Every service that handles your data is hosted in the EU or UK.
| Service | What it does | Where data goes |
|---|---|---|
Supabase | Sign-in with Google or magic link | EU-hosted |
TwelveData | Market prices and exchange rates | No user data sent |
Resend | Transactional email (invites, deletion confirmation) | Email address only |
Sentry | Error monitoring, with sensitive fields masked before they leave your device | Sensitive fields masked before capture |
AWS | App hosting | UK |
Google Cloud + MongoDB Atlas | Database hosting | EU |
Ready to start? Purrfin is free during beta.