How we protect your data
Spaife handles sensitive financial data, so security and honesty come first. Here's exactly what we do today, who we work with, and what we're still building — no claims we can't back up.
The protections in place right now
Encrypted in transit & at rest
Traffic is protected with TLS in transit, and your data is encrypted at rest by our cloud provider.
Read-only connections
When you link an account, Spaife reads records to build your estimate. It can never move your money.
We never sell your data
No selling or renting to data brokers or advertisers — ever. It’s written into our Privacy Policy.
Export & delete anytime
Your records belong to you. Export them, or request deletion of your account and data, whenever you want.
Trusted infrastructure
Built on Google Cloud / Firebase, with provider-managed encryption, access controls, and monitoring.
Secure sign-in
Sign in with Google, Apple, or email. Passwords are managed and hashed by Firebase Authentication — we never store them ourselves.
Subprocessors
The trusted services that help run Spaife. They process data only to provide their service to us, under their own security and data-processing commitments.
Google Cloud / Firebase
Hosting, authentication, database, and file storage
Stripe
Payment processing — card details are handled by Stripe (PCI-DSS), not stored by us
Planned — not yet active
AI provider (e.g. Google Gemini)
Will power optional AI-assisted features — not yet enabled
Account aggregators (e.g. Plaid / Pinwheel)
For read-only account connections — not yet enabled
You stay in control
- Export: download your records in a portable format at any time.
- Deletion: request account deletion and we remove your data from active systems within 30 days (backups within 90).
- No lock-in: leave whenever you like — your data goes with you.
Full details of what we collect and why are in our .
Found a security issue?
We welcome responsible disclosure. Email security@spaife.com with the details and steps to reproduce. Please give us reasonable time to investigate and fix before any public disclosure, and don't access or modify data that isn't yours.
Machine-readable contact: /.well-known/security.txt
Honest about our compliance status
Spaife is in active development and has not completed an independent security audit (such as SOC 2). We don't display badges or certifications we don't hold — when we earn them, you'll see them here.
Our roadmap
- • [ Formalize our security policies and access reviews — target: TBD ]
- • [ Independent penetration test — target: TBD ]
- • [ SOC 2 Type II — target: TBD ]
Built carefully, in the open
Questions? security@spaife.com