Read-only accessAES-256 encryptionPrivacy by designEU data residency

Security at Savyy

Protecting your financial data is foundational to everything we build. From infrastructure design to application logic, every layer of our platform enforces strict security controls to keep your information safe and under your control.

Built for trust

Multiple layers of defense work in concert to protect your financial data at every stage.

Read-Only Bank Access

Savyy operates with strictly read-only permissions on your bank accounts. We cannot initiate payments, execute transfers, or modify your accounts in any way. We can only retrieve transaction data.

No transaction initiation capability
View-only bank connection
Encryption at Every Layer

All data is protected using industry-standard cryptographic protocols. Data in transit is secured with TLS 1.2+, and data at rest is encrypted with AES-256. Sensitive fields use AES-256-GCM authenticated encryption.

TLS 1.2+ encryption in transit
AES-256-GCM encryption at rest
Privacy by Design

Automatic categorization strips identifiers from transaction descriptions. Every other AI feature is off by default and receives data only after you enable it. Your data is never sold.

AI features off by default
No model training on your data
Secure Authentication

Authentication is powered by a battle-tested open-source framework with OAuth 2.0, email-based one-time passwords, and cryptographically signed session tokens to ensure only you can access your account.

Multi-factor authentication
Signed session management

European Infrastructure

Our platform is distributed across PlanetScale, Hetzner, and Cloudflare, all configured to operate within European regions.

PlanetScale

All relational data is hosted on PlanetScale, a managed database platform backed by Google Cloud infrastructure in European regions, delivering high availability and horizontal scalability.

Hetzner (Germany)

Application servers and compute workloads run on Hetzner infrastructure in Germany, providing high-performance European hosting with full data sovereignty.

Cloudflare (EU)

Object storage and edge services are operated through Cloudflare, with data jurisdiction configured to the European Union for secure, low-latency asset delivery.

Encrypted Backups

Automated encrypted backups with point-in-time recovery ensure data durability and rapid restoration across all infrastructure layers.

How we protect your data

A clear overview of the safeguards applied to your financial information.

Data Protection
1

Identifiers are stripped from transaction descriptions before automatic categorization

2

Beyond the AI features you enable, your financial data stays within our EU infrastructure

AI & Data Privacy

AI requests are processed by Anthropic and OpenAI through Vercel AI Gateway, and only after you enable AI features in the app; the one exception is instrument search, which sends only the search text you type. Automatic transaction categorization sends sanitized descriptions with identifiers removed; the assistant sends the financial data needed to answer the questions you ask it. Your name, email, and banking credentials are never transmitted.

No-Training Guarantee

Explicit opt-in consent checked server-side on every AI feature request
Identifiers stripped from descriptions before automatic categorization
Name, email, and banking credentials never sent to AI providers
No model training on your data, by us or by our providers

Cybersecurity Assessments

Proactive security posture through continuous monitoring and independent evaluation.

We conduct regular external cybersecurity audits and penetration testing to identify and remediate vulnerabilities before they can be exploited.

Periodic external security audits and penetration testing
Continuous monitoring and threat detection across all systems
Independent security professionals evaluate our infrastructure
Structured vulnerability remediation with tracked timelines

Security FAQ

Answers to common questions about how we safeguard your data.

Is my financial data secure?

Yes. All data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Sensitive fields such as IBANs and provider tokens use AES-256-GCM authenticated encryption with per-record initialization vectors.

Do you share my data with anyone?

We never sell or rent your data. We share it only with the service providers needed to run Savyy, such as our banking aggregator and payment processor. If you enable AI features, the data described in our privacy policy is processed by Anthropic and OpenAI. Automatic categorization sends transaction descriptions with identifiers removed, and none of it is used to train their models.

What happens to my data if I delete my account?

Upon account deletion, all personal data and financial records are permanently purged from our systems within 30 days, in accordance with our data retention policy.

How do I report a security concern?

We welcome responsible disclosure. If you identify a potential vulnerability or have security concerns, please contact our team and we will acknowledge your report within 24 hours.

Where is my data stored?

All data is hosted within the European Union: on PlanetScale (managed database on Google Cloud, EU region), Hetzner (Germany) for application compute, and Cloudflare (EU jurisdiction) for object storage and edge delivery.

Questions about security?

Our team is available to address any security or privacy inquiries.

Get in Touch

Have a security concern, a privacy question, or discovered a potential vulnerability? We value responsible disclosure and are committed to transparency about our security practices. We will respond within 24 hours.

Contact us