Trust · Where your data lives
Here is exactly what FinPlanTools stores, where it lives, and how to get rid of it — laid out per deployment mode, with no bank-level-security hand-waving. Every claim on this page maps to code you can read.
01 Two modes
Run FinPlan fully local and our servers never enter the picture. Or connect the hosted server for zero-install setup — and even then, what we hold is a short-lived scratch copy, not a record of you.
One thing is true in both modes: your conversation runs through your AI provider — Anthropic, OpenAI, or Google. Local mode means our servers see nothing. It does not mean the model sees nothing. If you want the model kept out of the loop too, that is a question for your provider's privacy terms, not ours.
02 What we never touch
Account sync reads a file you export from Monarch. FinPlan never sees a bank login, and there is no account-aggregator connection to break.
There is no Social Security number field in the data model. FinPlan does not ask for one, and there is nowhere to put one.
There is no analytics, no tracking, and no third party that receives your financial data. Nothing about you is a product.
03 Hosted, in detail
When a tool needs your full profile, the document is uploaded and stashed under a random 128-bit handle in the server's temporary directory. It has a 60-minute time-to-live: the server stops resolving it once it expires, and the next request for an expired handle gets nothing back and clears the file. The directory is ordinary container storage with no persistent volume attached, so every deploy starts it empty. There is no database of your finances — only this transient copy.
An account is optional and exists only to issue API keys. It lives in Supabase and holds your email plus your keys. We never store a raw API key — only its SHA-256 fingerprint, so the key is shown to you exactly once at creation and can never be read back, by us or anyone. Keys carry an expiry (90 days by default), and you can revoke any of them yourself, at any time, from the dashboard.
The server runs on Railway; accounts and keys live in Supabase. Deleting an API key is self-serve and immediate. Your uploaded state needs no delete button — it expires on its own within the hour. Removing the account record itself (your email) is not yet self-serve; until it is, ask us and we will remove it.
04 The exits
Your data is plain JSON — the same format going in and coming out. Nothing is locked in a proprietary schema or a cloud you cannot reach.
A tool you cannot walk away from is a trap. FinPlan is built so you can leave with everything, in a format you already own.
Read the code
Don't take our word for it. Read the source.
Every claim on this page is enforced by code, and the plugin that talks to your assistant is open for inspection.