Security

Last updated: 6 July 2026

Our approach

The most effective security decision in MoneyFitApp was made on day one: we never hold your bank credentials, because we never connect to your bank. There is no bank feed to breach. What we do hold — the figures you type in — is protected as described below, in plain English.

Signing in

Accounts are managed by Amazon Cognito, AWS's dedicated authentication service. Your password is handled entirely by Cognito — we never see it and never store it, in any form. Email verification is required when you sign up.

Protecting your data

  • Everything between your device and our servers travels over encrypted connections (HTTPS) — there is no unencrypted path
  • Your data is stored in AWS S3 as a single file private to your account, currently in AWS's US East region
  • Access is isolated per account: the storage permissions are scoped so a signed-in account can only ever reach its own file, never anyone else's
  • Server-side operations that touch your subscription verify you own it before doing anything

Payment security

Card and PayPal details are handled entirely by Lemon Squeezy, our merchant of record. They never pass through or rest on our systems. The credentials we use to talk to Lemon Squeezy are held server-side only — they are never present in the code that runs in your browser.

Your part

Use a strong, unique password for MoneyFitApp — a password manager makes that easy. We will never email you asking for your password, and no legitimate MoneyFitApp screen will ever ask for bank logins.

Found a problem?

If you believe you have found a security vulnerability, please email support@moneyfitapp.com with the details. Reports are read by the developer directly and taken seriously. For what data we hold and why, see the Privacy page.