Security & privacy
How pocketii handles sign-in, data in transit, and your exports. This is a technical summary, not legal advice.
Authentication
Sessions use signed JWT access tokens and rotating refresh tokens. Passwords are hashed with bcrypt. OAuth (Google, Apple) uses standard authorization flows; we do not store third-party passwords.
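As an added illustration of what "rotating refresh tokens" means in practice (this is not pocketii's code; the in-memory store, the hashed-token storage and the revoke-the-whole-family policy on reuse are assumptions): each refresh token is single-use, presenting it yields a replacement, and presenting an already-rotated token revokes every token descended from the same login.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class RefreshStore:
    """Illustrative in-memory model of rotating refresh tokens."""
    # sha256(token) -> {"family": login-session id, "used": already rotated?}
    tokens: Dict[str, dict] = field(default_factory=dict)
    revoked_families: Set[str] = field(default_factory=set)

    @staticmethod
    def _h(token: str) -> str:
        # Only a hash is stored, so a leaked store does not expose live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, family_id: Optional[str] = None) -> str:
        """Mint a fresh opaque refresh token; a new family starts at login."""
        family_id = family_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = {"family": family_id, "used": False}
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for its successor, or None if rejected."""
        rec = self.tokens.get(self._h(presented))
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # A token that was already rotated is being replayed: either a
            # client bug or a stolen copy. Revoke the whole family so neither
            # the legitimate client nor the thief can continue silently.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self.issue(rec["family"])
```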
Transport & storage
Production traffic should use HTTPS (TLS). Bank link tokens and sensitive integration secrets are encrypted at rest when ENCRYPTION_KEY is configured. Gmail OAuth tokens are stored encrypted in the expense database when a key is present.
Your data
Pocketii has no ads, and we do not sell your data. Data processing is limited to product functionality like budgeting, forecasting, and connected account sync.
Profiling & automated insights
Some features combine your cash-flow, goals, and portfolio data to produce scores, surplus estimates, and suggestions. These outputs are for your information only and are not individualized investment, tax, or legal advice. Where applicable law treats this as automated decision-making or profiling, you may request a copy of your data (including exports), ask questions, or object by contacting support. The in-app data export includes related fields when services are configured.