WriteOff

Security

Security
Last updated: April 12, 2026

Our Security Commitment

Protecting your financial data is our top priority. We implement multiple layers of security to ensure your information remains safe and private.

Data Encryption

All data is encrypted in transit using TLS 1.2+ (HTTPS) and encrypted at rest using AES-256 through Google Cloud/Firebase infrastructure. Your financial data is never stored in plain text.

Bank Connection Security

  • We use Plaid, a SOC 2 Type II certified provider, to connect your bank accounts
  • WriteOff never sees or stores your bank login credentials
  • We receive read-only access to transaction data -- we cannot move money or modify your accounts
  • Plaid uses bank-level 256-bit encryption for all data transfers

Payment Security

All subscription payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. WriteOff never stores, processes, or has access to your full credit card numbers.

What We Store

We store the following data to provide our services:

  • Your name, email, profession, state, and filing status
  • Transaction metadata (merchant, amount, date, category)
  • Tax calculations and form data
  • Receipt images you upload

We do NOT store:

  • Bank login credentials
  • Full Social Security Numbers (SSN is entered transiently for IRS form generation and never persisted to our database)
  • Full credit card numbers
  • Bank account passwords

Authentication and Access

  • User authentication is handled by Firebase Authentication with secure token management
  • All API endpoints require authenticated sessions
  • Firestore security rules enforce per-user data isolation -- users can only access their own data

AI Data Processing

  • Transaction data sent to OpenAI for AI categorization is transmitted over encrypted channels
  • Your data is not used to train AI models
  • AI processing is stateless -- no conversation history is retained on AI provider servers

Infrastructure

WriteOff runs on Google Cloud Platform (Firebase) infrastructure, which maintains SOC 1, SOC 2, SOC 3, ISO 27001, and other compliance certifications. Our application is deployed via Firebase Hosting with automatic SSL certificates.

Data Portability and Deletion

  • You can export all your data at any time through the Reports section
  • You can delete your account through Settings, which permanently removes all associated data within 30 days

Responsible Disclosure

If you discover a security vulnerability, please contact us at writeoffapp@gmail.com. We take all reports seriously and will respond promptly.