Pane

Privacy Policy

Last updated: February 2026

Introduction

Pane is a hosted MCP (Model Context Protocol) server that connects your financial data to AI tools. Operated at pane.money, Pane lets you link your bank accounts once and access them through Claude, ChatGPT, Cursor, or any AI service that supports MCP.

This privacy policy describes what data we collect, how we use it, and how we protect it. By using Pane, you agree to the practices outlined here.

Information We Collect

Account Information

  • Email address (required, unique identifier)
  • Display name (from OAuth provider or user-provided)
  • Profile image URL (from OAuth provider)
  • Email verification status and timestamp

Authentication Data

  • Google OAuth tokens (access token, refresh token, ID token, scopes) stored in our accounts table
  • Magic link verification tokens (email, token, expiration) that expire after use
  • WebAuthn/passkey credentials (credential ID, public key, signature counter, device type, transport methods)
  • Session tokens stored as JWE-encrypted cookies (__Secure-authjs.session-token) with HTTP-only and Secure flags enabled

Financial Data (via Plaid)

When you link financial institutions through Plaid, we collect:

  • Financial institution names and identifiers
  • Account names, types (depository, credit, loan, investment), subtypes, and last 4 digits
  • Account balances (current, available, credit limit)
  • Transaction history: date, amount, currency, merchant name, transaction name, category, pending status
  • Recurring transactions: merchant, average amount, frequency, category, type (subscription/bill/income)
  • Plaid access tokens encrypted at rest using AES-256-GCM with unique initialization vectors
  • Plaid products used: transactions, balance, investments, liabilities, recurring_transactions. We do NOT request auth (account numbers) or identity (personal identification)

Some data is stored locally (transactions, balances, account metadata, recurring transactions, institution info), while other data is fetched live and cached temporarily (investment holdings cached for 15 minutes, liability details cached for 1 hour).

Billing Data (via Stripe)

  • Stripe customer ID and subscription ID
  • Subscription status (active, past_due, canceled, unpaid, trialing)
  • Plan type
  • Payment card details are never stored by Pane. All payment processing is handled by Stripe.

API Keys (for MCP Access)

  • Bcrypt-hashed key (cost factor 12, never stored in plaintext)
  • Key prefix for display (pane_sk_live_xxxxxxxxxxxx...xxxx)
  • User-defined label
  • Creation, last-used, and revocation timestamps

How We Use Your Information

  • To provide the Pane service (connecting financial data to AI tools via MCP)
  • To authenticate your identity and maintain sessions
  • To sync and display your financial data from linked institutions
  • To process subscription billing and metered usage (accounts beyond 10)
  • To enforce privacy scope settings you configure (full, balances_only, balances_and_redacted, hidden)
  • To detect and display recurring transactions (subscriptions, bills, income)
  • To generate financial insights (spending summaries, balance trends, upcoming bills)

Privacy Controls

Each linked financial institution has a configurable privacy scope that controls what data AI tools can access via MCP:

  • Full: All account data, transactions, and merchant names visible to AI tools
  • Balances only: Only account balance information; no transactions or merchant details
  • Balances and redacted: Balances and transactions visible, but merchant names replaced with "Redacted"
  • Hidden: Account completely hidden from MCP and not visible to any AI tool (still visible to you in the web dashboard)

You can change privacy scope at any time via the web dashboard. Privacy filtering is enforced in the services layer before any data reaches MCP clients.

Third-Party Services

Plaid (Financial Data)

Plaid connects to your financial institutions and provides transaction, balance, investment, and liability data. We request: transactions, balance, investments, liabilities, and recurring_transactions products. We do NOT request auth (account/routing numbers) or identity (SSN, address, phone).

Plaid's privacy policy applies to data they collect: https://plaid.com/legal

When you unlink an institution, we revoke the Plaid access token and delete all associated data.

Stripe (Billing)

Stripe processes all payments. We store only your Stripe customer ID and subscription ID. We never store your payment card details.

Stripe's privacy policy: https://stripe.com/privacy

PostHog (Analytics, Optional)

When enabled, PostHog collects page views, user interactions, and anonymous usage analytics. Your user ID and email may be associated with analytics events. PostHog uses localStorage and cookies for session persistence.

PostHog's privacy policy: https://posthog.com/privacy

Sentry (Error Monitoring, Optional)

When enabled, Sentry captures application errors and performance data for debugging. Request body data is scrubbed before sending to Sentry. We use a 10% sampling rate in production.

Sentry's privacy policy: https://sentry.io/privacy

Resend (Email)

Magic link authentication emails are sent via Resend from [email protected]. Resend processes your email address to deliver authentication emails.

Resend's privacy policy: https://resend.com/legal/privacy-policy

Google (OAuth)

If you sign in with Google, we receive your email, name, and profile picture. We store Google OAuth tokens to maintain your sign-in session.

Google's privacy policy: https://policies.google.com/privacy

Data Security

  • Plaid access tokens encrypted at rest with AES-256-GCM (unique IV and auth tag per token)
  • Encryption master key stored in Kubernetes sealed-secrets, never in source code
  • Session tokens encrypted as JWE (AES-256-CBC with HMAC-SHA512) using HKDF-derived keys
  • API keys hashed with bcrypt (cost factor 12) with plaintext never stored
  • All traffic encrypted in transit via HTTPS (TLS terminated at Cloudflare)
  • DDoS protection via Cloudflare
  • Database deployed within private Kubernetes cluster network
  • Redis cache within private cluster network
  • Rate limiting: 60 requests/minute per user (API), 30/minute + 1000/day (MCP)
  • Structured logging with PII redaction (Pino)

Data Sharing

  • We do NOT sell your personal or financial data
  • Financial data is shared with AI tools ONLY through your personal MCP endpoint, controlled by your privacy scope settings
  • We share data with third parties only as described in the Third-Party Services section
  • We may disclose data if required by law, legal process, or to protect our rights

Your Rights

  • Access: View all your data in the Pane web dashboard
  • Correction: Update your account information at any time
  • Deletion: Delete your account and all associated data (see Data Retention policy)
  • Portability: Your financial data is accessible via the MCP endpoint and web dashboard
  • Privacy Controls: Configure per-institution privacy scopes
  • Revocation: Revoke API keys instantly; unlink financial institutions at any time

For privacy inquiries, contact [email protected]

Cookies

  • __Secure-authjs.session-token: JWE-encrypted session cookie. HTTP-only, Secure. Essential for authentication.
  • PostHog cookies (when analytics enabled): Used for anonymous usage tracking. Can be blocked without affecting core functionality.

Children's Privacy

Pane is not intended for users under 18. We do not knowingly collect data from minors.

Changes to This Policy

We may update this policy. Changes will be posted at this URL with an updated "Last updated" date.

Contact

Email: [email protected]