Security

Last updated July 2026

PFO holds some of your most sensitive information, so security shapes how the whole app is built rather than something added at the end. Two rules sit underneath everything here: we can never touch your money, and the AI never learns who you are.

We can never move your money

PFO is information-only. Bank connections are read-only, so the app can read your transactions to show you where you stand and nothing more. The feeds come from a licensed data partner under Australia's Consumer Data Right (open banking), which grants no payment or write access of any kind — only permission to read the accounts you choose. You authorise each connection, and you can switch it off whenever you want. Rather not connect a feed? Add and update your accounts by hand.

The AI never learns who you are

This is the part most people worry about: handing financial data to an AI. So we built the coach to answer your questions without ever knowing who you are. Every question runs through these steps first:

01

Your identity is stripped

Merchant, account, goal and holding names are replaced with anonymous, typed tokens — for example, "Merchant 1 · food delivery" — before your question is assembled.

02

The reverse-map never leaves us

The lookup that could turn those tokens back into real names stays on our own servers. It is never sent to the AI provider — so even a complete prompt log on their side reveals nothing about who you are or who you bank and shop with.

03

Never used for training

Your financial data is never used to train any model, ours or the provider's, and your receipts stay out of the AI path entirely.

04

Grounded answers only

The coach answers from your real numbers. If a figure isn't in your accounts, it won't invent one.

Your data is stored in Australia

PFO runs on Google Cloud in Sydney (australia-southeast1). Your accounts, transactions and receipts are stored onshore, not shipped offshore. (When the coach reasons over your numbers, only the anonymised tokens above ever leave, never your identity.)

Encryption

In transit. Every connection to PFO uses TLS, and we enforce HTTPS with a strict-transport policy (HSTS) on both this website and the app's API, so traffic can't be silently downgraded.

At rest. Your data is encrypted at rest in our database, and receipts are encrypted too. The most sensitive secrets — your two-factor key and any bank-feed tokens — get a second layer of encryption under a dedicated key kept separate from the one that signs your login, so no single leaked key can unlock everything.

Your account

No ads, no selling your data

PFO makes money one way: your subscription. No ads, no product commissions, and we never sell or rent your personal information. That keeps our interests lined up with yours, because your data only ever works for you.

Your data is yours

Export everything — JSON, a PDF statement, or a full archive — whenever you want. You can also delete your account and all its data from inside the app, and that deletion is permanent.

Reporting a security issue

Found a vulnerability? We want to hear from you. Email security@personalfinancialofficer.com; it's listed in our security.txt. We welcome responsible disclosure and will work with you to confirm and fix it.

PFO is an independent Australian company. This page describes our security as it stands today, and we'll keep it current as our practices change. It's here for transparency, not as a contractual warranty. See also our Privacy Policy.

Get early access