Encryption
Bank tokens encrypted at rest
Plaid access tokens are encrypted with AES-256-GCM before being written to the database.
AES-256-GCM — protects Plaid access tokens
Passwords hashed with scrypt
Account passwords are hashed with scrypt, a memory-hard key derivation function. We never store or have access to your plain-text password.
scrypt — protects account passwords
2FA secrets encrypted
TOTP secrets are encrypted with AES-256-GCM. Backup recovery codes are hashed with bcrypt.
AES-256-GCM + bcrypt — protects two-factor authentication
TLS in transit
All traffic between your browser and our servers uses TLS (HTTPS).
TLS — protects all network traffic
Authentication
- Email + password sign-in, with passwords hashed by scrypt.
- Optional TOTP two-factor authentication (Google Authenticator, Authy, 1Password, etc.).
- Backup recovery codes, bcrypt-hashed, shown once at 2FA setup.
- Trusted-device support: remember a device for 30 days so 2FA is not prompted on every login from your own machine.
Data isolation
Every database query is scoped to the authenticated user's ID. There is no shared access to financial data across users unless you explicitly join a household and mark specific accounts as shared. Even within a household, accounts you mark private remain invisible to other members.
Third-party data flow
Every external service WIMM uses and the minimum data it sees. Provider names link to their privacy policies.
| Provider | Role | What they see |
|---|---|---|
| Plaid | Bank connections | Your bank login credentials (entered on Plaid's side; we never see them) and your transactions, which we fetch from Plaid using the access token we store encrypted. |
| Anthropic (Claude) | AI categorization, primary | Transaction merchant name, amount, and date. No account numbers, no personal identifiers. |
| OpenAI (GPT-4o) | AI categorization, fallback | Same as Anthropic — merchant, amount, date only. |
| DeepSeek | AI categorization, tertiary fallback | Same as Anthropic — merchant, amount, date only. |
| PayPal | License payments | Your PayPal email address and a payment confirmation. We never receive your card number or bank details. |
| Resend | Transactional email | Your email address and the contents of password resets, household invitations, and notifications. |
| Vercel | Application hosting | Standard request metadata (IP, user-agent) for serving traffic and short-lived application logs for reliability. |
| Neon | PostgreSQL database hosting | All application data, encrypted at rest at the storage layer in addition to our application-layer encryption. |
| Cloudflare | DNS, TLS, edge protection | Request metadata (IP addresses, timing) used to deliver and protect traffic. No application data. |
| PostHog | Marketing-site analytics | Anonymized page views and marketing events on wimm.money (the public marketing site). The WIMM app itself at app.wimm.money does NOT use third-party analytics. |
Infrastructure
- Application hosting on Vercel with short-lived application logs and no behavioral profiling.
- PostgreSQL database hosted by Neon with encryption at rest at the storage layer, in addition to our application-layer encryption above.
- Cloudflare in front for DNS, TLS, and edge DDoS protection.
- Dependency security: GitHub Dependabot is enabled, and a dependency security audit runs on every CI build.
Responsible disclosure
We welcome responsible disclosure of security issues. Email security@wimm.money with details. We respond within 3 business days and will not pursue legal action against good-faith researchers.
We commit to disclosing any security incident affecting your data within 72 hours, by email and on our security page.