← FocusLedger
Security

Your money data, treated like money.

FocusLedger connects to your bank and knows your spending, so this page states exactly how that data is protected — specifically, not vaguely. Built by a CPA; audited like one.

🏦 We never see your bank credentials

Bank connections run through Plaid, the same infrastructure used by Venmo and American Express. You log in on Plaid's screens — your bank username and password are never sent to, stored by, or visible to FocusLedger.

Our access is read-only: we can see transactions and balances to help you track them. We cannot move money, ever.

🔐 Encryption, at rest and in transit

The access tokens Plaid gives us are encrypted at rest with AES-256-GCM — the same class of encryption banks use. Everything travels over TLS (HTTPS), enforced with strict transport security so connections can't be downgraded.

💳 We never see your card number

Subscription payments run entirely through Stripe's hosted checkout. Your card details go directly to Stripe — they never pass through or get stored on FocusLedger's servers.

🔑 Passwords & sign-in

Passwords are hashed with PBKDF2-SHA512 at 100,000 iterations with a unique 32-byte salt per account — never stored in a recoverable form. Prefer not to have a password at all? Sign in with Google.

Password-reset and account-deletion links are single-use, stored only as SHA-256 hashes, and expire fast (1 hour and 24 hours respectively). Login endpoints are rate-limited against guessing attacks.

📊 Analytics that can't follow you

Inside the app there are no third-party trackers. Our own analytics use an anonymous identifier that is re-scrambled every day (daily-salted hashing), which makes tracking any person across days mathematically impossible — even for us. No analytics cookies.

Honest footnote: our public marketing pages use a standard ad-conversion pixel. Your in-app life — tasks, money, check-ins — is never shared with ad platforms.

🚪 Your data, your exit

Account deletion is self-service — no emails to write, no retention dark patterns. Request it in Settings, confirm via a single-use link, and your data is removed.

Unsubscribing from email is one reply ("no more") and it is honored automatically, immediately, and permanently.

🐛 Found a vulnerability?

Tell us: hello@focusledger.net. Security reports go to the founder directly and get read same-day. We'll credit you (or keep you anonymous — your call) and tell you when it's fixed.

This page describes current practice and is kept in sync with the codebase — when the implementation changes, this page changes in the same release. See also our Privacy Policy and Terms. Questions? hello@focusledger.net.