Alenjo handles financial data, so security is not optional. It is foundational. This page explains how we protect your information at every layer, what responsibilities fall on the services we use, and what you can do on your end.
Your Bank Credentials
The most important thing to know: Alenjo never sees your bank username or password.
When you connect a bank account, you interact with Plaid, a financial data platform used by thousands of apps. Plaid opens a secure, sandboxed widget where you log in directly with your bank. Your credentials are exchanged between your browser, Plaid, and your bank. They never pass through our servers.
What we receive from Plaid is a read-only access token. That token lets us request your balances and transactions, but it cannot be used to move money, make payments, or modify your accounts in any way.
Data in Transit
Every connection between your browser and our services uses HTTPS with TLS encryption. This applies to:
Requests to our database (Supabase)
Requests to Plaid's API
Loading the app itself from GitHub Pages
Any third-party resources (fonts, logos)
There are no unencrypted connections. All data in transit is encrypted. Full stop.
Data at Rest
Your data is stored in Supabase, which runs on PostgreSQL. Supabase encrypts all data at rest and runs in SOC 2 Type II compliant infrastructure.
We enforce row-level security on every table in our database. This means your data is isolated at the database level. Each query is automatically scoped to your user ID. Even if a vulnerability existed in our application code, the database itself would prevent cross-user data access.
Authentication
Alenjo uses email and password authentication through Supabase Auth. Here is how it works:
Your password is hashed using bcrypt before storage. We never store it in plain text.
When you sign in, you receive a short-lived JSON Web Token (JWT) that expires after one hour.
Your session is cleared every time you close or reload the app. There is no "remember me." You sign in fresh each time.
All server-side functions verify your JWT before processing any request.
Alenjo does not currently support two-factor authentication. We plan to add it in the future.
Server-Side Functions
Alenjo runs a small number of server-side functions on Supabase Edge Functions. These handle the sensitive operations that should not happen in your browser:
Plaid token exchange. Converts the temporary public token from Plaid's widget into a permanent access token. This happens server-side so the access token is never exposed to the client.
Transaction syncing. Periodically fetches your latest transactions from Plaid and stores them in the database.
Account cleanup. When you disconnect a bank, this function deletes all associated data and revokes the Plaid access token.
Every edge function requires a valid, authenticated session token. Unauthenticated requests are rejected.
What We Do Not Do
We do not store your bank login credentials. Ever.
We do not have write access to your bank accounts. We can only read balances and transactions.
We do not run analytics or tracking scripts. There are no third-party scripts monitoring your behavior.
We do not use cookies.
We do not transmit financial data to any service other than Plaid (to fetch it) and Supabase (to store it).
Client-Side Security
On the frontend:
All user-generated content is escaped before rendering to prevent cross-site scripting (XSS).
The app uses a self-destructing service worker that clears all browser caches on every load. This prevents stale or compromised cached data from persisting.
We set strict cache-control headers to prevent browsers from storing sensitive pages.
No financial data is stored in local storage. Only UI preferences like your last-viewed tab.
Third-Party Security
We rely on a small number of trusted services. Here is how each handles security:
Plaid. SOC 2 Type II certified, regularly audited, handles bank credentials in an isolated environment. Plaid's infrastructure is built specifically for financial data and is used by major financial institutions. Read more about Plaid's security.
Supabase. SOC 2 Type II compliant, runs on AWS with encryption at rest and in transit. Row-level security enforced at the database layer. Read more about Supabase security.
GitHub Pages. Serves the static app files over HTTPS. No user data is processed by GitHub.
What You Can Do
Use a strong, unique password. Your Alenjo password should not be the same as your bank password or any other service.
Do not share your login. Alenjo accounts are single-user. Sharing access means sharing visibility into all connected financial data.
Disconnect banks you no longer use. If you close a bank account or stop using Alenjo with a particular institution, disconnect it in Settings. This deletes the data and revokes the Plaid access token.
Keep your device secure. Alenjo runs in your browser. If someone has access to your unlocked device, they could access your session.
Reporting a Vulnerability
If you find a security issue, please email isaiahaaguilar1@gmail.com. We take every report seriously and will respond promptly. Please do not publicly disclose vulnerabilities before we have had a chance to address them.