Privacy by default. Your data stays put. Purrfin is fully usable without ever connecting a bank. Bank linking is opt-in and on the roadmap. How we handle your data →

Security & privacy

Where your data lives, and how it leaves.

Purrfin is built EU-resident, manual-first, and opt-in for everything that touches your bank. Here's what that means in practice.
What Purrfin is

A management layer over the financial life you already run.

Today, that means typing in transactions yourself, dropping in a CSV, or sharing a statement straight from your bank app. There is no bank connection. Manual entry is the path the app is designed around, not a fallback.

Soon, that will optionally include read-only bank linking. Opt-in per account, region-appropriate, encrypted with an extra layer, transactions only. Until that ships, nothing from your bank reaches Purrfin's servers except what you explicitly send.

Purrfin will never have permission to move money. Bank linking, when it arrives, will be transactions-only, read-only, opt-in per account.

Infrastructure

Where your data lives.

Every Purrfin service runs in the EU or UK. Your data is encrypted while it travels and while it sits on disk. An extra layer of encryption for the most sensitive fields is on the roadmap.

App server

EU-hosted

Encrypted in transit

Database

EU-hosted

Encrypted on disk

Authentication

EU-hosted

Sign in with Google or a magic link, no passwords stored

No Purrfin services run outside the EU or UK. Data doesn't cross regions unless you explicitly share it with a third party (see Third Parties below).

Data classification

Four tiers, in plain English.

Not all data deserves the same protection. Purrfin sorts every piece of data into one of four tiers, so the right controls apply automatically.

1

Public

Data with no personal component. If this leaked, it would be mildly annoying and nothing more.

ExamplesMarket data, expense category names
EncryptionEncrypted in transit and on disk
On deletionNo personal info, nothing to delete
2

Account

The minimum we need to operate the service and reach you. Visible to support staff under strict access controls.

ExamplesYour email address, audit log metadata
EncryptionEncrypted on disk
On deletionKept while your account is active, cleared when you delete it
3

Financial

The data that makes the app useful. In shared groups, transaction descriptions stay between you and the group owner. Account nicknames never leave your device.

ExamplesTransaction descriptions, account nicknames, budget names
EncryptionEncrypted on disk today, with an extra layer on the roadmap
On deletionPermanently erased when you delete your account
4

Credentials

Credentials that can read from your bank. Purrfin doesn't collect any today. When bank linking ships, tokens live here and nowhere else.

ExamplesFuture bank-linking tokens (not yet collected)
EncryptionExtra encryption layer from day one
On deletionNever logged. Never included in data downloads.
Before
NS

Nadeem Shaik

nadeem@example.com
Active member
Lodging · ¥120,000
Food · ¥38,400
Transit · ¥12,000
account deleted
After
IO

Indigo Otter

Personal details erased
Placeholder name
Lodging · ¥120,000
Food · ¥38,400
Transit · ¥12,000
Shared groups and your privacy

Your name leaves. The history stays.

While you're a member of a shared group, fellow members see your name and avatar. Leave or delete your account, and the transactions in that group keep their amounts and dates so other members' history is intact. Every personal detail about you, though, is permanently erased.

A friendly placeholder name (a colour and animal combination, from a pool of about 1,500) takes your place. The placeholder is consistent within that group, but different across other groups, so nobody can connect the dots between groups you don't share with them.

Past members also keep read-only access to their historical data in a group after leaving. The group switcher labels it (read-only). Their past contributions stay visible to them, and the group's history stays intact for everyone else.

Account deletion

Deletion that actually deletes.

Deletion is confirmed by email. We send you a single-use link, and we never store the link itself, only a one-way fingerprint of it. Once you confirm, the cleanup runs immediately.

Permanently erased

Transaction descriptions (the most sensitive financial data)

Account nicknames

Your email address and display name

Personal budgets and groups that only had you in them

IP addresses and device info from your audit log (cleared at 90 days)

Your audit log itself (cleared at 1 year)

What survives, and why

Transaction amounts and dates inside shared groups, so the math still works for everyone else

A placeholder name in place of yours, so nobody can identify you

Budget categories on shared transactions

Shared transactions survive only where the group still has active members who rely on that history. Your name is replaced by your placeholder name. Once the group has no active members, those records go too.

If you ever want a copy of your data before deletion, reach out via the in-app support channel. A self-serve data download tool is on the compliance roadmap.

Authentication

Sign in without a password.

Purrfin uses Google sign-in and magic-link email sign-in. No passwords are stored, ever. Sessions are issued from EU servers and re-verified on every request.

Google OAuthFederated sign-in via your Google account
Magic linkSingle-use link emailed to you, no password required
Privacy lock
Optional

Lock the app. Not your account.

Use your device passkey as an in-app privacy lock, not a sign-in factor. You're already signed in; this is for handing your phone to someone and not wanting them to scroll through your finances.

Passkey re-verify

Face ID, Touch ID, or device PIN. Your choice, separate from sign-in.
Audit trail

Every write is recorded.

Every change in Purrfin (created, updated, deleted, member invited, account deleted) is written to a tamper-evident audit log. We use it only to investigate security incidents and prevent fraud.

The audit log is never used for marketing, analytics, or product improvement. IP addresses and device info are cleared after 90 days. The log entry itself is kept for one year, then erased.

Audit log entries

TRANSACTION_CREATEDYou · just now
BUDGET_UPDATEDPartner · 2 min ago
MEMBER_INVITEDYou · 1 hr ago
BUDGET_GROUP_CREATEDYou · yesterday
Device info cleared at 90 days · entry erased at 1 year
Open work

Quiet work, said out loud.

We have open compliance milestones we're not pretending are done. The privacy impact review, an extra encryption layer for sensitive fields, bank linking, and portfolio sharing are all tracked on our roadmap → When they ship, this page will reflect it; until they do, this paragraph is here so you don't have to ask.

Shipped
Tamper-evident audit log on every changePhase 0
Shipped
Email-confirmed account deletion with full cleanupPhase 0
Shipped
EU-only data hosting confirmedPhase 0
Shipped
Sensitive details split from transaction and account recordsPhase 1
Shipped
Sharing roles, placeholder names, and past-member read accessPhase 2
Planned
Privacy impact review completePhase 3
Planned
Extra encryption layer for the most sensitive fieldsPhase 3
Planned
Bank account linking (read-only, opt-in, region-appropriate)Phase 4
Planned
Portfolio sharing with role-based visibility on cost basisPhase 5
Planned
EU compliance representative, data download tool, security incident proceduresOperational
Third parties

Who else sees your data.

We use a small number of trusted services to run Purrfin. Here is the full list. If a vendor isn't on this page, we don't share your data with them. Every service that handles your data is hosted in the EU or UK.

ServiceWhat it doesWhere data goes

Supabase

Sign-in with Google or magic link

EU-hosted

TwelveData

Market prices and exchange rates

No user data sent

Resend

Transactional email (invites, deletion confirmation)

Email address only

Sentry

Error monitoring, with sensitive fields masked before they leave your device

Sensitive fields masked before capture

AWS

App hosting

UK

Google Cloud + MongoDB Atlas

Database hosting

EU

Ready to start? Purrfin is free during beta.

Security & Privacy — Purrfin · Purrfin