Your Budgeting App Is Watching You. Mine Can't.
Most budgeting apps run on bank-linking and ad revenue. YourDigits is built the opposite way: no bank logins, on-device voice, your data stays yours.
Your financial data is probably the most sensitive data you own. It's a list of every place you've been, every habit you have, every person you pay, every medical bill you've been afraid to open. If someone wanted to know almost anything about your life, your transaction history would tell them faster than your text messages would.
So it's worth asking: when you download a free budgeting app and link your bank account to it, where is all that actually going?
What "link your bank account" actually means
Most budgeting apps work the same way. You download the app, it asks you to log in to your bank, you enter your bank username and password, and a third party you've never heard of holds onto those credentials and pulls your transactions out of your bank on a schedule. The app you're using doesn't really do the connecting. A separate company, a bank-linking aggregator, does.
That aggregator is the thing that actually has your transaction history. Not the app. The aggregator sits in between. It reads your account every few hours, parses what's there, and passes it through to the app you downloaded.
This isn't inherently evil. It's how the industry works. Plenty of these aggregators are careful with data and take security seriously. But it means two things are happening that most people don't think about when they click "link account."
The first is that a third-party company, not just the app, has a continuous read-only window into your financial life. They know what you earn, what you owe, what you buy, where you live, who your landlord is, how often you use BNPL, whether you have a gambling habit.
The second is that your bank's terms of service almost certainly say you're not supposed to share your login details with anyone. When you enter your bank password into a budgeting app you're often breaking that agreement, which can weaken the fraud protections your bank otherwise gives you.
None of this is secret, by the way. It's in the terms of service of the app you downloaded. Those just aren't documents most of us read.
The other problem: how "free" apps stay free
The second layer is the business model. A lot of budgeting apps are free to download. Which is lovely until you ask how the company pays its engineers, its servers, its marketing. Three answers are common.
One: they sell aggregated, "anonymised" transaction data to researchers, hedge funds, advertisers, or retailers. The word "anonymised" is doing a lot of work here, because researchers have shown repeatedly that anonymised transaction data can be re-identified with very little extra information.
Two: they show you ads or affiliate recommendations for financial products. Credit cards, loans, insurance, investment accounts. The recommendations are influenced by what they know about your spending, which ends up being pretty much everything.
Three: they upsell you a paid tier and use the free tier as a funnel. This is the cleanest of the three but it's rarer than the first two.
If you download a free app that connects to your bank and shows you insights, it's reasonable to assume at least one of those three is how it stays alive. And all three depend on the app having your data in the first place.
I built this differently on purpose
The architecture choice is about trust. The Leak Ladder tells you what to fix first and that only works if you trust the system with the data that feeds it. No bank logins, no aggregators, no one else in the middle.
By the time I started building YourDigits in December 2025 I had 4,600+ personal transactions recorded across about five years. That's a lot of data about my life, and I don't want it sitting on a server I don't control, being read by a company whose name I've never heard of.
The real reason I took privacy seriously from day one though was something that happened before I even started building this app.
In June 2025 "vibecoding" became a thing. Builders were spinning up apps in a weekend using AI tools and shipping them. A lot of them shipped beautiful frontends with completely exposed databases behind them. I remember seeing posts where someone's entire user table was public. Email addresses, password hashes sometimes, personal information, just sitting there because the default configuration of the database had been left open. Not because the builders were reckless. Because they didn't know the defaults were unsafe.
I was building my first app at the time, a web puzzle thing, and I watched this happen and thought: if I ever build something that touches financial data, I can't be one of those builders.
I'm not a security engineer. I can't write the low-level code that locks down a database. What I can do is set the rules. I learned about row-level security, which is a database rule that says a user can only ever read their own rows. I learned about qualifying database objects, which is writing queries so they can't accidentally reach into the wrong table. I learned about pinning search paths, which is a way of making sure the database runs the code you wrote and not a sneaky version something else injected. I don't execute any of this myself. What I did was build a security checklist from the things I learned in that period and write it into the rules my AI tools follow whenever they touch the codebase. Every migration gets checked against the list. Every new table, every new query, every permission change.
When I started YourDigits in December I applied the checklist from the first commit, not after launch or after the first bug report came in.
What that looks like from the user's side
Here's what it actually means if you're using the app.
No bank logins, first of all. The app never asks for your bank username or password. There's no aggregator in the middle. You enter transactions yourself, either by voice, by typing, or by importing a CSV you exported from another app. The tradeoff is that the app doesn't automatically see your transactions the moment they happen, so you decide what enters the app. That's actually the point.
Voice stays on your phone too. When you voice-log a transaction ("spent fifteen at Woolies for lunch") your phone does the transcription itself. The audio doesn't get uploaded anywhere. It's processed locally by the speech recognition built into iOS. The only thing that leaves your phone is the text your phone produced from the audio, and that text goes to a parser that turns it into a structured transaction (amount, category, merchant). No audio file sits on any server because no audio file ever leaves the device in the first place. I wrote more about how that specifically works in Voice-Log Your Spending in 5 Seconds if you want the details.
The app itself has a biometric lock. You can turn on Face ID or Touch ID, and after five minutes of inactivity it locks itself automatically. So if you hand your phone to a friend to show them a photo and forget you had the app open they can't scroll through your spending.
Your data stays yours. CSV and PDF export are in settings, and you can pull everything out whenever you want. If you ever decide this app isn't for you, you're not stuck. Your history travels with you. No wait period, no "contact support to request an export" step.
No ads, no data selling either. The business model is a subscription. You pay for the app and that's how the app stays alive. I picked this on purpose because I wanted the incentives to point in the same direction as the user. If the only way the company makes money is if users like the product enough to pay for it, then the company's job is to make a product users like. Everything else falls out of that.
The one thing the app does phone home about is product analytics. Which screens people open, how long the app takes to load, whether a particular flow is getting abandoned. This goes to PostHog and it's not tied to your financial data in any way. It helps me figure out what's broken and what's confusing. It never touches your transactions, your balances, or your categories.
The tradeoff I'm asking you to make
There is a tradeoff here and I'd rather be honest about it. If you use an app that links to your bank automatically, your transactions appear without you doing anything. It's less work up front. If you use an app like this one you have to actually say or type the things you spent money on. Voice entry makes that take roughly five seconds per transaction but it's still five seconds instead of zero.
The thing you're getting in exchange is that nothing about your financial life leaves your phone except the text you choose to say. Your bank password isn't sitting with a third party. Your transaction history isn't being sold to a research database. Your voice recordings aren't being stored anywhere, because they're never recorded as files in the first place. The app can't read anything you didn't decide to tell it.
For the kind of data your transactions actually are, I think that's a tradeoff worth making. But it's your data, so it's your call.
Try it
If you want to see where you stand before installing anything, take the Know Your Digits quiz first. roughly 3 minutes, no signup, no bank linking. It tells you which of the 9 leaks in the Leak Ladder are currently draining your finances, and that's the same priority order the app uses once you install it.
YourDigits is on the App Store now. Voice entry, no bank logins, on-device transcription, full export, biometric lock. All of it is live from the first time you open the app. If you want to see how the full detect-task-adapt cycle sits on top of this privacy architecture, that's covered in Budget, Track, Adapt: The Full Cycle in Action.
Your financial data is the most sensitive data you have. It's worth checking how the app you trust with it is actually built.
Related reading:
- Voice-Log Your Spending in 5 Seconds
- Budget, Track, Adapt: The Full Cycle in Action
- The Leak Ladder: The Complete Guide
Sources:
- whisper.rn, React Native bindings for on-device Whisper transcription: https://github.com/mybigday/whisper.rn
- Apple, Speech framework (used for live preview): https://developer.apple.com/documentation/speech
Joy Casfhir
Accountant turned app builder. Tracked 4,600+ transactions by hand over 5 years. Had all the data but no system for knowing what to fix first. That experience became the Leak Ladder: your money has leaks you can't see, and there's an order to fixing them. Built YourDigits to find those leaks and tell you what to fix first.
@casfhirTake the Audit
11 questions. Your score from 0 to 100. A personalized task plan for your next pay cycle.
Download YourDigits Free on the App Store