Security
Taly handles your financial data, so security isn’t a feature — it’s the foundation. Here’s how we protect it, in plain English.
Bank-grade encryption
Read-only bank access
We never sell your data
Your data stays yours
Found a vulnerability? Please email security@taly.app. We welcome responsible disclosure and will work with you on a fix.
Your bank connection
When you link a bank, you connect through Plaid — the same secure service used by many major finance apps. What that means for you:
- We never see your bank password. You enter it directly with Plaid, in Plaid’s own secure screen — it’s never shared with us.
- Access is read-only. Taly can read your transactions and balances to help you budget. It cannot move money, make payments, or change anything at your bank.
- You’re in control. Disconnect any bank anytime from Settings → Accounts. Disconnecting immediately revokes Taly’s access through Plaid.
Encryption
- In transit: every connection uses TLS 1.2+ (HTTPS). There is no unencrypted fallback — your data is encrypted the moment it leaves your device.
- At rest: the access tokens that let Taly read your bank accounts are encrypted with AES‑GCM at the application layer before they are written to the database. The encryption key lives in a managed secrets store, separate from the database, so a stolen database copy contains only ciphertext that cannot be decrypted or reused. Your data is additionally encrypted at rest by our database provider.
We never sell your data
Taly makes money one way: subscriptions. We do not sell, rent, or share your financial data with anyone for advertising or marketing — ever. There are no ads in Taly. The only companies that touch your data are the infrastructure providers below, acting as processors under signed agreements so we can run the service.
Signing in & protecting your account
- Sign in with email + password (strong passwords enforced), a one-tap magic link, Google, or Apple.
- Two-factor authentication (2FA) is available — turn on an authenticator app for an extra layer, and keep one-time recovery codes in case you lose your device.
- On mobile, you can lock the app behind Face ID / Touch ID / fingerprint.
- Passwords are never stored in plain text — they’re hashed by our authentication provider, and we never log them.
Backups, exports & deletion
- Export anytime. Download a full backup of your data from Settings whenever you want, or turn on automatic backups to your own Google Drive (and iCloud on iPhone).
- Server backups. The database is backed up so your data can be recovered from a failure, and a snapshot is taken before any in-app “restore” so you can undo it.
- Delete anytime. Deleting your account runs a complete purge: it revokes every linked bank through Plaid and removes your data. Your data belongs to you, not us.
Built on trusted infrastructure
We don’t reinvent the hard parts. Taly runs on established providers that have completed SOC 2 audits:
- Plaid: secure, read-only bank connections
- Supabase: database & authentication, encrypted at rest
- Render: application hosting, managed TLS
- Stripe: payments (we never store card numbers)
Monitoring
We monitor the service for errors and unusual activity, with automatic alerting. Our error reporting is configured to strip out your financial details (amounts, vendors, descriptions) before any diagnostic data leaves the system, so debugging never exposes your money.
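One way to implement the scrubbing described above, as an added example that is not Taly's own configuration: a beforeSend-style hook (the shape used by Sentry-style SDKs) that redacts a deny-list of financial field names wherever they appear in the event and masks currency-looking strings in free text. The field names, the regex and the sample event are constructed for this example.

```javascript
// Added example (not Taly's code): scrub financial details from an error report
// before it is handed to an error-tracking service.

// Constructed deny-list of field names that carry financial detail.
const SENSITIVE_KEYS = new Set([
  'amount', 'amount_cents', 'balance', 'balances',
  'vendor', 'merchant', 'merchant_name', 'description', 'memo',
]);
// Constructed pattern for currency-looking strings in free text,
// e.g. "$1,234.56", "-42.10 USD".
const MONEY_RE = /[-+]?\$\s?\d[\d,]*(\.\d{2})?|[-+]?\d[\d,]*\.\d{2}\s?(USD|EUR|GBP)\b/g;
const REDACTED = '[redacted]';

// Recursively copy the event, redacting sensitive keys and masking money in
// strings. Shared or circular references are cut so the walk always ends.
function scrub(value, seen = new WeakSet()) {
  if (typeof value === 'string') return value.replace(MONEY_RE, REDACTED);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? REDACTED : scrub(v, seen);
  }
  return out;
}

// Hook shaped like an SDK's beforeSend: return the event to send, or null to drop.
function beforeSend(event) {
  return scrub(event);
}

// Runs the hook over a constructed sample event and returns the result.
function demoScrub() {
  const event = {
    message: 'Failed to categorize transaction txn_1: $84.17',
    extra: {
      transaction: {
        id: 'txn_1',
        amount: 84.17,
        vendor: 'Example Grocer',
        description: 'GROCERY PURCHASE',
        category: 'food',
      },
    },
    breadcrumbs: [{ message: 'balance fetched: 1,204.55 USD' }],
    user: { id: 'user_123' },
  };
  return beforeSend(event);
}
```

The caveat a reviewer would raise: pattern matching cannot recognise a vendor name embedded in a free-text message, so the scrubber is a safety net, not the primary control. The code that builds error messages should interpolate transaction ids, never descriptions or vendor names, and when the event shape is under your control an allow-list of known-safe fields is stricter than a deny-list.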
An honest note
Taly is built and run by a solo developer and is in active, pre-launch development. We hold ourselves to real security practices — encryption, least-privilege access, multi-factor authentication on our own systems, a defined process for patching vulnerabilities, and a documented plan for handling incidents. We don’t claim certifications we don’t have (no SOC 2 report of our own yet), and we rely on our SOC 2-audited providers for the infrastructure layer. We’d rather be straight with you than oversell.
Last updated 2026-06-03. Published at taly.app/security.