Security

Last updated: July 3, 2026

The Short Version

Basin is built local-first: your budget lives on your device, not our servers. The only data that leaves your phone is what an optional feature needs to work — and when it does, it's encrypted in transit and at rest. Basin never sees your bank password and never sells your data.

Local-first by design

Your transactions, budget, goals, and daily number are computed and stored on your device. There's no account to create and nothing to upload just to use Basin, so the most sensitive picture of your finances never leaves your phone.

Bank credentials you never share with us

Bank linking is handled by Plaid, a regulated data provider used by thousands of financial apps. You enter your bank login directly with Plaid over an encrypted connection — Basin never receives, sees, or stores it. Basin only ever holds an access token that lets it read transactions, and you can revoke it anytime by disconnecting in Settings.

Encryption in transit and at rest

When a feature does sync data — like linked-bank transactions — it travels over HTTPS/TLS and is stored on managed infrastructure with encryption at rest and encrypted backups. Access tokens are encrypted before they're stored, and your data is scoped to your own account, never mixed with anyone else's.

Biometric app lock

Turn on Face ID or Touch ID and Basin asks the operating system to verify it's you before the app opens. The biometric check happens entirely on your device — Basin never sees or stores your fingerprint or face data.

No trackers, no data sales

Basin doesn't embed ad SDKs, session-replay tools, or third-party analytics that follow you around. We keep only the limited operational logs needed to run the service and fix bugs, and we never sell or rent your information.

You stay in control

Disconnect your bank, export a full backup of your data, or delete everything from your device at any time. Removing the app clears its local data, and disconnecting a bank removes the associated transactions and token from our servers.

Found a vulnerability?

We take security reports seriously. If you believe you've found a vulnerability, please email us with the details and steps to reproduce. We'll acknowledge your report and keep you posted on the fix.

security@basinbudget.com

Looking for the full policy? Read our Privacy Policy and Terms.