Security
PFO holds some of your most sensitive information, so security shapes how the whole app is built rather than something added at the end. Two rules sit underneath everything here: we can never touch your money, and the AI never learns who you are.
We can never move your money
PFO is information-only. Bank connections are read-only, so the app can read your transactions to show you where you stand and nothing more. The feeds come from a licensed data partner under Australia's Consumer Data Right (open banking), which grants no payment or write access of any kind — only permission to read the accounts you choose. You authorise each connection, and you can switch it off whenever you want. Rather not connect a feed? Add and update your accounts by hand.
The AI never learns who you are
This is the part most people worry about: handing financial data to an AI. So we built the coach to answer your questions without ever knowing who you are. Every question runs through these steps first:
Your identity is stripped
Merchant, account, goal and holding names are replaced with anonymous, typed tokens — for example, "Merchant 1 · food delivery" — before your question is assembled.
The reverse-map never leaves us
The lookup that could turn those tokens back into real names stays on our own servers. It is never sent to the AI provider — so even a complete prompt log on their side reveals nothing about who you are or who you bank and shop with.
Never used for training
Your financial data is never used to train any model, ours or the provider's, and your receipts stay out of the AI path entirely.
Grounded answers only
The coach answers from your real numbers. If a figure isn't in your accounts, it won't invent one.
Your data is stored in Australia
PFO runs on Google Cloud in Sydney (australia-southeast1). Your accounts, transactions and receipts are stored onshore, not shipped offshore. (When the coach reasons over your numbers, only the anonymised tokens above ever leave, never your identity.)
Encryption
In transit. Every connection to PFO uses TLS, and we enforce HTTPS with a strict-transport policy (HSTS) on both this website and the app's API, so traffic can't be silently downgraded.
At rest. Your data is encrypted at rest in our database, and receipts are encrypted too. The most sensitive secrets — your two-factor key and any bank-feed tokens — get a second layer of encryption under a dedicated key kept separate from the one that signs your login, so no single leaked key can unlock everything.
Your account
- Passwords are hashed with Argon2id, a modern memory-hard algorithm — we never store, log or see your actual password.
- Two-factor authentication using any standard authenticator app is available for an extra layer on sign-in.
- Sessions use short-lived access tokens with rotating refresh tokens and reuse detection: if a stolen token is ever replayed, that session is revoked automatically.
- Rate limiting on sensitive endpoints blunts brute-force and abuse.
No ads, no selling your data
PFO makes money one way: your subscription. No ads, no product commissions, and we never sell or rent your personal information. That keeps our interests lined up with yours, because your data only ever works for you.
Your data is yours
Export everything — JSON, a PDF statement, or a full archive — whenever you want. You can also delete your account and all its data from inside the app, and that deletion is permanent.
Reporting a security issue
Found a vulnerability? We want to hear from you. Email security@personalfinancialofficer.com; it's listed in our security.txt. We welcome responsible disclosure and will work with you to confirm and fix it.
PFO is an independent Australian company. This page describes our security as it stands today, and we'll keep it current as our practices change. It's here for transparency, not as a contractual warranty. See also our Privacy Policy.