Security
It can see. It can never move.
The trust page, claim by claim. What the connection can do, what Lefover stores, what stays on your device, and how you leave.
Read-only, all the way down.
It watches. It cannot act.
The bank connection is read-only. It can see transactions, and it can never move money or pay anyone.
Your credentials never reach us
You enter them in your bank's own connection flow, on your device. They never touch Lefover's servers.
What Lefover keeps is a token
Lefover stores only an access token for the connection, encrypted at rest with AES-256-GCM.
Encrypted on the way, pinned at the door.
Everything travels encrypted
Every request between the app and Lefover is encrypted in transit.
The app pins Lefover's certificates
In production, the app accepts Lefover's certificates and no others, so it will only speak to Lefover.
The phone is part of the security model.
Sign-in without passwords
You sign in with the account already on your phone, through its platform sign-in. There is no Lefover password to steal.
Sensitive actions ask again
Disconnecting a bank or deleting your account asks for your device biometric or passcode again.
Covered in the app switcher
The screen is covered in the app switcher, so your numbers are not left in plain view.
A warning on rooted devices
The app warns you when it is running on a jailbroken or rooted device.
Kept in your region, gone when you say.
Your region keeps your data
Separate databases for the United States, Canada, and the United Kingdom. Your data lives in yours and is never shared across regions.
Diagnostics are scrubbed
Diagnostics are scrubbed of personal data before they leave the device.
Deletion is yours to run
You can delete your account yourself, in the app.
A lapsed subscription is not kept forever
If your subscription lapses, your data is deleted after 90 days, with a reminder before it happens.
The specifics are the point.
Everything above is specific on purpose. When we can promise more, this page will say so.