Security
How we protect your data
CoreFi handles sensitive financial information. Here's exactly what we do to keep it safe, explained in plain English.
How we connect to your bank
We use TrueLayer (FCA FRN: 901096) for Open Banking connections. TrueLayer is authorised and regulated by the Financial Conduct Authority.
CoreFi receives read-only access to your bank data. We cannot make payments, move money, or modify your accounts.
Your bank credentials are never shared with CoreFi. Authentication happens directly with your bank via TrueLayer's secure OAuth flow.
You can disconnect your bank at any time from Settings. When disconnected, we stop fetching new data.
Encryption
All connections use TLS 1.3 (the same encryption used by banks) for data in transit.
Data at rest is encrypted using AES-256 on Supabase-managed PostgreSQL databases.
HMRC Government Gateway tokens are encrypted with AES-256-GCM using a separate key before storage.
API keys are hashed (SHA-256) before storage. We cannot see your API keys after creation.
Access controls
Row Level Security (RLS) on every database table ensures users can only see their own data.
All API endpoints verify authentication before returning data.
Admin access is restricted to specifically flagged accounts and is not available through the standard interface.
Session tokens are stored in cookies flagged HttpOnly, Secure and SameSite, so scripts cannot read them (limiting the impact of XSS) and browsers do not send them on cross-site requests (protecting against CSRF).
Your data, your control
Export all your data in JSON or CSV format at any time from Settings.
Request a full data deletion under GDPR. We delete everything within 30 days.
We never sell, share, or provide your data to third parties for advertising or profiling.
Calculation results and financial tools are processed on our servers and stored only in your account.
HMRC connection
HMRC Government Gateway connection uses OAuth 2.0 with PKCE — the same flow used by HMRC's own apps.
We include the Fraud Prevention Headers that HMRC legally mandates in every MTD API call.
HMRC tokens are stored encrypted (AES-256-GCM) and refreshed automatically. Tokens expire if unused.
You can disconnect from HMRC at any time. CoreFi does not submit returns to HMRC on your behalf.
Infrastructure
Hosted on Vercel (frontend) and Supabase (database) — both SOC 2 Type II compliant.
Database hosted in the EU. Backups are taken automatically and encrypted.
Content Security Policy, X-Frame-Options, HSTS, and other security headers are applied on all pages.
Rate limiting protects all public API endpoints from abuse.
Have a security concern? Contact us at legal@corefi.app. CoreFi is a trading name of JG Core Ltd (Company #16218779, England & Wales). Bank connections are provided by TrueLayer (FRN: 901096). CoreFi itself is not authorised or regulated by the FCA.