Security
Quincena is a budgeting tool for your paychecks. The most sensitive thing it ever holds is an account nickname and four digits — and that is a deliberate design choice. Here is exactly how your information is protected.
No bank logins — ever
Quincena has no bank syncing at all. There is no Plaid, no bank credentials, no account or routing numbers, and no third-party access to your money. You type in nicknames and the last four digits of your accounts, and that is the entirety of what we ever ask for. This is our single biggest security feature: we can't leak what we never collect.
What we store — and what we don't
- We store: your email address, the budget you enter (pay schedule, income amounts, expense names/amounts, account nicknames and last-four digits, debt balances and rates), and — if you upgrade — your subscription status and a Stripe customer reference.
- We never store: bank or brokerage credentials, full account, card, or routing numbers (the forms reject them), Social Security numbers, or any password.
Encryption
All traffic is encrypted in transit over HTTPS, and HTTP Strict Transport Security (HSTS) forces every connection to stay encrypted. Your data is encrypted at rest in the database.
Your data is yours alone
Access is enforced with row-level security: your budget is readable only by your own authenticated account, at the database layer — not just in the interface. Budget writes go exclusively through server-side code scoped to your account, so nothing can be altered from another session.
Passwordless sign-in
You sign in with a one-time email link or code — there is no Quincena password to guess, reuse, or steal. Sessions are protected against cross-site request forgery, and sign-in links are validated against our own origin so they can't be used to redirect you elsewhere.
Payments
Subscriptions are handled by Stripe, a PCI-compliant payment processor. Your card details go straight to Stripe and are never seen or stored by Quincena — we only receive a signed confirmation that your subscription is active.
Hardening
- Security headers on every response: HSTS, frame-blocking (clickjacking protection), MIME-sniffing protection, and a strict referrer policy.
- No advertising trackers and no cross-site tracking cookies.
- We do not sell or rent your information to anyone.
You're always in control
Export your entire budget as a CSV anytime, and delete your account — along with all of its data — with one action in Settings. Deleting your account also cancels any active subscription first, so you're never left being charged.
Reporting a vulnerability
Found a security issue? We want to hear about it. Email support@quincena.moneywith the details and we'll respond promptly. Please give us a reasonable chance to fix an issue before disclosing it publicly.