How We Keep Your Financial Data Safe
A deep dive into our security practices, from bank-level encryption to our privacy-first approach.
When you connect your bank accounts to any app, you're trusting that company with sensitive information. We take that trust seriously. This article explains exactly how we protect your data—no marketing fluff, just the technical details.
The Short Version
- Read-only access – We cannot move your money. Period.
- We never see your login – You authenticate directly with your bank.
- Everything is encrypted – AES-256 at rest, TLS in transit.
- You are the customer – We make money from subscriptions, not your data.
How Bank Connections Work
WIMD uses Plaid and SimpleFin to connect to your bank. Here's what happens when you link an account:
- You authenticate with your bank – Through Plaid or SimpleFin's secure interface, not ours. We never see your username or password.
- Your bank issues a token – This token gives us read-only access to your transactions and balances. We cannot initiate transfers, payments, or any other actions.
- We store the token securely – The token is encrypted with AES-256-GCM before it ever touches our database.
- We fetch your transactions – Using the token, we pull transaction data. We only receive the information needed to display your accounts—never full account numbers.
Encryption Standards
All sensitive data is encrypted:
- At rest: AES-256 encryption—the same standard used by banks and government agencies
- In transit: TLS 1.3 for all connections between your browser, our servers, and third-party services
- Database: Encrypted storage with keys managed through secure key management systems
What About AI?
We use AI to categorize your transactions. Here's exactly what we send to AI providers:
What we send
- Transaction descriptions (merchant names)
- Transaction amounts
- Your category names
What we never send
- Your name or email
- Account numbers or balances
- Transaction dates or patterns that could identify you
- Any data linking transactions to your identity
The AI processes data in real-time and doesn't store it. We use providers that are explicitly opted out of using customer data for model training.
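One way to enforce the "what we send / what we never send" split is to build the outgoing request from an allowlist of fields. The following Python is an added example, not WIMD's code; the record field names, the shuffling step and the per-request ref numbers are assumptions made for illustration.

```python
import random

# Constructed sample records; the field names are assumptions for this example.
SAMPLE_TXNS = [
    {"id": "txn_001", "user_email": "alex@example.test", "account": "ACCT-0001",
     "balance": 910.44, "date": "2024-03-01", "description": "CORNER MARKET", "amount": 54.20},
    {"id": "txn_002", "user_email": "alex@example.test", "account": "ACCT-0001",
     "balance": 907.69, "date": "2024-03-02", "description": "CITY TRANSIT", "amount": 2.75},
]
SAMPLE_CATEGORIES = ["Groceries", "Transport"]

# Allowlist: the only per-transaction fields that may leave the service.
ALLOWED_FIELDS = ("description", "amount")

def build_ai_request(transactions, category_names, rng=None):
    """Return (payload, index_map); only payload is sent, index_map stays local."""
    rng = rng or random.SystemRandom()
    order = list(range(len(transactions)))
    rng.shuffle(order)  # assumption: hide chronological order within the batch
    items, index_map = [], {}
    for ref, src in enumerate(order):
        txn = transactions[src]
        item = {"ref": ref}  # per-request number, not a stored identifier
        item.update({field: txn[field] for field in ALLOWED_FIELDS})
        items.append(item)
        index_map[ref] = txn["id"]
    return {"categories": list(category_names), "items": items}, index_map

def apply_ai_response(rows, index_map, category_names):
    """Map provider output back to internal ids, ignoring anything unexpected."""
    allowed = set(category_names)
    assigned = {}
    for row in rows:
        ref, category = row.get("ref"), row.get("category")
        if not isinstance(ref, int) or ref not in index_map:
            continue  # reference we never issued
        if not isinstance(category, str) or category not in allowed:
            continue  # category the user does not have
        assigned[index_map[ref]] = category
    return assigned
```

Because the payload is built from an allowlist instead of by deleting known-sensitive fields, a column added to the transaction record later is excluded by default.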
Authentication Security
Your WIMD account is protected by:
- Secure password hashing – We use bcrypt with high work factors. We cannot see your password.
- Two-factor authentication – Optional but recommended. Adds a second layer of protection.
- Session management – Sessions expire automatically. Suspicious activity triggers re-authentication.
- Rate limiting – Protection against brute-force attacks on login.
Our Business Model Protects You
This matters more than you might think. Many "free" financial apps make money by selling your data to advertisers, lenders, or data brokers. When the product is free, you're the product.
WIMD is different. We charge a subscription. That's how we make money. Your data isn't our product—our software is. This alignment means we have no incentive to share, sell, or monetize your financial information.
We Will Never
- Sell your data to third parties
- Share your information with data brokers
- Show you targeted ads based on your finances
- Use your data to train AI models for other purposes
Third-Party Services
We use trusted partners to run WIMD. Each has access only to the data they need:
- Plaid/SimpleFin – Bank connections (transaction data)
- Stripe – Payment processing (billing info only, we never see card numbers)
- OpenRouter/Google – AI categorization (anonymized transaction descriptions only)
- Resend – Email delivery (email addresses for account notifications)
For complete details on each service, see our Security page.
What You Can Do
Security is a shared responsibility. Here's how you can help protect your account:
- Use a strong, unique password – Don't reuse passwords from other sites.
- Enable two-factor authentication – It takes 2 minutes to set up and significantly increases security.
- Keep your email secure – Your email is used for password resets. Protect it.
- Review connected accounts – Periodically check what's connected and remove any you no longer use.
Questions?
Security isn't something we ship once and forget. If you have questions about how we handle your data, or if you notice anything that doesn't look right, contact us at [email protected].