Data Protection

Your financial data is sensitive. Curl Budget employs multiple layers of security to protect your information at rest, in transit, and throughout our systems.

Encryption

Data in Transit

All data moving between your device and our servers is encrypted:

  • TLS 1.3 - Latest transport layer security
  • HTTPS only - No unencrypted connections
  • Certificate pinning - Prevents man-in-the-middle attacks

When you sync transactions or access your data, it travels over encrypted channels, so anyone intercepting the connection cannot read it.

Data at Rest

Your data stored on our servers is encrypted:

  • AES-256 encryption - Bank-grade encryption standard
  • Encrypted databases - All stored data is encrypted
  • Encrypted backups - Even backups are protected

Even if someone accessed our storage directly, they couldn't read your data without the encryption keys.

Key Management

Encryption keys are:

  • Stored separately from data
  • Rotated regularly
  • Managed with industry best practices
  • Never accessible to unauthorized parties

Infrastructure Security

Cloud Security

Our infrastructure is hosted on secure cloud providers:

  • SOC 2 certified - Regular security audits
  • ISO 27001 compliant - Information security standards
  • PCI DSS compliant - Payment card industry standards

Network Security

Our network is protected by:

  • Firewalls - Block unauthorized access
  • Intrusion detection - Monitor for suspicious activity
  • DDoS protection - Defend against attacks
  • Network segmentation - Limit access between systems

Access Controls

Internal access is tightly controlled:

  • Principle of least privilege - Staff only access what they need
  • Multi-factor authentication - Required for all internal access
  • Audit logging - All access is logged
  • Regular access reviews - Permissions reviewed periodically

Application Security

Secure Development

Our code is developed securely:

  • Security testing - Regular vulnerability scanning
  • Code review - All changes reviewed
  • Dependency monitoring - Third-party library security tracked
  • Bug bounty - Rewarding security researchers

Authentication

Your account is protected by:

  • Passwordless login - Magic links eliminate password risks
  • Session management - Secure token handling
  • Device verification - New devices require verification

API Security

Our APIs are secured:

  • Authentication required - No anonymous access
  • Rate limiting - Prevent abuse
  • Input validation - Reject malicious requests
  • Output encoding - Prevent injection attacks

Data Minimization

What We Collect

We only collect data necessary for the service:

  • Transaction data from connected accounts
  • Account metadata (names, types, balances)
  • Your preferences and settings
  • Usage data for app improvement

What We Don't Collect

We don't store:

  • Your bank login credentials (handled by Plaid)
  • Full account numbers (we keep only the last 4 digits)
  • Social Security numbers
  • Unnecessary personal details

Data Retention

Your data is retained:

  • While your account is active
  • During grace periods after subscription ends
  • For a limited time after account deletion
  • As required by law

Third-Party Security

Plaid

Plaid handles bank connections:

  • Bank-level security - Trusted by major institutions
  • Credential isolation - We never see your bank password
  • Read-only access - Can't move money
  • SOC 2 Type II certified - Regular audits

Apple

Apple accounts use Apple's security:

  • Apple ID authentication
  • Apple's encryption standards
  • Two-factor authentication required

Payment Processing

Subscription billing through Apple:

  • Apple handles all payment data
  • We never see credit card numbers
  • Follows Apple's security standards

Your Security Role

Protect Your Email

Since we use magic link authentication:

  • Your email is your login
  • Protect your email account
  • Use strong email passwords
  • Enable 2FA on your email

Device Security

Secure your devices:

  • Use device passcodes/biometrics
  • Keep devices updated
  • Don't jailbreak/root devices
  • Be cautious on public Wi-Fi

Account Hygiene

Maintain account security:

  • Sign out on shared devices
  • Review connected accounts periodically
  • Report suspicious activity immediately

Incident Response

If Something Happens

We have procedures for security incidents:

  • Detection - Monitoring systems alert us
  • Response - Security team investigates immediately
  • Notification - We notify affected users as appropriate
  • Remediation - We fix issues and prevent recurrence

Reporting Issues

If you notice something wrong:

  • Contact us immediately at hello@curlbudget.com
  • Describe what you observed
  • We take all reports seriously
  • We'll investigate and respond

Compliance

Standards We Follow

  • GDPR - European data protection
  • CCPA - California consumer privacy
  • SOC 2 - Security controls (via our providers)
  • PCI DSS - Payment card security (via Apple)

Regular Audits

Our security is verified through:

  • Third-party security assessments
  • Penetration testing
  • Compliance audits
  • Continuous monitoring
