Security & privacy.
Persistence exists to show you your money — not to take liberties with it. Here is exactly how your financial data is protected, in plain language.
Connecting your bank
Your bank credentials never touch Persistence
Account linking is handled by Plaid, the same connectivity service used by apps like Venmo and American Express. You sign in to your bank inside Plaid's secure window; Persistence never sees, receives, or stores your banking username or password.
What we receive instead is a revocable access token tied only to the data you approved. You can unlink an institution at any time, which invalidates that token.
Read-only by design
Persistence reads balances, transactions, and account metadata to build your dashboard. It cannot move money, make payments, or place trades. Automation features only ever propose actions for you to review.
How your data is stored & moved
- Encrypted in transit — every connection to Persistence (web, desktop, and API) uses TLS/HTTPS. There are no unencrypted endpoints.
- Encrypted at rest — your data lives in a managed PostgreSQL database hosted on infrastructure with disk-level encryption at rest.
- Bank tokens are double-encrypted — the Plaid access tokens that link your accounts are additionally encrypted at the application level (AES-256-GCM) before being stored, so even direct access to the database does not expose a usable token.
- Hashed passwords — if you use email sign-in, your password is stored only as a bcrypt hash. Sign in with Google and we never handle a password at all.
- Short-lived sessions — session access tokens expire after 15 minutes and are renewed via rotating refresh tokens, limiting the value of any intercepted token.
- OS-level key storage — the desktop app stores your session in the Windows Credential Manager (the operating system's keychain), not in a file.
- Signed updates — desktop app updates are cryptographically signed and verified before they install, so an attacker can't impersonate an update.
- Hardened API — every request is authenticated, rate-limited, and served with hardened security headers.
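
To make the "double-encrypted" bullet concrete, here is an added example of application-level AES-256-GCM sealing of a token before it is written to a database column. It is not Persistence's own code. The function names, the stored layout (version, nonce, tag, ciphertext) and the use of user and item ids as associated data are assumptions, as is a 32-byte key held outside the database.

```javascript
// Added example; all names and the storage layout are hypothetical.
const nodeCrypto = require('node:crypto');

const VERSION = 1;     // format byte, leaves room for key or algorithm rotation
const NONCE_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;    // 128-bit authentication tag

// Associated data binds a ciphertext to the row it belongs to, so a blob
// copied into another user's row fails authentication instead of decrypting.
function rowContext(userId, itemId) {
  return Buffer.from(JSON.stringify(['bank_token', String(userId), String(itemId)]), 'utf8');
}

function sealToken(key, token, userId, itemId) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('key must be 32 bytes');
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh random nonce per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(rowContext(userId, itemId));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Column value: version || nonce || tag || ciphertext, base64-encoded
  return Buffer.concat([Buffer.from([VERSION]), nonce, cipher.getAuthTag(), ct]).toString('base64');
}

function openToken(key, stored, userId, itemId) {
  const blob = Buffer.from(stored, 'base64');
  if (blob.length < 1 + NONCE_LEN + TAG_LEN || blob[0] !== VERSION) throw new Error('bad token blob');
  const nonce = blob.subarray(1, 1 + NONCE_LEN);
  const tag = blob.subarray(1 + NONCE_LEN, 1 + NONCE_LEN + TAG_LEN);
  const ct = blob.subarray(1 + NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(rowContext(userId, itemId));
  decipher.setAuthTag(tag);
  // final() throws if the key, the row context, or any stored byte is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns null instead of throwing, for callers that treat failure as "relink needed".
function tryOpen(key, stored, userId, itemId) {
  try { return openToken(key, stored, userId, itemId); } catch { return null; }
}
```

A database dump alone yields only the base64 blobs; without the separately held key they neither decrypt nor survive being moved to a different row.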
AI features
What the AI sees
When you use AI insights or chat, relevant parts of your financial picture (balances, recent transactions, bills, goals) are sent to Anthropic's Claude API solely to generate your answer. Under Anthropic's commercial API terms, that data is not used to train their models.
AI features are optional — the dashboard and HUD work without them.
Privacy practices
- We do not sell your data. No advertisers, no data brokers, no "anonymized" data sales. The business model is subscriptions, full stop.
- Minimal third parties — your data is shared only with the services that make the product work: Plaid (bank connectivity), Anthropic (AI features), and our hosting providers (Railway for the API and database, Vercel for the web app). Google is involved only if you choose Google sign-in.
- Your data is yours — unlink institutions at any time, download a complete export of everything we hold (Sidebar → Account → Export my data), or permanently delete your account and all associated data in-app. Deletion also revokes your bank connections at Plaid.
Reporting a security issue
Responsible disclosure
Found a vulnerability? Email support@persistence.finance or report privately via GitHub vulnerability reporting and we will respond as quickly as possible. Please don't test against accounts that aren't yours.
This page describes the measures in place today and is updated as the product evolves. Persistence is in active development; features like subscriptions and additional regions may introduce new processors, and this page will be updated before they do. Last updated: June 11, 2026.