FinanceIQBack to app

Privacy Policy

Last updated: April 2026

We keep this simple and honest

FinanceIQ is a personal finance tool that helps you understand your spending. We take your privacy seriously and have designed the system to collect only what we need to make the app work — nothing more.

What we collect

  • Your email address (used to identify your account and for login)
  • Transaction data parsed from your uploaded statements (merchant names, amounts, dates, categories)
  • Financial goals you set within the app
  • Your category corrections and preferences

What we do NOT collect or store

  • Full bank account numbers or routing numbers
  • Social Security Numbers (SSN) or government IDs
  • Passwords — we store only a secure hash, never the plain text
  • Credit card numbers
  • Online banking credentials

How we protect your data

Encryption at rest. The most identifying data on your transactions and profile is encrypted with AES-256-GCM before being stored in our database. This includes merchant names, transaction categories, your financial-profile dollar fields (rent, debt totals, etc.), and your free-text financial concerns. Even if a database backup were ever exposed, this content would be unreadable without our encryption key.

Encryption in transit. All traffic between your browser and our servers is protected by TLS 1.3.

Passwords are hashed using bcrypt. We never store plaintext passwords and cannot recover them; password reset is the only path.

Authentication uses httpOnly cookies that cannot be accessed by JavaScript, mitigating common web attacks. Sessions expire automatically after 15 minutes of inactivity, and accounts lock after 5 failed login attempts.

PII scrubbing. Before we store transaction descriptions, we redact patterns that look like Social Security Numbers and long account numbers. Combined with the parser's design (which never reads account-header sections of statements) and at-rest encryption, this gives three layers of defense against accidental PII storage.

Third parties we use

FinanceIQ runs on a small set of trusted service providers. We share only the minimum data needed and never sell or rent your information.

  • Anthropic (Claude AI): Generates personalized recommendations. We send aggregated category totals, your financial profile, and your goals — never your raw transaction descriptions or merchant names.
  • Stripe: Processes Pro subscription payments. Stripe handles all card data directly; we only see a customer identifier.
  • Resend: Delivers password-reset and account emails. Receives only your email address and the reset link.
  • Railway: Hosts our backend, frontend, and database. All data is stored within Railway in encrypted form as described above.

Uploaded files are deleted after parsing

When you upload a PDF or CSV bank statement, we process it to extract transaction data and then immediately delete the original file. We do not store your raw bank statement. Only the parsed transaction records are retained in our database.

Data sharing

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. We may use third-party infrastructure services (hosting, database) that process data on our behalf under strict confidentiality agreements.

Deleting your account and data

You can delete your account at any time from the Settings page. When you delete your account, all of your data is permanently and irreversibly deleted, including your email, all transaction records, goals, and recommendations. This cannot be undone.

Contact

If you have questions about this privacy policy or how we handle your data, please contact us at: shapiro.ste@northeastern.edu