Is Plaid Safe? What You Need to Know

Millions of people connect their bank accounts through Plaid every day, but is it actually safe? Here is a clear, honest breakdown of how Plaid works, what it can and cannot access, and how Pancake keeps your financial data secure.

What Is Plaid?

If you have ever connected a bank account to a budgeting app, investment platform, or payment service, there is a good chance you have used Plaid. Plaid is a financial technology company that acts as a secure intermediary between your bank and the apps you choose to use. Rather than giving an app your bank login credentials directly, Plaid handles the connection so that the app receives only the specific financial data it needs.

Plaid connects with over 12,000 financial institutions across North America and Europe. Companies like Venmo, Robinhood, Coinbase, and Pancake rely on Plaid to give users a fast, secure way to link their bank accounts. As of 2025, Plaid has facilitated connections for hundreds of millions of accounts, making it the most widely used bank-linking service in the fintech industry.

The core idea behind Plaid is straightforward: you should be able to share your financial data with the apps you trust without handing over the keys to your entire bank account. Plaid makes that possible through a set of secure APIs that retrieve data on your behalf while keeping your credentials out of third-party hands.

How Plaid Works Technically

Understanding how Plaid works under the hood helps explain why it is considered safe. When you connect your bank account through an app like Pancake, here is what actually happens behind the scenes:

  1. You authenticate directly with your bank. When you tap "Connect Bank" in Pancake, Plaid opens its own secure interface called Plaid Link. You enter your bank credentials into this Plaid-controlled window, not into Pancake's app. In many cases, your bank's own OAuth flow handles the login, meaning your credentials never leave your bank's servers at all.
  2. Plaid creates a secure access token. After you authenticate, Plaid generates a unique, encrypted access token. This token is what Pancake stores, not your username or password. The token allows Pancake to request specific data (like transactions and balances) through Plaid's API without ever knowing your bank login.
  3. Data flows through encrypted channels. Every request between Pancake, Plaid, and your bank is encrypted using TLS 1.2 or higher. This is the same encryption standard used by banks themselves for online banking.
  4. Your credentials are not stored long-term. For banks that support OAuth (which includes most major institutions), Plaid never handles your password at all. For banks that use non-OAuth connections, Plaid encrypts credentials with AES-256 encryption and stores them in isolated, access-controlled environments. These credentials are used only to maintain the connection and are never shared with the apps you connect.

This tokenized approach is a significant security advantage. Even if someone gained unauthorized access to Pancake's database, they would find only encrypted tokens, not bank passwords. Those tokens are useless without Plaid's infrastructure to interpret them.

Plaid's Security Measures

Plaid treats security as a foundational requirement, not an afterthought. Here are the specific measures Plaid has in place to protect your data:

  • AES-256 encryption at rest. All stored data is encrypted using AES-256, the same encryption standard used by the U.S. government to protect classified information. This means that even if physical storage media were compromised, the data would be unreadable without the corresponding decryption keys.
  • TLS 1.2+ encryption in transit. Every data transfer between your device, Plaid's servers, and your bank is protected by Transport Layer Security. This prevents interception of data as it moves across networks.
  • SOC 2 Type II compliance. Plaid undergoes regular independent audits to maintain SOC 2 Type II certification. This means a third-party auditor has verified that Plaid's security controls operate effectively over an extended period, not just at a single point in time.
  • Regular penetration testing. Plaid employs both internal security teams and external firms to conduct regular penetration tests, proactively identifying and addressing vulnerabilities before they can be exploited.
  • Strict internal access controls. Plaid limits employee access to customer data through role-based permissions, multi-factor authentication, and detailed audit logging. Not every Plaid employee can see your data, and access is granted only on a need-to-know basis.
  • Bug bounty program. Plaid operates a bug bounty program that incentivizes independent security researchers to identify and responsibly disclose potential vulnerabilities.

These are not theoretical safeguards. They are industry-standard practices that Plaid is obligated, by contract and by regulation, to maintain.

What Data Plaid Can and Cannot Access

One of the most common concerns about Plaid is the scope of data it can see. Here is a clear breakdown:

What Plaid can access

  • Account balances (checking, savings, credit cards)
  • Transaction history (merchant name, amount, date, category)
  • Account and routing numbers (only when explicitly authorized for payment setup)
  • Basic account holder information (name on the account)

What Plaid cannot do

  • Move, withdraw, or transfer your money
  • Make purchases or payments on your behalf
  • Change your bank account settings or passwords
  • Access accounts you have not explicitly connected
  • Share your data with apps or services you have not authorized

The data Plaid accesses is determined by the permissions each app requests. Pancake, for example, requests only read-only access to transactions and balances. We never request the ability to move money or access routing numbers. You always see what permissions are being requested before you authorize a connection.

How Pancake Uses Plaid

At Pancake, we use Plaid for one purpose: to securely read your transactions and account balances so we can help you build and track your monthly budget. Here is exactly how we handle your data:

  • Pancake never sees your bank credentials. When you connect your bank in Pancake, you authenticate through Plaid's secure interface. Your username and password are handled entirely by Plaid (or by your bank directly through OAuth). Our servers never receive, process, or store your bank login information.
  • AES-256 encryption at rest. Sensitive credentials, including Plaid access tokens, are encrypted using AES-256-GCM with per-user keys. This means your connection to your bank is protected even in a worst-case scenario.
  • TLS 1.2+ encryption in transit. Every API call between Pancake and Plaid, and between your device and our servers, is encrypted using TLS 1.2 or higher.
  • Read-only access only. Pancake requests the minimum permissions needed to function. We can see your transactions and balances, and that is it. We cannot move your money, change your account settings, or access anything beyond what is needed to build your budget.
  • No credential storage, period. We store only encrypted Plaid access tokens. If Pancake's database were compromised, attackers would find encrypted tokens that are meaningless without Plaid's infrastructure. Your bank password exists nowhere in our system.

We designed Pancake this way intentionally. A budgeting app does not need to hold the keys to your bank account. It only needs to read your financial activity, and that is precisely the level of access we request.
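The token-storage design described above (AES-256-GCM, a distinct key per user, no bank password anywhere) as an added Go illustration, not Pancake's or Plaid's own code. The master key, user id, Plaid item_id and token value are constructed placeholders, and deriving the per-user key with HMAC-SHA256 is an assumption made for the example; binding the item_id as associated data is what makes a record useless if it is copied onto another user or item.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// userAEAD: per-user AES-256 key = HMAC-SHA256(master, label || userID), wrapped in GCM.
// The master key would live in a KMS; this KDF is an assumption for the example, not Pancake's.
func userAEAD(masterKey []byte, userID string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("plaid-access-token/v1:" + userID))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key selects AES-256; cannot fail on a valid length
	return cipher.NewGCM(block)
}

// sealToken encrypts a Plaid access token under the user's key, binding the Plaid item_id
// as associated data. Stored record layout: nonce || ciphertext || tag.
func sealToken(masterKey []byte, userID, itemID, accessToken string) ([]byte, error) {
	gcm, err := userAEAD(masterKey, userID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(accessToken), []byte(itemID)), nil
}

// openToken: a wrong user key, wrong item_id or any tampered byte fails the GCM tag check.
func openToken(masterKey []byte, userID, itemID string, sealed []byte) (string, error) {
	gcm, err := userAEAD(masterKey, userID)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("sealed token too short")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(itemID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```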

Common Concerns About Plaid

Can Plaid steal my money?

No. Plaid's access to your bank account is read-only. It retrieves data like transactions and balances, but it has no mechanism to initiate transfers, withdrawals, or payments. This is a fundamental architectural limitation, not just a policy. The API connections Plaid establishes for apps like Pancake simply do not include write access to your accounts. Your money stays exactly where it is.

Does Plaid sell my data?

Plaid's privacy policy states that it does not sell consumers' personal information. The data you share through Plaid is used to provide the services you have explicitly authorized, like connecting your bank to Pancake. Plaid is also subject to financial data protection regulations that place strict limits on how consumer data can be used and shared.

That said, it is worth noting that Plaid settled a class-action lawsuit in 2022 related to data collection practices, which led to improved transparency and user controls. Since then, Plaid has introduced a consumer portal at my.plaid.com where you can view and manage all your connected apps. We believe in giving you the full picture, and this history is part of it.

Can I revoke Plaid access?

Yes, and you can do it in multiple ways:

  • Through Pancake. You can disconnect your bank account directly in the app settings. This immediately revokes the access token.
  • Through Plaid's portal. Visit my.plaid.com to see every app connected to your bank through Plaid. You can revoke access to any or all of them from this dashboard.
  • Through your bank. Most banks allow you to manage third-party access from their online banking portal or by contacting customer service.

Once you revoke access, Plaid can no longer retrieve new data from your account. You are always in control of which apps have access and for how long.

What if Plaid gets hacked?

No company is immune to cyberattacks, but Plaid's security architecture is designed to minimize the impact of a breach. Here is what would protect you:

  • Plaid encrypts stored data with AES-256, so a breach of Plaid's systems would expose encrypted data, not readable information.
  • For OAuth-connected banks (the majority of major institutions), Plaid does not store your bank password at all. There would be no credentials to steal.
  • Access tokens are institution-specific and app-specific. Compromising one token does not grant access to your other accounts or other apps.
  • Plaid's SOC 2 Type II certification and regular penetration testing mean that its infrastructure is continuously evaluated for vulnerabilities.

It is also worth remembering that Plaid connects over 12,000 financial institutions. Banks trust Plaid with their customers' data precisely because of these security standards. If Plaid's security practices were inadequate, banks would not integrate with it.

Tips for Staying Safe with Any Financial App

Even with strong security infrastructure like Plaid's, there are steps you should take to protect yourself when using any financial app:

  1. Use strong, unique passwords. Never reuse your bank password for other accounts. A password manager makes this easy to manage.
  2. Enable two-factor authentication. Turn on 2FA for your bank account and for any financial apps you use. This adds a second layer of protection even if a password is compromised.
  3. Review connected apps regularly. Visit my.plaid.com periodically to see which apps have access to your bank data. Revoke access for any apps you no longer use.
  4. Keep your devices updated. Security patches in iOS, Android, and browser updates close vulnerabilities that attackers could exploit. Install updates promptly.
  5. Monitor your accounts. Review your bank statements and transaction history regularly. If you spot unauthorized activity, contact your bank immediately. Using a budgeting app like Pancake actually makes this easier since all your transactions are organized in one place.
  6. Be cautious with public Wi-Fi. Avoid logging into banking apps or connecting financial accounts on unsecured public networks. If you must, use a VPN.
  7. Only connect to apps you trust. Before linking your bank to any app, research the company behind it. Look for clear privacy policies, established security practices, and transparent communication about how your data is handled.

The Bottom Line

Is Plaid safe? Yes. Plaid is a well-established, independently audited financial infrastructure company that uses industry-leading encryption, tokenized access, and strict data controls to protect your information. It is trusted by thousands of financial institutions and used by hundreds of millions of consumers.

That does not mean you should blindly trust every app that uses Plaid. The app itself matters, too. At Pancake, we take our responsibility seriously. We request only read-only access, encrypt sensitive credentials with AES-256 at rest and all traffic with TLS 1.2+ in transit, and never store your bank login credentials. Your financial data is used for exactly one thing: helping you build a budget that works.

If you have been hesitating to connect your bank account because of security concerns, we hope this article gives you the clarity you need. You deserve a budgeting app that respects your data as much as it respects your financial goals.