Security

Trust & Security

How we protect your data and money

How we protect your data

We never see your bank login details. Bank connections are handled securely by Plaid, an FCA-authorised provider.
We store no names, email addresses, or personally identifiable information in our database.
All data is encrypted in transit (TLS) and sensitive credentials are encrypted at rest using Google Cloud KMS.
Your data is hosted in Google Cloud's European data centres (europe-west1).
You can export all your data or delete your account at any time from Settings.

Regulatory status

PennyPath is a personal finance tracking tool. It does not provide financial advice, investment advice, or credit broking services.

Bank account connections are provided through Plaid Financial Ltd, which is authorised and regulated by the Financial Conduct Authority (FRN 804718) as an Authorised Payment Institution for Account Information Services.

PennyPath does not hold your money, provide credit, or make transactions on your behalf. Your funds remain with your bank at all times.

Third-party services

We use a small number of trusted services to operate PennyPath. Here is exactly what each one does and where your data is processed:

Service	Purpose	Region
Firebase Auth (Google)	Account sign-in and authentication	EU/US
Google Cloud Platform	Application hosting, database, encryption	EU
Plaid Financial Ltd	Bank account connections (FCA authorised)	UK
PostHog	Anonymous product analytics (with your consent)	EU
Resend	Email delivery (bill reminders, welcome email)	US
Google Fonts	Typography (Inter typeface)	Global CDN

Complaints

If you are unhappy with any aspect of PennyPath, please contact us at security@pennypath.co.uk. We aim to acknowledge complaints within 2 business days and resolve them within 8 weeks.

Security disclosures