Read-only accessEnd-to-end encryptionPrivacy by designEU data residency

Security at Savyy

Protecting your financial data is foundational to everything we build. From infrastructure design to application logic, every layer of our platform enforces strict security controls to keep your information safe and under your control.

Get startedLearn more

Built for trust

Multiple layers of defense work in concert to protect your financial data at every stage.

Read-Only Bank Access

Savyy operates with strictly read-only permissions on your bank accounts. We cannot initiate payments, execute transfers, or modify your accounts in any way — we can only retrieve transaction data.

No transaction initiation capability
View-only bank connection
Encryption at Every Layer

All data is protected using industry-standard cryptographic protocols. Data in transit is secured with TLS 1.2+, and data at rest is encrypted with AES-256. Sensitive fields use AES-256-GCM authenticated encryption.

TLS 1.2+ encryption in transit
AES-256-GCM encryption at rest
Privacy by Design

Personal information is stripped and anonymized before any analytical or AI processing. We never sell, share, or expose your raw financial data to third parties.

Data anonymization at ingestion
Zero third-party data sharing
Secure Authentication

Authentication is powered by a battle-tested open-source framework with OAuth 2.0, email-based one-time passwords, and cryptographically signed session tokens to ensure only you can access your account.

Multi-factor authentication
Signed session management

European Infrastructure

Our platform is distributed across PlanetScale, Hetzner, and Cloudflare — all configured to operate within European regions.

PlanetScale

All relational data is hosted on PlanetScale, a managed database platform backed by Google Cloud infrastructure in European regions, delivering enterprise-grade availability and horizontal scalability.

Hetzner (Germany)

Application servers and compute workloads run on Hetzner infrastructure in Germany, providing high-performance European hosting with full data sovereignty.

Cloudflare (EU)

Object storage and edge services are operated through Cloudflare, with data jurisdiction configured to the European Union for secure, low-latency asset delivery.

Encrypted Backups

Automated encrypted backups with point-in-time recovery ensure data durability and rapid restoration across all infrastructure layers.

How we protect your data

A clear overview of the safeguards applied to your financial information.

Data Protection
1

All personal information is anonymized before any analytical or AI processing

2

Your raw financial data never leaves our secured infrastructure perimeter

AI & Data Privacy

When AI is used to categorize transactions, only anonymized, non-identifiable data is transmitted — never your personal information, account numbers, or raw transaction details.

No-Training Guarantee

No-training directive enforced on all AI API calls
Data anonymized and stripped of PII before processing
No personal identifiers transmitted to AI providers
Merchant names hashed with SHA-256 before transmission

Cybersecurity Assessments

Proactive security posture through continuous monitoring and independent evaluation.

We conduct regular external cybersecurity audits and penetration testing to identify and remediate vulnerabilities before they can be exploited.

Periodic external security audits and penetration testing
Continuous monitoring and threat detection across all systems
Independent security professionals evaluate our infrastructure
Structured vulnerability remediation with tracked timelines

Security FAQ

Answers to common questions about how we safeguard your data.

Is my financial data secure?

Yes. All data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Sensitive fields such as IBANs and provider tokens use AES-256-GCM authenticated encryption with per-record initialization vectors.

Do you share my data with anyone?

No. We never sell, rent, or share your personal financial data. The only external processing involves anonymized transaction metadata sent to AI models for categorization — no personally identifiable information is ever included.

What happens to my data if I delete my account?

Upon account deletion, all personal data and financial records are permanently purged from our systems within 30 days, in accordance with our data retention policy.

How do I report a security concern?

We welcome responsible disclosure. If you identify a potential vulnerability or have security concerns, please contact our team and we will acknowledge your report within 24 hours.

Where is my data stored?

All data is hosted within the European Union — on PlanetScale (managed database on Google Cloud, EU region), Hetzner (Germany) for application compute, and Cloudflare (EU jurisdiction) for object storage and edge delivery.

Questions about security?

Our team is available to address any security or privacy inquiries.

Get in Touch

Have a security concern, a privacy question, or discovered a potential vulnerability? We value responsible disclosure and are committed to transparency about our security practices. We will respond within 24 hours.

Contact us
Security & Privacy | Savyy