Security & privacy

Calm, bank-grade protection for both of you.

TwoPennies is built so sharing finances never means losing control. From encryption to consent flows, every part of the experience keeps trust front and centre.

Powered by TrueLayer Open Banking (read-only connections)
Supabase Postgres with encryption at rest
GDPR-ready export and deletion pathways

Privacy ledger

Calm mode

Shared balance£7,720

Monzo · PersonalPrivate

Awaiting partner approval to share. Because consent is everything.

A safety net designed for couples

TrueLayer Open Banking

We partner with TrueLayer, an FCA-regulated provider trusted by banks across the UK. Connections are read-only — TwoPennies cannot move or hold your money.

Bank-grade encryption

Account data is encrypted using AES-256-GCM. Tokens are stored separately with unique IVs so even in transit your data stays sealed.

Privacy controls by default

Every visibility change requires both partners to agree. Requests expire, actions are logged, and you can always see what’s shared.

Calm audit trail

A human-readable timeline keeps track of invites, visibility decisions, and major events without feeling corporate or heavy.

TrueLayer

Open Banking partner for secure, read-only connections.

Supabase

Row Level Security + EU-hosted Postgres infrastructure.

Stripe

Billing handled via PCI-DSS Level 1 infrastructure.

Security FAQs

Do you ever move or hold our money?

Never. TwoPennies is read-only. We connect to your bank with your permission via TrueLayer and fetch balances, transactions, and pot data. You authorise the connection from your bank’s secure interface and can revoke it at any time.

Who can see our information?

Only you and your partner. Accounts stay private until you both agree to share them. Even if one partner invites the other, visibility requests still need approval. Support staff can’t view couple data without explicit written permission.

Where is our data stored?

TwoPennies runs on Supabase Postgres in EU-West data centres with encryption at rest. We follow GDPR guidelines for data portability and deletion. Request a full export or complete deletion any time after launch day.

How do you keep services online?

We monitor uptime with automated health checks and error tracking through Sentry. Rate limiting protects against abuse, and our infrastructure scales automatically on Vercel.

Need to reach us?

Email hello@twopennies.app for security questions or responsible disclosure. We reply within 2 business days.

Loading TwoPennies…