SECURITY

Designed to protect your data.

Every decision in Hunch's architecture starts with one question: what's the minimum we need to see?

No bank passwords stored

Hunch reads from bank pages you have already signed into yourself. We never ask for, intercept, or store your banking username, password, or MFA codes. Optional saved sessions store supported cookies/tokens locally in your browser only.

No aggregator middleman

No third-party service handles your logins. Transactions are read directly from your browser session — there is no Plaid, Yodlee, or similar between you and your bank.

Local data storage

All financial data is stored in your browser using standard browser storage APIs. It never leaves your device unless you explicitly enable cloud sync.

Minimal permissions

The extension only requests access to the specific bank domains it supports, plus the cookies and alarms permissions used by the optional Keep signed in feature. It does not read your other tabs, your browsing history, or any other websites.

Optional AI, explicit consent

AI categorization sends only merchant names (never amounts, account numbers, or personal details) and only when you explicitly run it. It is off by default.

Content Security Policy

The Hunch web app and extension enforce a strict Content Security Policy to prevent cross-site scripting (XSS) and injection attacks.

How the extension reads data

The Hunch browser extension is a content script that reads transaction data from the DOM of supported bank websites — the same data displayed to you on screen. It does not intercept network requests, does not modify bank pages, and does not run when you are on any other website. If you enable Keep signed in, the extension stores supported bank session material locally so it can validate the session later.

The extension communicates with the Hunch web app only through a secure, local browser message channel. No data is relayed through external servers during sync.
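A local browser message channel is only as safe as the receiver's checks: any page or frame can post a message, so the receiver must verify the sender's origin and the message shape before acting. The example below is added for illustration and is not Hunch's code; it assumes a `window.postMessage` channel, and the origin, channel tag and message types are placeholders.

```javascript
// Added example (not Hunch's own code): validate messages arriving over a
// window.postMessage channel between an extension content script and a web app.
// APP_ORIGIN is a placeholder, not a real Hunch origin; 'local-sync' and the
// message types are assumed names for this example.

const APP_ORIGIN = 'https://app.example.invalid';
const ALLOWED_TYPES = new Set(['SYNC_REQUEST', 'SYNC_RESULT']);

// Build an outgoing message. The sender should always pass an explicit target
// origin to postMessage (never '*') so a message cannot reach another origin.
function buildSyncResult(transactions) {
  return { channel: 'local-sync', type: 'SYNC_RESULT', transactions };
}

// Returns the validated message, or null if it must be ignored.
function acceptMessage(event, expectedOrigin = APP_ORIGIN) {
  // 1. Origin check: messages from any other origin (other tabs, iframes,
  //    injected scripts on other sites) are dropped before anything is read.
  if (event.origin !== expectedOrigin) return null;

  // 2. Shape check: only plain objects carrying the channel tag and a known type.
  const data = event.data;
  if (typeof data !== 'object' || data === null || Array.isArray(data)) return null;
  if (data.channel !== 'local-sync' || !ALLOWED_TYPES.has(data.type)) return null;

  // 3. Payload check: a sync result must be an array of {merchant: string,
  //    amount: finite number}; anything else is rejected as a whole.
  if (data.type === 'SYNC_RESULT') {
    if (!Array.isArray(data.transactions)) return null;
    for (const tx of data.transactions) {
      if (typeof tx !== 'object' || tx === null) return null;
      if (typeof tx.merchant !== 'string' || !Number.isFinite(tx.amount)) return null;
    }
  }
  return data;
}

// Wire-up as it would look in the receiving page (only runs in a browser).
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const msg = acceptMessage(event);
    if (msg) {
      // Handle the validated message here.
    }
  });
}

// Constructed sample events for running the validator outside a browser.
const GOOD_EVENT = { origin: APP_ORIGIN, data: buildSyncResult([{ merchant: 'Blue Bottle Coffee', amount: -4.75 }]) };
const WRONG_ORIGIN_EVENT = { origin: 'https://attacker.example.invalid', data: GOOD_EVENT.data };
console.log(acceptMessage(GOOD_EVENT) !== null, acceptMessage(WRONG_ORIGIN_EVENT) === null);
```

The origin comparison is an exact string match against one expected origin, not a prefix or substring test, so a lookalike host cannot pass. Validating the payload structure before use means a malformed message is dropped entirely rather than partially processed.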

Extension review

The Hunch extension is published through the Chrome Web Store, which applies its own security review process. The extension source is available for inspection on request — we have nothing to hide.

Responsible disclosure

If you discover a security vulnerability in Hunch, please report it to security@hunch.app before disclosing it publicly. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.

We do not have a formal bug bounty program yet, but we will recognize and thank researchers who report valid security issues responsibly.

Questions

Security questions, concerns, or reports: security@hunch.app.