Security
Pennyweight is built so the people who use it never have to worry about who can see their numbers. This page describes how we protect your data.
Bank connections via Plaid
Pennyweight uses Plaid Inc. to connect to your financial institutions. Pennyweight never sees, receives, or stores your bank username or password. Plaid's connection is read-only — it lets us see transactions and balances, never move money or change account settings. You can disconnect any institution at any time, which stops further data retrieval through Plaid for that institution.
Encryption
All traffic between your device and Pennyweight uses TLS 1.2 or higher. Data at rest is stored on Amazon Web Services with KMS-managed encryption. Sensitive fields are additionally encrypted at the application layer.
Authentication
Your account is protected by email and password authentication, with optional time-based one-time passwords (TOTP) for two-factor authentication. Authentication is handled by Clerk, an identity platform that maintains a SOC 2 Type II attestation.
How we use your data
We don't sell your data. We don't share it with advertisers. We don't use it to train machine-learning models that span users. AI features operate only on your own data, in your own session. The full details are in our Privacy Policy.
Reporting a vulnerability
If you believe you've found a security issue, please email security@pennyweight.ai. We'll acknowledge receipt within 48 hours and work with you on a coordinated disclosure. We do not pursue legal action against good-faith security researchers.
