We know keeping your data yours can be a struggle. That's why we make sure that working in Messenger doesn't mean sharing your personal details with Facebook.
How we stop Facebook getting access to bank details or transactions
We take a few steps to make sure data you input is always secure.
Your account setup - where you input personal details and link your bank account - is done in a secure webview. A webview is a website embedded into Facebook Messenger that is generated by our servers, not by Facebook. This means that Facebook cannot see it or what happens there.
You will also notice this when you perform certain actions in Plum, such as checking your investments or savings. If you notice a new window open rather than the normal chat, you are in a webview 🔒
What else do you do to protect my data?
- We never store (or have access to) your bank login details
- We get read-only access to your transaction data, so in the unlikely event of a breach, no money can be transferred out of your bank account
- We use symmetric cryptography (AES) to store any sensitive data
- We use state-of-the-art password algorithms
- We use 256-bit TLS encryption to communicate between the browser and our servers
- We are a registered data controller and always act in compliance with the Data Protection Act
- Our servers run on Amazon's cloud, trusted by some of the biggest financial institutions in the world
How do you move money if you don't store my bank login details?
You connect Plum to your bank account in two ways: (i) read-only access to your bank account to determine auto-savings and insights, and (ii) a Direct Debit Mandate (like your phone company or gym membership) for the auto-savings.
Your bank login details are transmitted encrypted from the webview at sign up to our server and are then forwarded to Yodlee, our aggregation partner, for further encryption and safe storage.
Yodlee is the world leader in transaction aggregation, the process of granting applications read-only access to your data, and has been around for 17 years. It supports over 5000 financial institutions worldwide and is used by a number of major banks in the US and the UK as well. You can read more on Yodlee's security practices here.
What happens to my data if I cancel?
If you cancel your Plum account, your Direct Debit Mandate is cancelled immediately. We also disconnect your bank account from Plum and cease all fetching of account data. This means we can no longer see data like your bank account, bank account number, sort code, balances, and transaction data.
Cancelling does not automatically delete historical information held on the service Plum provided for you, such as your Plum transactions (deposits, withdrawals, investments) or identifiers such as your email address. If you would like to fully scrub these details from the Plum database, just let us know by emailing our support team at email@example.com and asking for a 'data deletion'.
Do you sell any data?
We value our users' privacy and will never sell your data, personal details or transaction information. We keep our lights on with a £1 monthly fee for users who use the Investments feature.
If you have any other questions about how security works at Plum, email firstname.lastname@example.org.