
Privacy Policy

Last updated: February 2026

Introduction

Pane is a hosted MCP (Model Context Protocol) server operated by Real Design, Inc. ("Company," "we," "us," or "our") that connects your financial data to AI tools. Operated at pane.money, Pane lets you link your bank accounts once and access them through Claude, ChatGPT, Cursor, or any AI service that supports MCP.

This privacy policy describes what data we collect, how we use it, and how we protect it. By using Pane, you agree to the practices outlined here.

Information We Collect

Account Information

  • Email address (required, unique identifier)
  • Display name (from OAuth provider or user-provided)
  • Profile image URL (from OAuth provider)
  • Email verification status and timestamp

Authentication Data

  • Google OAuth tokens (access token, refresh token, ID token, scopes) stored in our accounts table
  • Magic link verification tokens (email, token, expiration) that expire after use
  • WebAuthn/passkey credentials (credential ID, public key, signature counter, device type, transport methods)
  • Session tokens stored as JWE-encrypted cookies (__Secure-authjs.session-token) with HTTP-only and Secure flags enabled

Financial Data (via Plaid)

When you link financial institutions through Plaid, we collect:

  • Financial institution names and identifiers
  • Account names, types (depository, credit, loan, investment), subtypes, and last 4 digits
  • Account balances (current, available, credit limit)
  • Transaction history: date, amount, currency, merchant name, transaction name, category, pending status
  • Recurring transactions: merchant, average amount, frequency, category, type (subscription/bill/income)
  • Plaid access tokens encrypted at rest using AES-256-GCM with unique initialization vectors
  • Plaid products used: transactions, balance, investments, liabilities, recurring_transactions. We do NOT request auth (account numbers) or identity (personal identification)

Some data is stored locally (transactions, balances, account metadata, recurring transactions, institution info), while other data is fetched live and cached temporarily (investment holdings cached for 15 minutes, liability details cached for 1 hour).

Billing Data (via Stripe)

  • Stripe customer ID and subscription ID
  • Subscription status (active, past_due, canceled, unpaid, trialing)
  • Plan type
  • Payment card details are never stored by Pane. All payment processing is handled by Stripe.

API Keys (for MCP Access)

  • Bcrypt-hashed key (cost factor 12, never stored in plaintext)
  • Key prefix for display (pane_sk_live_xxxxxxxxxxxx...xxxx)
  • User-defined label
  • Creation, last-used, and revocation timestamps

How We Use Your Information

  • To provide the Pane service (connecting financial data to AI tools via MCP)
  • To authenticate your identity and maintain sessions
  • To sync and display your financial data from linked institutions
  • To process subscription billing and metered usage (accounts beyond 10)
  • To enforce privacy scope settings you configure (full, balances_only, balances_and_redacted, hidden)
  • To detect and display recurring transactions (subscriptions, bills, income)
  • To generate financial insights (spending summaries, balance trends, upcoming bills)

Privacy Controls

Each linked financial institution has a configurable privacy scope that controls what data AI tools can access via MCP:

Full

All account data, transactions, and merchant names visible to AI tools

Balances only

Only account balance information; no transactions or merchant details

Balances and redacted

Balances and transactions visible, but merchant names replaced with "Redacted"

Hidden

Account completely hidden from MCP and not visible to any AI tool (still visible to you in the web dashboard)

You can change privacy scope at any time via the web dashboard. Privacy filtering is enforced in the services layer before any data reaches MCP clients.

Third-Party Services

Plaid (Financial Data)

Plaid connects to your financial institutions and provides transaction, balance, investment, and liability data. We request: transactions, balance, investments, liabilities, and recurring_transactions products. We do NOT request auth (account/routing numbers) or identity (SSN, address, phone).

Plaid's privacy policy applies to data they collect: https://plaid.com/legal

When you unlink an institution, we revoke the Plaid access token and delete all associated data.

Stripe (Billing)

Stripe processes all payments. We store only your Stripe customer ID and subscription ID. We never store your payment card details.

Stripe's privacy policy: https://stripe.com/privacy

Crisp (Customer Support Chat)

When enabled, Crisp provides a live chat widget on our website. Crisp may collect your IP address, browser information, device type, pages visited, and any messages you send through the chat. If you are signed in, your email address may be associated with your chat session.

Crisp's privacy policy: https://crisp.chat/en/privacy/

PostHog (Analytics, Optional)

When enabled, PostHog collects page views, user interactions, and anonymous usage analytics. Your user ID and email may be associated with analytics events. PostHog uses localStorage and cookies for session persistence.

PostHog's privacy policy: https://posthog.com/privacy

Sentry (Error Monitoring, Optional)

When enabled, Sentry captures application errors and performance data for debugging. Request body data is scrubbed before sending to Sentry. We use a 10% sampling rate in production.

Sentry's privacy policy: https://sentry.io/privacy

Resend (Email)

Magic link authentication emails are sent via Resend from [email protected]. Resend processes your email address to deliver authentication emails.

Resend's privacy policy: https://resend.com/legal/privacy-policy

Google (OAuth)

If you sign in with Google, we receive your email, name, and profile picture. We store Google OAuth tokens to maintain your sign-in session.

Google's privacy policy: https://policies.google.com/privacy

Data Security

  • Plaid access tokens encrypted at rest with AES-256-GCM (unique IV and auth tag per token)
  • Encryption master key stored in environment variables, never in source code
  • Session tokens encrypted as JWE (AES-256-CBC with HMAC-SHA512) using HKDF-derived keys
  • API keys hashed with bcrypt (cost factor 12) with plaintext never stored
  • All traffic encrypted in transit via HTTPS (TLS terminated at Cloudflare)
  • DDoS protection via Cloudflare
  • Database deployed within private network
  • Redis cache within private cluster network
  • Rate limiting: 200 requests/minute per user (API), 30/minute + 1000/day (MCP)
  • Structured logging with PII redaction (Pino)

Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal or financial data, we will:

  • Investigate and take steps to contain the breach as quickly as possible
  • Notify affected users via email without unreasonable delay, and no later than as required by applicable law
  • Provide information about the nature of the breach, the types of data affected, steps we are taking to address it, and recommended actions you can take to protect yourself
  • Report the breach to relevant regulatory authorities as required by applicable law

Data Sharing

  • We do NOT sell your personal or financial data
  • Financial data is shared with AI tools ONLY through your personal MCP endpoint, controlled by your privacy scope settings
  • We share data with third parties only as described in the Third-Party Services section
  • We may disclose data if required by law, legal process, or to protect our rights

Data Location and Transfers

Pane's infrastructure, including our database and application servers, is hosted in the United States. By using Pane, you consent to the transfer and processing of your data in the United States. Third-party services (Plaid, Stripe, PostHog, Sentry, Crisp, Resend) may process data in their own data centers, which may be located outside your country of residence. Please review their respective privacy policies for details on their data handling locations.

Your Rights

Access

View all your data in the Pane web dashboard

Correction

Update your account information at any time

Deletion

Delete your account and all associated data (see Data Retention policy)

Portability

Your financial data is accessible via the MCP endpoint and web dashboard

Privacy Controls

Configure per-institution privacy scopes

Revocation

Revoke API keys instantly; unlink financial institutions at any time

For privacy inquiries, contact [email protected]

State-Specific Privacy Rights (United States)

California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it
  • Right to delete: You may request deletion of your personal information. Account deletion through the web dashboard fulfills this right.
  • Right to correct: You may request correction of inaccurate personal information
  • Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is no need to opt out because no sale or sharing occurs.
  • Right to non-discrimination: We will not discriminate against you for exercising any of these rights

Categories of personal information collected: Identifiers (email, name), financial data (account balances, transactions), internet activity (analytics, error logs), inferences (spending summaries, categorization).

To exercise these rights, contact [email protected]. We will verify your identity before processing any request. We aim to respond within 45 days.

Virginia, Colorado, Connecticut, and Other States

Residents of states with comprehensive privacy laws (including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others) have similar rights to access, correct, delete, and port their personal data. We do not sell personal data or use it for targeted advertising. To exercise any state privacy rights, contact [email protected].

Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws provide you with additional privacy rights.

Meaningful Consent

We obtain your meaningful consent before collecting, using, or disclosing your personal information. By creating a Pane account and linking your financial institutions, you consent to the collection and use of your data as described in this policy. You may withdraw consent at any time by deleting your account.

Purpose Limitation

We collect and use your personal information only for the purposes identified in this policy: providing the Pane service, processing payments, maintaining security, and improving our service through optional analytics.

Access and Correction

You have the right to access and correct your personal information. You can view your data through the Pane dashboard and update your account information at any time. For additional access requests, contact [email protected].

Retention

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected. When you delete your account, all personal and financial data is permanently removed from our systems.

Accountability

Our privacy officer is responsible for our compliance with PIPEDA. For privacy inquiries or complaints, contact [email protected]. If your concern is not resolved to your satisfaction, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

Additional Rights for EEA Residents (GDPR)

Legal Basis for Processing

  • Contract performance: Processing necessary to provide the Pane service, including financial data aggregation, account management, and MCP connectivity.
  • Legitimate interest: Security monitoring, fraud prevention, and service reliability.
  • Consent: Analytics and optional data sharing features. You can withdraw consent at any time through Settings.

Additional EEA Rights

In addition to the rights described above, EEA residents have the right to:

  • Restrict processing of your personal data
  • Object to processing based on legitimate interest
  • Data portability: export your data in a machine-readable format (available in Settings)
  • Lodge a complaint with your local supervisory authority

International Data Transfers

Pane is hosted in the United States. Your data is processed by our sub-processors, including Plaid, Stripe, and PostHog, which may transfer data internationally. These transfers are protected by Standard Contractual Clauses (SCCs) or applicable adequacy decisions. See our Sub-Processor List for details.

Data Protection

Real Design, Inc. is a small team with fewer than 250 employees and does not engage in large-scale systematic monitoring of data subjects, and is therefore exempt from the Article 37 requirement to appoint a Data Protection Officer. For privacy inquiries related to GDPR, contact [email protected].

Cookies and Tracking

  • __Secure-authjs.session-token: JWE-encrypted session cookie. HTTP-only, Secure. Essential for authentication.
  • PostHog cookies (when analytics enabled): Used for anonymous usage tracking. Can be blocked without affecting core functionality.
  • Google Analytics cookies (when analytics enabled): Used for page view tracking and usage analytics. Consent-gated, only loaded after you accept analytics in the consent banner. Can be blocked without affecting core functionality.
  • Crisp cookies (when chat widget enabled): Used for chat session persistence. Consent-gated, only loaded after you accept analytics in the consent banner. Can be blocked without affecting core functionality.

All analytics services (PostHog, Google Analytics, and Crisp) are consent-gated and will not load until you accept analytics tracking through the consent banner. Pane does not respond to Do Not Track (DNT) browser signals as there is no industry standard for compliance. However, you can control tracking through the consent banner and privacy controls described above.

Children's Privacy

Pane is not intended for users under 18. We do not knowingly collect data from minors. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as soon as possible. If you believe we have collected information from a minor, please contact [email protected].

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated through the Service or via email at least 14 days before they take effect. Changes will be posted at this URL with an updated "Last updated" date. Your continued use of Pane after changes take effect constitutes acceptance of the updated policy.

Contact

Real Design, Inc.

Email: [email protected]