Security & trust
A forecasting tool earns the right to your numbers by never putting them at risk. Here, in plain terms, is how we hold that line — and an honest account of what we do not yet claim.
The short version. ProFinanceCast never asks for your bank password and cannot see your accounts. The figures you enter are encrypted on your own device before they ever reach us. We don't sell your data, we don't show ads inside the app, and we never use your numbers to train AI. You can export or erase everything in two clicks.
No bank connection — by design
Most finance apps ask you to link your bank through an aggregator. That hands a third party your live banking credentials and a permanent read-only key to your accounts. We made the opposite choice on purpose: there is no bank link to compromise, because there is no bank link at all. You enter your income, debts, and goals by hand (or paste a CSV), and the model forecasts from there. If our database were ever breached, an attacker would find encrypted figures you typed — never a route into your actual money.
Your numbers are encrypted before they leave your browser
Your forecast inputs are encrypted on your device with AES-256-GCM and held locally in localStorage and IndexedDB before any server contact. In transit, everything moves over TLS 1.3. At rest on the server, your financial records sit in isolated, access-controlled tables protected by database row-level security, so one account can never read another's.
The math runs in your browser
Your forecast is computed locally, on your own machine — not round-tripped to a server on every slider drag. That's faster, it works the instant the page loads, and it means the heavy lifting on your figures happens where you can see it, under your control.
What we never do
- We never sell your personal or financial data to anyone.
- We never share your financial figures (income, expenses, savings, debts, goals) with advertisers — they're never used to target ads, and ads never run inside the logged-in app.
- We never use your data to train AI models — ours or anyone else's.
- We never email you marketing you didn't explicitly opt into.
The ground we build on
We run on infrastructure that carries its own independent certifications — and we're careful to attribute those correctly (they belong to our providers, not to us):
- Supabase — database, authentication, and storage; SOC 2 Type II, GDPR-compliant, hosted in an EU region.
- Vercel — hosting and serverless functions; SOC 2.
- PayPal — PCI-DSS Level 1 payment processing. Your card never touches our servers.
- Error monitoring (Sentry) is configured to scrub financial figures, user IDs, and emails before anything leaves your browser. Analytics (Plausible, Cloudflare) are cookie-free and collect no personal data.
The full list of sub-processors, with their Data Processing Agreements, lives in our privacy policy.
Sage AI: what it sees, and what it forgets
When you ask Sage a question, it sends the AI provider (Groq, with Google Gemini as fallback) your query, the recent conversation, and your profile figures so it can answer usefully. Under the API terms we operate on, those prompts and answers are retained only long enough to reply and are not used to train the models. Sage is a feature you choose to use — if you never ask it anything, your figures are never sent to an AI provider.
You stay in control
- Export everything as CSV or JSON — Settings → Data → Export.
- Delete your account and all associated data — Settings → Data → Delete account, processed within 24 hours.
- Turn off the email digest or any optional processing — Settings → Notifications.
- Your full GDPR rights — access, correction, portability, objection, restriction, and the right to complain to your data-protection authority — are detailed in the privacy policy.
What we don't claim
Trust is easier to earn by being straight about the edges. So, plainly:
- ProFinanceCast is not itself SOC 2 certified. Our infrastructure providers are; we are a small independent operation and have not yet commissioned our own audit.
- We have not yet commissioned a third-party penetration test. When we do, we'll publish the summary here.
- We are not a regulated financial-services firm and give no investment advice — ProFinanceCast is a forecasting and educational tool.
- No system is unbreakable. We follow industry best practice and review our security on each material release, but we will never tell you risk is zero.
If any of the above changes, this page changes with it.
Found a vulnerability?
We're grateful for responsible disclosure. If you believe you've found a security issue, email us with the details and steps to reproduce — please give us a reasonable window to fix it before any public disclosure.
Report a security issue: email support@profinancecast.com with the subject line "Security report". We aim to acknowledge within 2 business days. For privacy and data requests, write to privacy@profinancecast.com.