Security

Your data, your control.

Finstracker never asks for bank credentials, never sells your data, and gives you a one-click CSV export to walk away with everything.

How we handle your account

Passwords are hashed with bcrypt at cost factor 12 before they ever land on disk. The plaintext password is never logged and never stored; it crosses the wire only inside the signup and login requests themselves.

Auth uses JWT bearer tokens signed with a server-only secret. Tokens expire after 7 days, after which you're bounced back to the login screen.

What we collect

  • A username (you choose it)
  • A bcrypt hash of your password
  • The cards, transactions, and perks you add yourself

That's it. No bank credentials, no email tracking pixels, no third-party analytics SDKs in the app shell.

Privacy policy

We don't sell, share, or rent your data. We don't run ads. We don't profile you for any purpose other than running the app you signed up for.

If you delete your account, every card, transaction, and perk you owned is hard-deleted from our database within 24 hours. There's no soft-delete graveyard.

Google Calendar integration

Finstracker offers an optional "Sync to Calendar" feature that creates reminder events in your Google Calendar for the credit-card perks you're tracking, so you don't miss expiration deadlines. This integration is off by default and only activates if you explicitly click Connect Google in Settings.

What we request: the https://www.googleapis.com/auth/calendar.events scope, which lets us create and update events on your primary Google Calendar, plus openid and email so we can show you which Google account is connected.

What we do with it: when you click Sync to Calendar, we create one all-day event per upcoming perk on its deadline date, with reminders set 7 days and 1 day before. The event description contains the perk title, dollar value, and the card it's attached to. That's the only write we make.

What we do not do: we never read your existing calendar events. We never list, modify, or delete events that Finstracker did not create. We never send Google Calendar data to our servers or to any third party.

Where the access token lives: entirely in your browser's localStorage on the device you connected from. We do not transmit it to our backend. It expires after one hour and is refreshed transparently the next time you sync.

How to revoke: click Disconnect in Settings and the access token is immediately revoked with Google and erased from your browser. You can also revoke access at any time from myaccount.google.com/permissions. Events already created in your calendar remain there (we don't delete your calendar data on disconnect); you can remove them manually from Google Calendar if you wish.
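As an added example (not Finstracker's own code), the following shows what the "Sync to Calendar" write described above looks like as a Google Calendar API v3 request body, and what the Disconnect revocation request looks like. The endpoint URLs, the start.date/end.date, reminders and extendedProperties fields are from Google's Calendar API and OAuth 2.0 documentation; the perk object shape, the finstracker_perk_id tag, the event wording and the sample perk are assumptions made for this example. Nothing here is sent to Google; the functions only build the requests.

```javascript
// Added example, not Finstracker's code. Builds the Calendar API v3 event
// resource for one perk and the OAuth revoke request used on Disconnect.

const DAY_MIN = 24 * 60; // minutes in a day, for reminder offsets

// Add `days` to a YYYY-MM-DD string using UTC so no timezone shift creeps in.
function addDays(isoDate, days) {
  const [y, m, d] = isoDate.split('-').map(Number);
  return new Date(Date.UTC(y, m - 1, d + days)).toISOString().slice(0, 10);
}

// `perk` is an assumed shape: { id, title, valueUsd, card, deadline: 'YYYY-MM-DD' }.
// Returns an Events resource for an all-day event on the deadline with
// reminders 7 days and 1 day before. In the Calendar API an all-day event's
// end.date is exclusive, so a one-day event ends on the following day.
function buildPerkEvent(perk) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(perk.deadline)) {
    throw new Error('deadline must be YYYY-MM-DD');
  }
  return {
    summary: `Perk expires: ${perk.title}`,
    description: `${perk.title} ($${perk.valueUsd.toFixed(2)}) on ${perk.card}`,
    start: { date: perk.deadline },
    end: { date: addDays(perk.deadline, 1) },
    reminders: {
      useDefault: false,
      overrides: [
        { method: 'popup', minutes: 7 * DAY_MIN },
        { method: 'popup', minutes: 1 * DAY_MIN },
      ],
    },
    // Assumed: a private tag so a later sync can recognise events it created
    // itself and never touch anything else on the calendar.
    extendedProperties: { private: { finstracker_perk_id: String(perk.id) } },
  };
}

// The insert call against the primary calendar (the scope on the page covers it).
// Returned as a plain request description; not sent here.
function insertRequest(accessToken, event) {
  return {
    url: 'https://www.googleapis.com/calendar/v3/calendars/primary/events',
    method: 'POST',
    headers: {
      Authorization: `Bearer ${accessToken}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(event),
  };
}

// Google's token revocation endpoint takes the token as a form field.
// After this succeeds the browser copy should be removed from localStorage.
function revokeRequest(accessToken) {
  return {
    url: 'https://oauth2.googleapis.com/revoke',
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: `token=${encodeURIComponent(accessToken)}`,
  };
}

// Constructed sample perk for a stand-alone run.
const samplePerk = {
  id: 42,
  title: 'Airline fee credit',
  valueUsd: 200,
  card: 'Platinum',
  deadline: '2025-12-31',
};
const sampleEvent = buildPerkEvent(samplePerk);

module.exports = { addDays, buildPerkEvent, insertRequest, revokeRequest, samplePerk, sampleEvent };
```

The exclusive end date is the detail most often got wrong: sending end.date equal to start.date is rejected by the API, and sending a date two days later silently makes the reminder a two-day block on the user's calendar.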

Finstracker's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Terms of service

Finstracker is provided as-is. You're responsible for the accuracy of the data you enter. We make a best effort to keep the service available, but for a beta-scale deploy there is no formal SLA.

You may not use Finstracker to track activity that is not yours, or to circumvent any credit card issuer's terms.

Cookies

Finstracker uses one piece of browser storage: a JWT in localStorage so you stay logged in for 7 days. We don't set tracking cookies. We don't use third-party cookies for advertising or analytics.

Known trade-offs

There is no server-side revocation list, so a stolen JWT stays valid until it expires, which can be up to 7 days. For a single-tenant beta deploy we accept that. A multi-tenant production deploy would get short-lived access tokens plus refresh tokens, so a leaked access token is usable for minutes rather than days. Because both the JWT and the Google access token live in localStorage, any script that runs on the Finstracker origin can read them; keeping third-party scripts out of the app shell is what makes that tolerable. The login route also has no rate limiter today, so online password guessing is slowed only by bcrypt's cost; a limiter is on the roadmap.

Reporting a vulnerability

If you find a security issue, please email us directly rather than opening a public issue. We'll respond within 48 hours.

See what your cards are actually doing for you.

30-day Premium trial. No credit card required.

Start your free trial