May 30, 2026

How to Evaluate a Finance App's Security Before You Trust It With Your Bank

Five concrete questions to ask any finance app before you connect your bank or share your transactions. Plus how WIMM answers each one in defensible, specific terms.

Connecting a bank account to a finance app is one of the most consequential digital decisions most households make. The app gets a live feed of your spending, your balances, often your income, and a path to your bank that should be tightly controlled. Most apps treat this like signing up for a newsletter. They should not.

This article is a five-question checklist for any finance app you are considering, from WIMM to YNAB to whatever the next hot fintech is. The questions work even if you never use WIMM. For each one, we show what a good answer looks like, what a bad answer looks like, and how WIMM answers it.

If you read only one section, read the last one (The pattern).

Question 1: What specific encryption do you use, and where does it apply?

Bad answer: "Bank-grade encryption" or "military-grade encryption." This is marketing jargon. It does not name an algorithm and it does not name what gets encrypted.

Good answer: A specific algorithm name (AES-256-GCM, ChaCha20-Poly1305) and the specific fields it protects (bank tokens, 2FA secrets, API keys). Bonus points if they name a separate password hashing algorithm (scrypt, argon2id, or bcrypt). Passwords should never be encrypted; they should be hashed, which is a one-way operation that even the company itself cannot reverse.

How WIMM answers: AES-256-GCM for Plaid access tokens and TOTP secrets. Scrypt for passwords. Bcrypt for backup recovery codes. TLS for all traffic between your browser and our servers. Every algorithm by name. Every protected field by name. The full breakdown is on /security.
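To make the "hashed, not encrypted" half of the Question 1 good answer concrete, here is an added example of scrypt password storage using only the Python standard library; it is illustration written for this article, not WIMM's code, and the work factors and record format are choices assumed here.

```python
# Added example: the "hashed, not encrypted" password handling from Question 1,
# using scrypt from the Python standard library. Work factors and the stored
# record format are example choices made here, not any vendor's settings.
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: N (CPU/memory cost), r (block size), p (parallelism).
# Memory per hash is about 128 * N * r bytes: 16 MiB here, inside hashlib's default limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per password
KEY_LEN = 32    # bytes of derived hash


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (base64 fields).
    A fresh random salt per password means two users with the same password
    get different records, so a leaked table cannot be attacked in bulk."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the parameters stored in the record and compare
    in constant time. Storing N/r/p in the record lets the server raise work
    factors later without invalidating existing records."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    n, r, p = (int(x) for x in parts[1:4])
    salt, expected = base64.b64decode(parts[4]), base64.b64decode(parts[5])
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                   # False
```

The stored record holds the salt and parameters but never the password, which is why a database leak yields nothing directly usable, unlike a leaked encryption key for a reversibly encrypted field.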

Question 2: Who actually sees my bank login?

Bad answer: Vague language about "secure bank connections" with no further detail. If the app cannot tell you who handles the bank-login handshake, assume it might be them, and ask why.

Good answer: A named third-party intermediary that owns the credential flow, and an explicit statement that the app itself never sees or stores your bank password.

How WIMM answers: Plaid handles the bank-login flow. Your bank password goes directly from your browser to Plaid, the same service that powers Venmo, Robinhood, and most modern fintech apps. WIMM receives an encrypted access token, not your credentials. We can pull your transactions with that token, but we cannot log into your bank as you. If the access token is ever compromised, you revoke it from your bank's app and the connection breaks immediately.

Question 3: Who else sees my transactions?

This question matters because finance apps with AI features often send your transactions to OpenAI or another AI provider. That is not inherently bad if it is done right. It is bad when it is done without disclosure.

Bad answer: Silence on the question, or vague references to "AI partners" without naming them.

Good answer: A named list of every external service that touches your transaction data, the minimum fields each one receives, and a link to each provider's privacy policy. You should be able to map every external service to a specific purpose.

How WIMM answers: A complete third-party data flow table on /security. Anthropic (Claude), OpenAI (GPT-4o), and DeepSeek each receive only the merchant name, amount, and date when categorizing a transaction. No account numbers, no personal identifiers, no balances. PayPal sees payment confirmations. Resend sees the contents of transactional emails. Vercel hosts the app. Neon hosts the database. Cloudflare handles edge traffic. Nine providers total, each with a direct link to their own privacy policy.

Question 4: Can I get my data out, and can I close my account?

Bad answer: "Contact support" or, worse, no answer at all. If you cannot find an export feature and cannot find an account-deletion path, that is the answer.

Good answer: A documented data-export feature (CSV at minimum, ideally PDF or JSON), a documented account-deletion path with a stated timeframe, and a written commitment about what happens to backups.

How WIMM answers: CSV and PDF export from inside the app at any time. Account deletion by email to privacy@wimm.money, with the request acknowledged within 7 days and completed within 30 days. If WIMM ever shuts down, every user receives a final export and 90 days of read-only access before the service is taken offline. The full policy is at /legal/privacy.

Question 5: What happens if you get breached?

Bad answer: Nothing publicly stated. Or, vaguely, "we take security seriously." Every company says they take security seriously. What they do when something goes wrong is the actual signal.

Good answer: A stated time window for breach disclosure, a stated channel (email plus a public page), and a documented intake address for security researchers (a responsible-disclosure policy). Most US states require disclosure within a specified time anyway. A public commitment shorter than the legally required window tells you the company has thought about this in advance instead of improvising under pressure.

How WIMM answers: A public commitment to disclose any security incident affecting your data within 72 hours, by email and on our security page. Reports of security issues go to security@wimm.money. We respond within 3 business days and we do not pursue legal action against good-faith researchers. The full statement is on /security.

The pattern

Notice what good answers have in common. They are specific. They name algorithms, providers, time windows, dollar amounts, and contact points. Bad answers stay vague on purpose, because vagueness is what lets a company change its behavior later without breaking a stated promise.

If you read a finance app's security pitch and walk away with only feelings (warm, fuzzy, reassured) and no facts (algorithms, providers, days, dollars), that is itself the signal. Real security writeups look more like a technical reference than a brochure.

This applies to budgeting apps, banks, brokerages, tax software, and any other product that holds your financial data. The five questions above are not WIMM-specific. They are the questions everyone should ask.

How WIMM measures up

We tried to build a /security page that earns a clean answer on every one of these questions. Specific algorithms, named providers, documented commitments, public mailbox. The Plaid handshake means we never see your bank login. The AI providers see only what they need for categorization. Your data is exportable at any time. Account deletion is documented. Breach disclosure has a stated window.

We are a small one-person team based in the US. We do not run ads, sell data, or use behavioral tracking inside the WIMM app. Our marketing site (this one, wimm.money) uses anonymized PostHog page-view analytics for product improvement. We disclose that on /security alongside everything else, because the distinction between "app" and "marketing site" matters and we would rather over-disclose than under-disclose.

The point of writing this article is not to claim WIMM is the only honest option. It is to give you a framework to evaluate any tool you are considering, including ours. If we ever stop being honest about any of the five questions above, you now have the criteria to call us on it.

Try it without committing anything

You can explore WIMM end-to-end without an account at app.wimm.money/demo. No bank connection, no card on file, no email required. The demo populates with sample data so you can click around the budgets, the bills, the transactions, and the dashboards. None of your real financial data is involved.

When you are ready to read the full security commitments before signing up, wimm.money/security consolidates every claim in this article (and more) into one scannable page.

Try WIMM today

The demo loads with realistic data and no signup. See what this article describes in action.