Sorafin Privacy Policy
Overview
Sorafin is a native Mac and iOS application for personal finance management. It is not a web application and does not operate any servers. All financial data is stored locally on your device — it never leaves your device except via Plaid's own API when you connect a financial institution.
What Data We Collect
We collect nothing. Sorafin does not operate servers, does not have user accounts, and does not receive any data from your device.
Your financial data (accounts, transactions, balances) is fetched from Plaid and stored locally on your device in an encrypted SQLite database (SQLCipher AES-256). That data never touches a Sorafin server because no such server exists.
Authentication
Sorafin authenticates you via Touch ID or Face ID (biometric authentication provided by your device's Secure Enclave). There are no passwords, no Sign In with Apple, and no third-party OAuth. No identity data is transmitted anywhere.
Data Storage
| What | Where | How protected |
|---|---|---|
| Financial accounts & transactions | Your device (SQLite) | SQLCipher AES-256 encryption at rest |
| Plaid access token | Your device (Keychain) | iOS/macOS Keychain, Secure Enclave-backed on Apple Silicon |
| Biometric credential | Your device (Secure Enclave) | Never leaves the chip; managed entirely by the OS |
No data is stored in any cloud service, server, or database operated by Sorafin.
Plaid Integration
Sorafin uses Plaid to connect to your financial institutions. The Plaid link flow runs entirely on your device:
- A
link_tokenis requested directly from Plaid on your device. - You complete the Plaid Link UI on your device.
- The resulting
public_tokenis exchanged for anaccess_tokendirectly on your device. - The Plaid
access_tokenis stored in your device's Keychain.
Plaid never communicates with a Sorafin server. Plaid holds your bank credentials and raw financial data per Plaid's own Privacy Policy.
Third-Party Data Processors
| Service | Purpose | What they receive |
|---|---|---|
| Plaid | Bank account connection and transaction retrieval | Your bank credentials (held by Plaid, not Sorafin); Plaid access token stored locally on your device |
Sorafin does not use analytics services, crash reporting, advertising networks, or tracking of any kind.
Data Deletion
To delete all your data: delete the Sorafin app. The OS removes the app's data directory (which contains the SQLite database) automatically. The Keychain entry for your Plaid access token is also removed when you delete the app. There is no account to cancel and no server-side data to request deletion of.
No Server, No Logs, No IP Collection
Sorafin does not operate servers, does not log network addresses, does not write access logs, and does not maintain session tokens. You are the sole operator of your own data.
Contact
Questions or concerns? Open an issue at the Sorafin GitHub repository.