Privacy Policy

Last updated: April 2026

Accountir is a personal accounting application. This policy describes what data we collect, how it is stored, and your rights regarding that data.

1. Data We Collect

Account Information

• Email address — used for login and account identification. Stored in plaintext (required for authentication).
• Password — stored as a one-way cryptographic hash (argon2). We never store or have access to your plaintext password.
• API key — stored as a hash with a prefix for identification. The full key is shown once at creation and never stored.

Security Data

• TOTP secret — your two-factor authentication secret, encrypted at rest using AES-256-GCM.
• Recovery codes — stored as one-way hashes.

Session Data

• IP address — recorded when you log in and with API requests, for security monitoring.
• User agent — your browser identifier, recorded with sessions.
• Session tokens — used to maintain your login state. Expire after 30 days.

Financial Data (via Plaid)

When you connect a bank account through Plaid, we store:

• Plaid access tokens — encrypted at rest (AES-256-GCM). Used to sync your transactions.
• Institution name and metadata — encrypted at rest.
• Account names, types, and last-4 digits — encrypted at rest.
• Transaction sync cursors — encrypted at rest. Used to track sync progress.

Transaction data itself is synced to your local Accountir desktop application and is not stored on our servers. Our server acts as a proxy to retrieve transactions from Plaid and pass them to your local app.

Billing Data

• Stripe customer ID and subscription ID — used to manage your subscription. Payment details (card numbers, etc.) are handled entirely by Stripe and never touch our servers.

Usage Data

• API request logs — HTTP method, path, status code, and response time. Used for monitoring and debugging. Retained for 90 days.

2. How We Protect Your Data

• All financial data and secrets are encrypted at rest using AES-256-GCM with a server-side encryption key.
• All connections use TLS (HTTPS).
• Passwords are hashed with argon2 (computationally expensive to brute-force).
• Two-factor authentication is mandatory for all accounts.
• The database is hosted on a managed PostgreSQL service with encrypted storage.

3. Data Sharing

We do not sell, rent, or share your data with third parties, with the following exceptions:

• Plaid — we exchange tokens with Plaid to access your bank data on your behalf. Plaid's privacy policy governs their handling of your data.
• Stripe — payment processing is handled by Stripe. Their privacy policy governs payment data.
• Law enforcement — we may disclose data if required by law.

4. Data Retention

• Account data is retained while your account is active.
• Session data expires after 30 days.
• API request logs are retained for 90 days.
• You may delete your account at any time, which removes all associated data.

5. Your Rights

• You may disconnect bank accounts at any time (removes stored tokens and account data).
• You may delete your account, which removes all stored data.
• You may request an export of your data by contacting us.

6. Consent

By creating an account and using Accountir, you consent to the collection and processing of data as described in this policy. You may withdraw consent at any time by deleting your account.

7. Contact

For questions about this privacy policy or your data, contact: privacy@accountir.com

← Back to login