
Security & Privacy

Built On Trust From Day One.

When we built Loftd, we started with a simple truth: your financial data is deeply personal. So we designed the product, the infrastructure, and the business model around protecting it—not monetizing it.

Bank-Grade Security
256-Bit Encryption
Never Sold, Ever
Read-Only Access

Our Commitment

A Product Built To Protect You.

Every line of Loftd is written with the assumption that your data is sacred. We have built protections at every layer—how you sign in, how data moves, where it is stored, and who on our team can ever see it.

And our business model is straightforward: you pay us a subscription. Your information is never the product, never the inventory, and never for sale.

— The Loftd team

Industry-Best Data Protection

The layers of defense that keep Loftd locked down—designed so a single mistake never becomes a single point of failure.

Authentication Protection

  • Required multi-factor authentication on every account
  • Face ID / Touch ID supported, with biometric data staying on your device
  • Session expiry and breach-aware password protections

Two-Way Data Encryption

  • AES-256 encryption for everything stored at rest
  • TLS 1.2+ on every byte transmitted between your device and our servers
  • Keys handled by managed services with regular rotation

Walled-Off Infrastructure

  • Hosted on Supabase, with row-level security enforced at the database
  • Each user’s information is fully isolated from every other user
  • Defense-in-depth network and runtime controls at every layer

Strict Internal Access

  • Our team operates on least-privilege—minimum access needed to do the job
  • Customer data is touched only when you request support, with full audit logs
  • Never “everyone can see everything”

Bank Connections

How We Connect To Your Banks

We use Plaid for every bank connection—the same secure layer trusted by thousands of finance apps and millions of people every day. When you link an account, you authenticate directly with your bank inside Plaid’s flow. Loftd never sees or stores your bank credentials.

  • Your login stays with your bank. Plaid handles the secure handoff; we just receive what you authorize.
  • 12k+ institutions across the U.S., Canada, the UK, and Europe.
  • Read-only by design. Loftd cannot move, transfer, or modify your accounts—period.
  • Revoke anytime. Disconnect any institution from Settings, or use your bank or Plaid dashboard.

[Screenshot: the Plaid Link modal inside Loftd, reading ‘Loftd uses Plaid to connect your account.’ Caption: How linking looks inside Loftd.]

Chief Powers Loftd

Powered by Anthropic, Chief organizes your money the way a great accountant would—categorizing transactions, surfacing what matters, and answering the questions you used to put off. The busywork is taken care of, on call whenever you need it.

  • Minimum data only. Just the small slice needed to answer the request in front of it—not your whole financial life.
  • Never used to train models. Your data is not used to train Anthropic's AI.
  • Auto-deleted within 30 days. Anthropic retains processed data for no more than 30 days, then deletes it.

See our Subprocessors page for the full vendor list, and our Privacy Policy for the legal detail.

Privacy & Your Control

You own your data, end to end. Here is what we do with it, what we never do, and how you stay in charge.

What We Use It For

  • Showing you a clear picture of your finances
  • Categorizing transactions and powering your budget
  • Helping Chief answer your questions
  • Customer support when you reach out
  • Improving features in anonymized, aggregated form

What We Never Do

  • Sell your financial data—ever
  • Use your data for ads or to profile you for advertisers
  • Share data with marketers or data brokers
  • Quietly change the rules without telling you
  • Access your accounts unless you ask us to

Export Anytime

Download your transactions, budgets, and financial data from Settings in a readable format whenever you want.

Disconnect Banks

Drop any linked institution from Settings; access is revoked instantly through Plaid.

Delete Permanently

Settings → Account → Delete Account removes every trace—transactions, budgets, goals, bank links—within 30 days.

For the full legal detail of how we handle your data, read the Privacy Policy.

Coordinated Security Disclosure

We welcome reports from security researchers and treat every one seriously. If you have found a vulnerability, email security@loftd.app with steps to reproduce.

  • We respond fast. Acknowledgement within two business days, and a clear status update while we work the issue.
  • Safe harbor. We will not pursue legal action against good-faith research conducted under this policy.
  • Coordinated publication. We work with you on the timing of any public write-up so users are protected before details go out.
  • Credit when you want it. Researchers can be recognized in our security acknowledgments after the issue is fixed.

FAQs

Can Loftd access or move money in my accounts?

No. Our access is strictly read-only through Plaid. We can see your accounts to inform you, and that is it. Transfers, payments, or any kind of money movement are never possible from Loftd.

Does Loftd store my bank login credentials?

No. You authenticate directly with your bank inside Plaid’s secure flow. Loftd never receives, sees, or stores your bank username or password.

How is my data protected?

All data is encrypted with AES-256 at rest and TLS in transit. Database access is locked down with row-level security on Supabase, multi-factor authentication is required for our team, and every access to customer data is logged and audited.

What safety measures do your third-party partners take?

Our key partners—Plaid for bank connections, Anthropic for AI, and Supabase for infrastructure—operate to industry-leading standards (SOC 2, audited security controls, strict access management). The complete list lives on our Subprocessors page.

How does Loftd keep my information safe when using AI?

Loftd uses Anthropic. Only the minimum data needed for the specific request is sent, Anthropic does not train on your data, and any processed data is deleted within 30 days. Detail is in our Privacy Policy.

Get in touch

Privacy requests

privacy@loftd.app

Security reports

security@loftd.app

In-app support

Settings → Help & Support

Loftd is a personal-finance software tool—not a registered investment adviser, broker, accountant, or financial planner. Nothing in the Loftd app or on this website is financial, investment, legal, or tax advice. AI-generated insights are informational only and may contain errors. Past performance and projected scenarios do not guarantee future results.