Information Security Policy
Expense Planner
Version 1.0 — Effective 2026-05-02
Purpose
This Information Security Policy establishes Expense Planner’s approach to protecting the confidentiality, integrity, and availability of customer financial data and the systems that process it. It documents the security controls in place, defines responsibilities, and articulates the operational practices that minimize risk of unauthorized access, modification, or disclosure of information.
The policy is designed to meet contractual and regulatory obligations applicable to a consumer-facing personal finance application that integrates with banking data aggregators, including obligations under the Plaid End User Privacy Policy, Apple App Store Review Guidelines, and applicable U.S. data protection laws.
Scope
This policy applies to:
- Information in any form — written, recorded electronically, or stored on backend systems — that is collected, processed, or transmitted by the Expense Planner application or its supporting backend services.
- All systems used to store, process, or transmit Expense Planner data, including the iOS application, the Supabase backend project, source code repositories, developer workstations, and any third-party services integrated by the operator.
- The sole operator of Expense Planner (currently a solo developer) and any future contractors, contributors, or third parties granted privileged access to production systems.
- Data entrusted to Expense Planner by end users, including but not limited to: account credentials (managed by Plaid, never seen by Expense Planner), Plaid access tokens, financial transaction history, account balances, account names, and user-generated metadata such as category overrides and transaction notes.
Background
Expense Planner is a personal finance application available on iOS that helps end users aggregate and review their spending across linked financial institutions. The product is operated by a single developer (“the operator”) and is currently in early-stage release.
This document is the overarching information security policy. Where appropriate, it incorporates the substance of related policy areas inline rather than as separate documents, in keeping with the operational scale of the company. Where Expense Planner grows in scope, individual sub-policies will be split out. The policy areas covered inline include:
- Acceptable Use
- Asset Management
- Backup and Disaster Recovery
- Data Classification, Retention, and Protection
- Encryption and Authentication
- Incident Response
- Responsible Disclosure
- Risk Assessment
- Software Development Life Cycle
- System Access Management
- Vendor Management
- Vulnerability Management
Information Security Objectives
It is the policy of Expense Planner that information in all its forms shall be protected from accidental or intentional unauthorized modification, destruction, or disclosure throughout its life-cycle. This protection extends to the equipment and software used to process, store, and transmit that information.
The information security goals of Expense Planner are:
- Confidentiality: Each user’s financial data is accessible only to that user and to the operator under controlled, audited circumstances.
- Integrity: Stored transaction and account data is accurate, complete, and protected against unauthorized modification.
- Availability: Application and backend services are available when needed, with downtime minimized through reliance on managed infrastructure providers offering documented uptime commitments.
Specific objectives derived from these goals:
- Protect user financial data from internal, external, deliberate, or accidental threats.
- Enable secure user-controlled access to financial data without exposing other users’ data.
- Maintain clarity about the responsibilities of the operator with respect to user data.
- Ensure business continuity through reliance on managed services with documented backup and recovery procedures.
- Limit data collection to what is operationally required to deliver the product.
Roles and Responsibilities
The Operator of Expense Planner serves as the responsible party for information security and is accountable for:
- The design, development, maintenance, and enforcement of the controls described in this policy.
- Vendor relationships with Supabase, Plaid, Apple, and any other service providers.
- Reviewing access logs, security alerts, and incident reports.
- Responding to security incidents and user data inquiries.
- Annual review and update of this policy.
The operator’s contact email for security matters is on file with Plaid and may be obtained on request via the application’s support contact.
Policy Review
This policy shall be reviewed and, where necessary, updated at least annually, and additionally upon any of the following triggers:
- Addition of a new third-party service provider with access to user data.
- Material change to the application’s data collection or processing practices.
- A security incident or near-miss that suggests an existing control is insufficient.
- A significant change to the regulatory environment affecting consumer financial applications.
The reviewed policy will be re-dated and the change history retained in the application’s source control system.
Exceptions
There are currently no exceptions to this policy. Any future exceptions must be documented in writing, justified by business need, time-bounded, and subject to compensating controls. Exceptions will be reviewed annually as part of the policy review.
Policy
Operator Awareness
The operator maintains awareness of relevant security developments through:
- Subscribing to security advisories from primary vendors (Supabase, Plaid, Apple).
- Subscribing to GitHub Dependabot security alerts on the application repository.
- Periodic review of OWASP Top 10 and OWASP Mobile Top 10 guidance.
- Reviewing this policy at least annually.
If additional contractors or contributors are added in the future, they will acknowledge this policy in writing prior to receiving access to production systems and complete equivalent security awareness review annually.
Workstation Security
The operator’s primary development workstation is configured with:
- Full-disk encryption (FileVault on macOS) enabled.
- Auto-lock with password protection after a short period of inactivity.
- A non-trivial account password and biometric (Touch ID / Face ID) authentication.
- Automatic operating system security updates enabled.
- Antivirus / endpoint protection through macOS built-in XProtect and Gatekeeper.
- No production credentials stored in plaintext on the local filesystem outside macOS Keychain or `.envrc` files marked git-ignored.
Backups of the workstation are performed via Time Machine to an encrypted external volume. Source code is additionally backed up via remote git hosting (GitHub).
Acceptable Use
Expense Planner systems and data may be used only for the following purposes:
- Operating, maintaining, and improving the Expense Planner application.
- Investigating and responding to user-reported issues, where access to a specific user’s data is justified, time-bounded, and logged.
- Compliance with valid legal process.
Prohibited uses include, but are not limited to:
- Accessing user financial data for personal interest unrelated to a legitimate operational need.
- Sharing user financial data with any third party except as required by law or as part of an authorized incident response.
- Disclosing access tokens, API keys, or other credentials to any party.
- Using user data for marketing, advertising, profiling, or analytics beyond aggregate usage metrics that contain no personal financial detail.
Data Classification
Data handled by Expense Planner is classified into the following tiers:
| Tier | Description | Examples |
|---|---|---|
| Restricted | Data that, if exposed, would directly harm a user. | Plaid access tokens, raw transaction history, account balances, account numbers (last-4 only — full numbers are never collected) |
| Confidential | Data that, if exposed, would expose user identity or activity. | User email addresses, user IDs, sign-in metadata, application logs containing user identifiers |
| Internal | Operator-only data with no end-user impact. | Aggregate usage counts, infrastructure metrics, application logs without user identifiers |
| Public | Information intended for public release. | Marketing copy, App Store listing, this policy document |
All Restricted and Confidential data is subject to the encryption, access control, and retention requirements set out elsewhere in this policy.
Data Retention
- Active user data: Retained for the lifetime of the user’s account.
- Account deletion: When a user deletes their Expense Planner account, all Restricted and Confidential data associated with that account, including the Plaid access token, is deleted from the production database within seven (7) days. Backups containing the deleted data age out per the backup retention schedule.
- Backups: Daily managed backups are retained for the period offered by the backend provider’s plan (currently seven days for Supabase Pro).
- Application logs: Retained for 30 days. Logs do not contain Plaid access tokens, full account numbers, or transaction descriptions; they may contain user IDs and request metadata.
Encryption
- In transit: All connections between the iOS application and the Supabase backend, and between the backend and Plaid, are protected by TLS 1.2 or higher. Apple App Transport Security (ATS) is enabled with no exceptions in the iOS application.
- At rest — backend: All data in the Supabase Postgres database is encrypted at rest using AES-256 by the underlying managed infrastructure (AWS RDS).
- At rest — Plaid access tokens: Stored only server-side in the encrypted database, never transmitted to the iOS client and never logged.
- At rest — iOS client: Supabase session tokens are stored in the iOS Keychain, which is encrypted using device-specific hardware keys and gated by the user’s device passcode. Cached transaction data is stored in SwiftData, protected by the iOS data-protection classes `NSFileProtectionComplete` (default for Keychain) and `CompleteUntilFirstUserAuthentication` (default for SwiftData).
Authentication and Access Management
End users authenticate to the application via:
- Sign in with Apple (preferred), or
- Email and password (handled by Supabase Auth, with passwords stored as bcrypt hashes by the provider — plaintext passwords are never seen by Expense Planner backend code).
End users may also enable an in-app Face ID lock screen for an additional access control layer at the device level.
Operator access to production systems:
- Access to the Supabase backend dashboard requires multi-factor authentication.
- Access to Plaid Dashboard requires multi-factor authentication.
- Access to the Apple Developer / App Store Connect account requires multi-factor authentication.
- Access to the source code repository requires multi-factor authentication.
- Production database queries are performed via the Supabase SQL editor or service-role key. The service-role key is treated as Restricted credential material; it is stored only in the operator’s Keychain and in Supabase Edge Function environment variables.
User isolation in the database is enforced via Postgres Row-Level Security policies on every user-scoped table; the application’s anon and authenticated keys cannot read other users’ rows even in the presence of an application-layer bug.
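As an added illustration of the row-level security control described above (example SQL, not Expense Planner’s own schema; the table and column names are assumptions), this shows a user-scoped table whose rows are bound to the caller’s Supabase JWT subject via `auth.uid()`, plus a query that checks for tables that were left without RLS:

```sql
-- Added example (not Expense Planner's own schema): a user-scoped table with
-- Supabase RLS so the anon/authenticated roles only see their own rows.
-- Table and column names are assumptions.
create table public.transactions (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  account_id  uuid not null,
  posted_at   date not null,
  amount      numeric(12, 2) not null,
  description text
);

-- Turn RLS on and make it apply to the table owner as well, so a missing
-- policy fails closed. Roles with BYPASSRLS (the service role) still bypass it.
alter table public.transactions enable row level security;
alter table public.transactions force row level security;

-- One policy per operation, each bound to the caller's JWT subject.
-- No policy is granted to anon, so unauthenticated requests see nothing.
create policy "users read own transactions"
  on public.transactions for select
  to authenticated
  using (auth.uid() = user_id);

create policy "users insert own transactions"
  on public.transactions for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "users update own transactions"
  on public.transactions for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "users delete own transactions"
  on public.transactions for delete
  to authenticated
  using (auth.uid() = user_id);

-- Verification query for the SQL editor: list ordinary tables in the public
-- schema that still have RLS disabled. The expected result is zero rows.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

The verification query is worth running after every migration, since a newly created table has RLS disabled until it is explicitly enabled.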
Inactive operator credentials, if any (e.g. unused service tokens), are reviewed and revoked promptly upon detection.
Software Development Life Cycle
- Source code is maintained in a private git repository.
- Production deployments of Edge Functions and database migrations are performed by the operator from the local workstation using the official Supabase CLI.
- iOS releases are built and uploaded via Xcode to App Store Connect; release builds are signed with the operator’s Apple Developer ID.
- Dependencies are reviewed before introduction; security advisories on existing dependencies are monitored via GitHub Dependabot.
- No customer data is used in development or test environments. The Plaid Sandbox environment, with its synthetic test users, is used exclusively for development and testing.
Vendor Management
Expense Planner relies on the following critical service providers. Each is reviewed for security posture before integration; current providers were selected on the basis of public security documentation and established industry use.
| Vendor | Purpose | Security Documentation |
|---|---|---|
| Supabase | Managed Postgres, authentication, edge functions, file storage | SOC 2 Type II, HIPAA available on enterprise tier |
| Plaid | Financial data aggregation | SOC 2 Type II, ISO 27001, end-user privacy policy |
| Apple | iOS distribution, Sign in with Apple, App Store payments | Apple Platform Security guide |
| GitHub | Source code hosting | SOC 2 Type II, ISO 27001 |
The list of vendors with access to user data will be reviewed annually. New vendors will be evaluated against equivalent security baselines before integration.
Vulnerability Management
- Dependencies: Application and backend dependencies are kept current. Critical and High severity advisories are addressed within 30 days of disclosure; lower severity within 90 days.
- Operating systems: macOS development workstation, iOS test devices, and the managed backend infrastructure all receive automatic security updates.
- Code review: All changes to security-sensitive code paths (authentication, authorization, secret handling) are reviewed before deployment, even when there is only one operator (review-by-self via reading the diff before pushing).
- Penetration testing: No formal penetration test has been conducted at this stage. As the user base grows, a third-party penetration test will be commissioned.
Backup and Disaster Recovery
- The Supabase backend retains daily database backups per the active plan; point-in-time recovery is available within the backup retention window.
- Source code is backed up via the remote git hosting provider, plus the operator’s local working copies.
- In the event of catastrophic failure of the backend provider, the recovery objective is to restore service within seven (7) days using the most recent available backup. End users will be notified of any data loss exceeding 24 hours.
- The operator’s workstation is backed up via Time Machine to local encrypted media.
Incident Response
An information security incident is any event that compromises, or is reasonably suspected to compromise, the confidentiality, integrity, or availability of Expense Planner systems or user data.
In the event of a suspected incident, the operator will:
- Contain. Take immediate steps to limit further exposure (revoke credentials, disable affected services, take affected systems offline).
- Investigate. Determine scope: which users, which data, what time window, what root cause.
- Notify. Notify affected users without undue delay, and in any case within 72 hours of confirming an incident has occurred. Notifications will describe what data was affected, what is being done, and what users should do. Where Plaid access tokens may have been exposed, Plaid will additionally be notified at security@plaid.com so tokens can be invalidated.
- Remediate. Address the root cause, document the fix, and adjust controls to prevent recurrence.
- Document. Record the incident, response timeline, and lessons learned in a private incident log.
Regulatory notification (e.g. state data breach notification statutes) will be made as required by law.
Responsible Disclosure
Security researchers who identify a vulnerability in Expense Planner are encouraged to report it to the operator via the security contact email associated with the App Store listing. The operator commits to:
- Acknowledging receipt of vulnerability reports within seven (7) days.
- Providing an initial assessment within 30 days.
- Working in good faith with the reporter to remediate confirmed vulnerabilities.
- Not pursuing legal action against researchers who act in good faith, do not access or modify other users’ data beyond what is minimally necessary to demonstrate the issue, and provide the operator a reasonable opportunity to remediate before public disclosure.
Risk Assessment
The operator performs an informal risk assessment at least annually, identifying the most significant threats to user data and evaluating whether existing controls remain adequate. Current top-of-mind risks include:
- Compromise of the operator’s Supabase or GitHub account credentials. Mitigation: Multi-factor authentication, hardware-key-backed second factor where supported, strong unique passwords stored in a password manager.
- Inadvertent exposure of secrets via source code commits. Mitigation: `.gitignore` rules for environment files, `git-secrets`-style hooks, never inlining service-role keys in source.
- Vulnerability in a critical dependency. Mitigation: Dependabot alerts, prompt patching cadence.
- Compromise of a vendor (Supabase, Plaid). Mitigation: Vendor selection bias toward providers with established security posture; readiness to migrate or revoke if a provider’s security materially changes.
- Loss or theft of the operator’s workstation. Mitigation: Full-disk encryption, auto-lock, remote wipe via Find My Mac, no production secrets persisted outside Keychain.
Acceptable Use of Mobile and Endpoint Devices
The operator’s iOS test devices used to build and validate Expense Planner releases are configured with:
- Device passcode enabled.
- Automatic iOS updates enabled.
- “Find My iPhone” enabled with remote wipe available.
- No production user data — testing is performed against the operator’s own account or against Plaid Sandbox accounts.
If contractors or contributors join in the future, the same baseline will apply to any device used to access production systems.
Enforcement
The operator is responsible for compliance with this policy. Where additional contributors or contractors join in the future, they will be subject to access revocation and, in cases of serious misconduct, contractual termination for material non-compliance with this policy.
Suspected non-compliance may be reported to the operator via the security contact email.
Document control
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0 | 2026-05-02 | Operator | Initial policy issued in connection with Plaid Production access application. |