How Steady handles your data

Transparency about what we access, why, and how we protect it.

Last updated: 16 April 2026

What data we access

When you connect a bank account, Steady receives read-only access to the following information:

  • Account names and types (e.g. cheque, savings, credit card)
  • Account balances
  • Transaction history — merchant name, amount, date, and category

We do not access your bank login credentials, credit card numbers, or any information that could be used to move money.

Why we access it

Your financial data is used solely to power Steady's features:

  • Categorise your spending automatically
  • Track progress toward savings goals
  • Calculate your safe-to-spend amount
  • Detect recurring bills and subscriptions
  • Provide personalised financial insights
  • Generate your financial health score

We never use your data for advertising, profiling, or selling to third parties.

How we connect to your bank

Steady connects to your bank through Akahu, New Zealand's regulated open banking platform. Akahu is registered with the Financial Markets Authority (FMA) as a prescribed intermediary service provider.

When you connect an account, you authenticate directly with Akahu using OAuth — Steady never sees or handles your bank password. Akahu then securely provides us with read-only access to the data described above.

Security measures

We take multiple steps to protect your data:

  • AES-256 encryption for stored tokens and sensitive data
  • TLS 1.3 encryption for all data in transit
  • Read-only access — we cannot move money, make payments, or modify your accounts
  • No credential storage — your bank passwords are never shared with us
  • Webhook verification — HMAC-SHA256 signature validation on all incoming data from Akahu
  • Rate limiting on all API endpoints to prevent abuse
  • Security headers — CSP, HSTS, and X-Frame-Options on all responses

Who can see your data

Only you. Your financial data is private by default:

  • No other Steady user can see your transactions, balances, or goals
  • We do not sell, share, or license your data to third parties
  • Social features (like friends and challenges) only share what you explicitly opt into
  • Service providers (listed in our Privacy Policy) receive only the minimum data required to operate the service

AI usage

Steady uses Anthropic's Claude API to power the "Ask Steady" chat feature and assist with transaction categorisation.

When you ask a question, we send financial context to generate a response. This includes aggregated data such as:

  • Total account balance (aggregated, not per-account)
  • Monthly spending totals and top categories
  • Recent transactions (merchant, amount, category, date)
  • Savings goals and progress
  • Monthly income estimate

We do not send your name, email, bank account numbers, or other directly identifying information to Anthropic. Your prompts and responses are not stored by Anthropic after the request completes, and are not used to train their models.

Data retention

We retain your data for as long as your account is active.

When you disconnect a bank account:

  • The connection to your bank is immediately revoked via Akahu
  • No new data is fetched from that account
  • Historical transaction data is retained so your spending history and insights remain intact, unless you request deletion

When you delete your account:

  • All bank connections are immediately revoked
  • All personal data is permanently deleted within 30 days
  • AI chat history is deleted
  • Anonymised, aggregated data (e.g. average category spending across all users) may be retained for service improvement

Your rights

You are in control of your data at all times:

  • Disconnect any bank account instantly from Settings or directly via Akahu
  • Export your data in a portable format via Settings
  • Delete your account and all associated data
  • Access the personal information we hold about you (Privacy Act 2020, IPP 6)
  • Correct any inaccurate data (Privacy Act 2020, IPP 7)
  • Complain to the Office of the Privacy Commissioner if you believe your privacy has been breached

Regulatory compliance

Steady is built to comply with New Zealand privacy and financial regulations:

  • Akahu is registered with the Financial Markets Authority (FMA) as a prescribed intermediary service provider
  • We comply with the New Zealand Privacy Act 2020 and its Information Privacy Principles
  • International data transfers (to US-based service providers) are handled in accordance with IPP 12
  • We maintain a Privacy Policy and Terms of Service that detail our obligations and your rights

Questions?

If you have any questions about how we handle your data, please contact us at privacy@steady.nz. You can also review our Privacy Policy and Security pages for more detail.
