Security & Privacy

How Lunch Flow keeps your data safe and private

Written By Roaa from Lunch Flow

Last updated About 20 hours ago

The Short Version

  • ✅ We never see your bank password

  • ✅ We can’t make transfers or payments (read-only access)

  • ✅ Your data is encrypted (AES-256)

  • ✅ We use industry-standard open banking protocols

  • ✅ You can delete everything anytime

How Bank Connections Work

1. You Log in Directly to Your Bank

When you connect a bank, you’re redirected to your bank’s official website. You enter your credentials there—not on Lunch Flow. We never see or store your password.

2. You Authorize Read-Only Access

Your bank asks: “Do you want to give Lunch Flow read-only access to your transactions?” You click “Yes” and specify which accounts. We can only read. We cannot:

  • Make transfers

  • Make payments

  • Change account settings

  • Access your full account number (only last 4 digits)

3. Your Bank Sends Us Your Transaction Data

Using secure open banking APIs, your bank sends us:

  • Transaction dates and amounts

  • Merchant names

  • Account balances

  • Transaction categories (if available)

We don’t get:

  • Your login credentials

  • Your PIN

  • Security questions/answers

  • Full account numbers

Open Banking Compliance

PSD2 (Europe)

For European banks, we use GoCardless, which is PSD2 compliant. That means:

  • Regulated by financial authorities

  • Regular security audits

  • Strict data protection standards

  • Consumer protection built-in

Other Regions

We use established, regulated open banking providers in each region:

  • North America: MX/Finicity (regulated financial services provider)

  • Pacific Asia: Finverse (licensed aggregator)

  • New Zealand: Akahu (certified open banking provider)

Your Control

You Can Always:

  • ✅ See exactly what data we have

  • ✅ Disconnect any bank anytime

  • ✅ Delete specific connections

  • ✅ Export all your data

  • ✅ Delete your entire account (and all data)

FAQs

Do you support multi-factor authentication for Lunch Flow?

Not at the moment, but it’s on the roadmap. Feel free to upvote this feature request to be notified when it lands!

Does Lunch Flow store my transaction data?

No — LunchFlow operates in "live" mode by default, meaning no transaction data is stored. The only exception is short-term caching (a few hours) to avoid hitting rate limits with data providers.

This may change in the future. Storing data would allow LunchFlow to do more powerful things, like enriching transactions with additional context, which isn't possible when operating purely as a pass-through. If and when that changes, we'll be transparent about it.

Who is behind LunchFlow?

LunchFlow is operated by Zen Labs LTD, a UK-based company (registration number 16061160).

Questions About Security?

If you have specific security questions or concerns, email us at hello@lunchflow.app. We’re happy to provide more technical details or discuss your specific use case.