Security Policy
Effective Date: April 25, 2026 · Last Updated: April 28, 2026
ZhanPlan LLC · Tampa, Florida · support@zhanplan.com
ZhanPlan LLC takes the security of your financial data seriously. Because you trust us with sensitive personal finance information — budgets, income, spending, debts, and net worth — we have built our platform on enterprise-grade infrastructure with multiple layers of security. This Security Policy describes the technical and organizational measures we use to protect your information, how we respond to security incidents, and how you can help keep your account secure.
Security is a shared responsibility. ZhanPlan secures the platform and infrastructure. You secure your account credentials and your devices.
At a glance:
- Encryption in Transit: TLS 1.3
- Encryption at Rest: AES-256
- Payment Security: PCI DSS Level 1 (processing handled by Stripe)
- Database: Row-Level Security
- Auth: Bcrypt password hashing
- Analytics: Cookieless, no PII
1. Infrastructure and Hosting Security
Vercel (Hosting Platform). ZhanPlan is hosted on Vercel, which operates on SOC 2 Type II certified infrastructure with a 99.99% uptime SLA, DDoS protection, a global CDN, and automated HTTPS enforcement. All web traffic to ZhanPlan is served over HTTPS only, and we send HTTP Strict Transport Security (HSTS) headers, so once a browser has visited us it will refuse to connect to zhanplan.com without encryption.
Supabase (Database and Authentication). All user data — accounts, financial entries, goals, budgets, and activity logs — is stored in Supabase, which holds SOC 2 Type II and ISO 27001 certifications. Supabase encrypts all data at rest using AES-256 and provides point-in-time recovery, automated backups, and network isolation. Supabase operates on AWS infrastructure and maintains independent security audits. Their full security documentation is available at supabase.com/security.
Cloudflare (Network Security and DDoS Protection). All traffic to zhanplan.com is routed through Cloudflare's global network before reaching our servers. Cloudflare provides enterprise-grade DDoS mitigation, bot detection and blocking (including AI crawler blocking), a Web Application Firewall (WAF), Full (strict) SSL/TLS mode (the hop from Cloudflare to our origin is also encrypted and the origin certificate is validated), and origin IP masking. Our origin addresses are not published, so even an attacker who identifies our hosting provider has no direct path to our servers; requests reach them only after passing through Cloudflare's security layer. Cloudflare terminates TLS for zhanplan.com and therefore handles requests in transit under its SOC 2 Type II controls, but it does not store your financial data.
Geographic Isolation. All primary data storage occurs in United States data centers. We do not store personal financial data outside the United States in primary storage.
2. Data Encryption
- In Transit: All data transmitted between your device (browser or app) and ZhanPlan servers is encrypted using TLS 1.3. Older, insecure TLS versions (1.0, 1.1) are rejected.
- At Rest: All data stored in our Supabase database is encrypted at rest with AES-256. This includes every budget entry, transaction, goal, and preference you store. Encryption at rest protects the underlying storage media; deciding which signed-in user may read which rows is the job of Row-Level Security (Section 4).
- Passwords: Your password is never stored in plain text. Supabase Auth hashes passwords with bcrypt (salted, with an appropriate cost factor), and only the hash is stored. Even ZhanPlan employees cannot recover your password from it.
- Session Tokens: Authentication session tokens are encrypted, signed, and stored in cookies flagged Secure and HttpOnly, with SameSite protection where applicable, so they are sent only over HTTPS and cannot be read by page scripts.
- Backups: Database backups are encrypted with the same AES-256 standard as live data.
3. Payment Security
ZhanPlan never stores, sees, or has access to your full payment card number, card verification value (CVV), or full bank account number. Ever.
- All payment processing is handled exclusively by Stripe, Inc., a PCI DSS Level 1 Service Provider — the highest certification level in the payment card industry.
- When you enter card details on a checkout page, that information goes directly to Stripe's servers over an encrypted connection. It never touches ZhanPlan's servers.
- ZhanPlan receives only: a tokenized card reference (Stripe customer/payment method ID), the last four digits of your card, the card brand (Visa, Mastercard, etc.), and the expiration month/year.
- Stripe webhook events used to update your subscription status are verified against the endpoint's signing secret (the HMAC signature Stripe sends in the Stripe-Signature header) before any subscription change is applied; events that fail verification are discarded.
- Stripe complies with GDPR, CCPA, and global financial regulations. Their security practices are described at stripe.com/docs/security.
4. Access Controls and Data Isolation
Row-Level Security (RLS). Our Supabase database enforces Row-Level Security policies on every table containing user data. Each policy is evaluated by the database itself against the identity in your verified session token, so every query is filtered to return only records belonging to your authenticated account (or to a group you have been invited into). One user's authenticated session cannot read another user's financial data: even if a bug existed at the application layer, the database would refuse to return the rows. RLS applies to queries made with a user's session; Supabase's privileged service-role key, which bypasses RLS, is used only on the server and, like every other server credential, is never included in client-side code (Section 6).
Group Accounts. ZhanPlan supports family/partner shared accounts through an explicit invite system. Data sharing only occurs when a user actively invites another user and that invitation is accepted. Invitations are tied to specific email addresses and expire after a set period.
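The isolation described in the two paragraphs above, as an added example that is not ZhanPlan's own schema or policies: a Supabase/Postgres setup in which the database itself restricts each query to the caller's rows and, read-only, to rows shared with a group the caller belongs to. The table and column names (budget_entries, group_members, user_id, group_id) and the read-only nature of group sharing are assumptions; auth.uid() and the anon/authenticated/service_role roles are Supabase's.

```sql
-- Added example (not ZhanPlan's schema): Supabase Row-Level Security that
-- confines each query to the caller's own rows plus rows shared with their
-- group. Table/column names and read-only group sharing are assumptions.

create table if not exists public.budget_entries (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id) on delete cascade,
  group_id     uuid,                 -- null unless shared with a family/partner group
  category     text not null,
  amount_cents bigint not null,
  created_at   timestamptz not null default now()
);

create table if not exists public.group_members (
  group_id uuid not null,
  user_id  uuid not null references auth.users (id) on delete cascade,
  primary key (group_id, user_id)
);

-- 1. Turn RLS on. With RLS enabled and no policies, every row is invisible
--    to the anon and authenticated roles: deny by default.
alter table public.budget_entries enable row level security;
alter table public.group_members  enable row level security;
-- FORCE makes the table owner obey the policies too; only roles with the
-- BYPASSRLS attribute (Supabase's service_role) skip them.
alter table public.budget_entries force row level security;

-- 2. Membership check as a SECURITY DEFINER function. Querying group_members
--    directly from a budget_entries policy would itself be subject to the
--    group_members policies (and can recurse), so the helper runs with the
--    function owner's privileges and a pinned search_path.
create or replace function public.is_group_member(target_group uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.group_members gm
    where gm.group_id = target_group
      and gm.user_id  = auth.uid()   -- uuid from the caller's verified JWT, or null
  );
$$;

-- 3. Owner policies. auth.uid() comes from the session JWT that Supabase
--    validated, so application code cannot influence which rows match.
create policy "entries: owner can read"
  on public.budget_entries for select
  to authenticated
  using (user_id = auth.uid());

create policy "entries: owner can insert own rows"
  on public.budget_entries for insert
  to authenticated
  with check (user_id = auth.uid());   -- WITH CHECK guards the *new* row

create policy "entries: owner can update"
  on public.budget_entries for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());   -- cannot re-assign a row to someone else

create policy "entries: owner can delete"
  on public.budget_entries for delete
  to authenticated
  using (user_id = auth.uid());

-- 4. Group sharing (assumed read-only): members of the entry's group may
--    read it. Permissive policies are OR-ed, so owners still see their rows.
create policy "entries: group members can read shared rows"
  on public.budget_entries for select
  to authenticated
  using (group_id is not null and public.is_group_member(group_id));

create policy "members: see own memberships"
  on public.group_members for select
  to authenticated
  using (user_id = auth.uid());

-- 5. What the application actually sends. Executed with the user's JWT this
--    query is narrowed to their rows by the database; a buggy handler that
--    forgets a WHERE user_id = ... clause still cannot leak another user's data.
select id, category, amount_cents
from public.budget_entries
where created_at >= date_trunc('month', now());
```

To check the claim yourself in a scratch project, run the final query twice under two different users' JWTs and confirm the result sets do not overlap; in the SQL editor the same thing can be simulated with `set local role authenticated;` followed by `select set_config('request.jwt.claims', '{"sub":"<user uuid>"}', true);`, because auth.uid() reads the `sub` claim from that setting. The useful negative test is an INSERT or UPDATE that sets user_id to someone else's id: the WITH CHECK clauses make the database reject it.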
Staff Access. ZhanPlan personnel access to production data is: (a) limited to the minimum necessary for support or maintenance tasks; (b) logged and auditable; (c) subject to internal access control policies; and (d) conducted only with legitimate business justification. We do not browse user financial data as a routine practice.
API Authentication. All API routes in ZhanPlan require valid authenticated sessions. Unauthenticated requests to protected endpoints are rejected with a 401 response. Session tokens have defined expiry and are automatically rotated.
5. AI Feature Security
Encrypted API Calls. When you use AI features (chat coach, receipt scanner, transaction categorization, PDF import), data is transmitted to OpenAI’s API over encrypted HTTPS connections (TLS 1.3).
No AI Training on Your Data. Per OpenAI’s API data usage policy, data submitted through the API is not used to train or improve OpenAI’s models. Your financial data processed by OpenAI is used only to generate a response to your specific request and is not retained by OpenAI for training.
Minimal Data Transmission. We transmit the minimum data necessary for each AI request. For the chat coach, we send financial summaries — not raw database exports. For categorization, we send merchant names only — not amounts, dates, or account identifiers. For receipts and PDFs, we process the image/document in real-time and do not permanently store the originals.
Fully Optional. All AI features are opt-in. If you choose not to use AI features, no data is ever sent to OpenAI.
6. Application Security
- HTTPS Only: All Services are served exclusively over HTTPS. HTTP requests are redirected to HTTPS automatically.
- HSTS: HTTP Strict Transport Security headers instruct browsers to use HTTPS for every future request to our domain, preventing protocol-downgrade attacks and plaintext cookie leakage.
- Content Security Policy: CSP headers restrict the origins from which scripts and other resources may be loaded, limiting what an injected script could do and reducing the cross-site scripting (XSS) attack surface.
- No Sensitive Data in Client Code: No API keys, database credentials, or secrets are included in client-side JavaScript bundles.
- No Sensitive Data in Local Storage: Financial data is fetched from the server on demand. We do not store sensitive financial information in localStorage or sessionStorage.
- Input Validation: User inputs are validated and sanitized both client-side and server-side. Client-side checks improve usability; the server-side checks are the ones we rely on, since anything sent from a browser can be altered.
- Dependency Monitoring: We monitor third-party dependencies for known vulnerabilities and apply security patches promptly.
- Server-Side Authentication: All protected operations are authenticated on the server — client-side authentication state is never trusted without server verification.
7. Data Breach Response Plan
Despite our security measures, no system is completely immune to security incidents. In the event of a confirmed or suspected data breach, ZhanPlan will:
7.1 Detection and Containment. Upon discovering or being notified of a potential security incident, we will immediately: (a) assess the scope and nature of the incident; (b) isolate affected systems to prevent further unauthorized access; (c) engage security professionals to investigate the root cause; and (d) preserve evidence for forensic analysis.
7.2 User Notification Timeline. We will notify affected users: (a) within 30 days of determining that a breach occurred for Florida residents (as required by the Florida Information Protection Act) and for California residents (California's breach notification statute, Civil Code § 1798.82, requires notice in the most expedient time possible and without unreasonable delay); (b) within 72 hours of becoming aware for users in the European Economic Area (GDPR requires notice to the supervisory authority within 72 hours and to affected individuals without undue delay; we apply the 72-hour window to both); and (c) within the timeframes required by other applicable laws for users in other jurisdictions.
7.3 Notification Content. Our breach notification will include: (a) a description of the type of personal information involved; (b) the approximate date(s) the breach occurred or was discovered; (c) the steps ZhanPlan is taking to investigate, contain, and remediate the breach; (d) steps you can take to protect yourself (such as changing your password or monitoring for suspicious activity); and (e) contact information for questions.
7.4 Regulatory Notification. Where required by law, we will also notify the appropriate regulatory authorities (such as the California Attorney General for breaches affecting 500+ California residents, or the relevant EU/UK Data Protection Authority under GDPR/UK GDPR).
7.5 Remediation. After containing a breach, we will conduct a thorough post-incident review, remediate the root cause, update our security practices as needed, and communicate the outcome to affected users.
8. What ZhanPlan Does NOT Store
For complete clarity, ZhanPlan’s servers do not store:
- Full payment card numbers, CVV/CVC codes, or PINs
- Bank account numbers or routing numbers
- Bank login credentials or passwords for any financial institution
- Social Security numbers or government-issued identification numbers
- Receipt images or bank statement PDF files after AI processing is complete
- Your ZhanPlan password in any readable format (only a bcrypt hash)
9. Responsible Disclosure
We welcome reports from security researchers and users who discover potential vulnerabilities in our platform. If you believe you have found a security vulnerability in ZhanPlan, please:
- Email us at support@zhanplan.com with the subject line "Security Vulnerability"
- Describe the vulnerability in detail, including the steps to reproduce it
- Include information about the potential impact and any proof-of-concept (test only against accounts you control; do not access, modify, or exfiltrate other users' data)
- Allow us reasonable time to investigate and remediate before public disclosure
We will acknowledge your report within 48 hours. We will work to address critical vulnerabilities within 30 days and will keep you updated on our progress. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it. We appreciate responsible disclosure and will not take legal action against researchers who follow these guidelines in good faith.
10. How You Can Protect Your Account
Your account security also depends on actions you take:
- Use a strong, unique password for ZhanPlan that you do not use on any other website or service
- Never share your ZhanPlan login credentials with anyone
- Log out of ZhanPlan when using shared, public, or untrusted devices
- Keep your registered email address up to date so we can reach you for security notifications
- Monitor your account for any financial data you did not enter
- Contact us immediately at support@zhanplan.com if you notice suspicious activity, believe your password was compromised, or did not initiate a password reset
- Keep your device operating system, browser, and apps updated to receive security patches
11. Security Updates and Maintenance
We actively monitor our dependencies and infrastructure for known security vulnerabilities. Critical security patches are applied as soon as practicable, typically within 24–72 hours of a vulnerability being confirmed. We conduct periodic reviews of our security architecture, access controls, and data handling practices. When we make significant security improvements, we may update this Security Policy and notify users of material changes.
12. Third-Party Security
ZhanPlan relies on the certified and audited third-party services listed in Section 13 (Supabase, Cloudflare, Vercel, Stripe, and Resend). Their security posture directly affects yours.
13. Limitations, Platform Responsibility, and No Guarantee
Despite our extensive security measures, no system connected to the internet can be guaranteed to be 100% secure. ZhanPlan cannot guarantee that unauthorized parties will never defeat our security measures or improperly access your information. By using the Services, you acknowledge and accept this inherent risk of using internet-based services.
Infrastructure Security Is Provided and Certified by Our Platform Partners
ZhanPlan stores and processes your data on enterprise-grade, independently certified third-party infrastructure. The security of that infrastructure — including servers, databases, networking, and physical data center security — is the responsibility of those certified platforms, not ZhanPlan LLC directly:
- Supabase (SOC 2 Type II, ISO 27001) — Responsible for database security, encryption at rest, backup integrity, and authentication security.
- Cloudflare (SOC 2 Type II, ISO 27001, PCI DSS) — Responsible for network-layer security, DDoS protection, traffic filtering, and SSL/TLS termination.
- Vercel (SOC 2 Type II, ISO 27001) — Responsible for application hosting infrastructure, server security, and CDN security.
- Stripe (PCI DSS Level 1, SOC 2 Type II) — Responsible for all payment card data security. ZhanPlan never receives or stores full card numbers.
Each of these providers holds independent third-party security certifications and carries its own contractual and legal responsibility for the security of its infrastructure. In the event of a security breach originating from within the infrastructure of Supabase, Cloudflare, Vercel, or Stripe, the primary security responsibility lies with that certified provider under the terms of their own certifications and service agreements.
Limitation of Liability. To the maximum extent permitted by applicable law, ZhanPlan LLC’s liability for any security incident or data breach is limited as described in our Terms of Service. ZhanPlan LLC is not liable for security incidents that originate from the infrastructure of our certified third-party platform providers (Supabase, Cloudflare, Vercel, Stripe, Resend) — events that are outside our direct control and governed by those providers’ own security certifications, contracts, and liability frameworks.
By using the Services, you acknowledge that: (a) your data is secured by a stack of enterprise-certified platforms; (b) no internet-connected system can be guaranteed 100% secure; and (c) ZhanPlan’s responsibility is limited to the application-layer security controls described in this Policy, while infrastructure-layer security is maintained by our certified platform partners.
14. Security Contact
ZhanPlan LLC — Security Team
Tampa, Florida, United States
Security Reports: support@zhanplan.com (subject: “Security Vulnerability”)
General Support: support@zhanplan.com
We take all security reports seriously. For critical vulnerabilities, we will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had an opportunity to address them.