Security
Last updated: 16 July 2026
Payvii's security model starts from an unusual place: we don't hold your data. The most effective way to protect consumer financial data from a breach of our servers is to not have servers that store it.
Architecture
- Local-first. All financial data is stored in a database on your own device. Payvii operates no data-holding servers, and this website holds no consumer data.
- Read-only bank access. Connections are made through regulated open-banking providers with account-information access only — Payvii cannot move money or change anything at your bank, and never sees your banking login.
- Reversible by design. Imports are audited and can be undone; connections and data can be deleted by you at any time.
Data protection
- All connections to banking providers use TLS 1.2+ encryption in transit.
- Data at rest is protected by device-level full-disk encryption, with application-level database encryption on the committed roadmap ahead of general availability.
- Backups, where used, are encrypted (AES-256) and stored only on media you control.
- Payvii sets no analytics cookies and runs no third-party trackers.
Practices
- Documented information security, data-retention and vulnerability-management policies, reviewed every six months.
- Automated dependency vulnerability alerts and scheduled updates on all Payvii repositories, with severity-based fix timelines.
- Multi-factor authentication on the accounts that control Payvii's code and infrastructure.
Reporting a vulnerability
If you believe you've found a security issue in Payvii or this website, please email hello@payvii.co. Good-faith reports are welcomed and acknowledged within 72 hours. Please don't access data that isn't yours or disrupt the service while investigating.