Last updated: March 5, 2026
Stache uses industry-standard security practices to protect financial data and maintain system integrity. Stache does not sell, rent, or trade personal financial data. This page summarizes the core security policies that govern how Stache protects user data, including our Information Security Policy, Access Control Policy, and Data Retention & Deletion Policy.
Stache collects limited financial data through the Plaid API, including account balances, transaction data, and account metadata required for reconciliation and reporting. Financial institution credentials are never stored by Stache. Authentication with financial institutions occurs directly through Plaid Link.
All communications between users, infrastructure, and external services are encrypted using TLS 1.2 or higher. Encryption is enforced through Vercel HTTPS infrastructure, Apple App Transport Security (iOS/macOS apps), Supabase encrypted database connections, and Plaid API HTTPS connections. HTTP traffic is prevented through HSTS headers.
All consumer data stored by Stache is encrypted at rest using infrastructure-level AES-256 encryption provided by Supabase. This includes Plaid access tokens, account balances, transaction records, user account data, and file storage objects.
Users authenticate using secure identity providers including Google OAuth. Authentication is required before accessing financial data or connecting financial institutions through Plaid.
Stache infrastructure is hosted on managed platforms including:
These providers implement industry-standard security controls including network isolation, encryption, and system monitoring.
Software dependencies and infrastructure components are regularly updated. Security practices include monitoring dependency security advisories, applying security updates, and replacing end-of-life software.
In the event of a suspected security incident, affected credentials are revoked or rotated, impacted systems are reviewed, and remediation steps are implemented. Users will be notified if an incident is determined to impact consumer data.
Access to Stache systems and infrastructure is limited to what is necessary to operate the platform.
Users may only access financial data associated with their own account. Database row-level security (RLS) policies enforce this restriction, ensuring that queries are automatically scoped to the authenticated user.
Role-based access control is implemented within the database and application layers. Administrative operations require elevated roles. Standard users cannot access administrative functions.
Production infrastructure access is restricted to authorized administrators. Administrative access is managed through Google Workspace, Vercel authentication, and Supabase administrative roles.
Stache never stores financial institution login credentials. Authentication occurs directly through Plaid Link. Plaid securely manages authentication with financial institutions.
Users may disconnect financial institutions at any time. When a financial institution is disconnected, the Plaid access token is revoked, synchronization stops, and future data imports cease. Historical transaction data may remain in the user account to preserve financial records and reporting.
Users may request deletion of their Stache account. When a deletion request is submitted, financial institution access tokens are revoked, user authentication credentials are removed, and associated financial data is scheduled for deletion. A 30-day grace period allows users to cancel or export their data before permanent removal.
Transaction data may be retained while a user account remains active in order to provide financial management features. Limited operational records may be retained for security monitoring, fraud prevention, and legal compliance.
If you believe you have discovered a security vulnerability in Stache, please report it to support@stache.finance. For full details on how we handle your data, see our Privacy Policy.