← Back to Financial Autopsy
Legal

Privacy Policy

Financial Autopsy is built privacy-first. This policy explains exactly what data we collect, how we use it, and the steps we take to keep it safe.

Last updated: March 2026

1. What we collect

We collect only the minimum data needed to run the service. Here is an exhaustive list:

  • Email address (hashed) — your email is immediately hashed with SHA-256 and only the hash is stored. We cannot reverse this to recover your original address.
  • Password (hashed) — bcrypt hashed before storage. We never store your plaintext password.
  • Uploaded financial files — CSV and OFX files you manually upload. These are processed to extract transaction records and then discarded. Raw file contents are not retained long-term.
  • Transaction records — date, amount, description, and category for each transaction derived from your uploads.
  • Categorization rules — rules and labels you define to auto-categorize future transactions.
  • AI chat messages — messages you send in the AI chat feature. See section 4 for details on third-party processing.
We do not collect your name, phone number, address, bank credentials, or any government-issued ID number.

2. How we use your data

Your data is used solely to provide the Financial Autopsy service:

  • Authenticating you when you sign in
  • Displaying your transaction history, summaries, and spending charts
  • Running automated categorization using your saved rules
  • Powering AI chat responses about your financial data
  • Detecting and flagging anomalies or duplicate transactions

We do not use your data for advertising, profiling, or any purpose beyond operating the features you actively use.

3. Data storage & security

  • Database — Neon PostgreSQL, hosted on AWS infrastructure with encryption at rest and in transit (TLS 1.2+).
  • Application hosting — Vercel edge network. All traffic is served over HTTPS.
  • Passwords — bcrypt with a cost factor of 10 or higher. Salted individually per account.
  • Email — stored only as a SHA-256 hash. There is no lookup table or reversible mapping.
  • Session tokens — short-lived JWT tokens. Stored in memory only; not written to localStorage or cookies outside the session.
No system is perfectly secure. In the event of a breach that affects your data, we will notify affected users as required by applicable law.

4. Third-party services

Financial Autopsy uses a small number of third-party services. We do not sell your data to any third party, ever.

  • OpenAI — when you use the AI chat feature, your messages and relevant transaction context are sent to OpenAI's API for processing. OpenAI's API data usage policy applies. Data sent to OpenAI is not used to train their models under the current enterprise API policy.
  • Neon — managed PostgreSQL database provider. Your transaction data resides on Neon-managed infrastructure. See Neon's Privacy Policy.
  • Vercel — application hosting and CDN. Access logs may be retained by Vercel per their standard policies. See Vercel's Privacy Policy.
We do not integrate with any advertising networks, analytics trackers, or data brokers. No third party receives your financial data for commercial purposes.

5. No bank connection

Financial Autopsy does not connect to your bank account. We have no integration with Plaid, Yodlee, or any open banking API. You upload statement files (CSV or OFX) manually — we never have access to your banking credentials, account numbers, or real-time account data.

Your bank login details are never requested, stored, or transmitted by Financial Autopsy.

6. Data deletion

You have the right to delete your account and all associated data at any time. To request deletion:

  • Email us at support@financialautopsy.com with the subject line "Delete my account".
  • We will permanently delete your account, transaction records, categorization rules, and all other stored data within 30 days.
  • Because your email is stored only as a hash, we will ask you to provide the email address you registered with so we can compute the matching hash and locate your account.

We do not retain backups of deleted accounts beyond standard database backup retention windows (typically 7 days).

7. Cookies & local storage

Financial Autopsy does not use third-party cookies or advertising cookies. We use browser local storage for:

  • Your authentication token (to keep you signed in between sessions)
  • Your theme preference (light or dark mode)

Clearing your browser's local storage for this site will sign you out and reset your preferences. No other data is stored client-side.

8. Contact

If you have questions about this Privacy Policy or how your data is handled, please contact us:

  • Email: support@financialautopsy.com

We aim to respond to all privacy inquiries within 5 business days.