Every decision in Hunch's architecture starts with one question: what's the minimum we need to see?
Hunch connects directly to your bank — there is no Plaid, Yodlee, or any third-party service handling your login. Your credentials never touch an aggregator's servers.
When you enable Keep signed in, credentials are stored in your operating system's secure credential store — macOS Keychain, Windows Credential Manager, or Linux Secret Service. They are encrypted at rest by the OS and never uploaded to Hunch or any third party.
All financial data — transactions, balances, categories — is stored on your device only. Nothing leaves your machine. There is no server-side copy, no background sync.
The desktop app runs each bank session in a sandboxed, embedded web view — isolated from your other apps and browser activity. Hunch connects only to the bank domains you explicitly authorize. No data leaves these isolated sessions except the transaction data you import to your local device.
AI categorization sends only merchant names (never amounts, account numbers, or personal details) and only when you explicitly run it. It is off by default.
The Hunch web app and extension enforce a strict Content Security Policy to prevent cross-site scripting (XSS) and injection attacks.
The Hunch desktop app opens a secure, sandboxed session for each supported bank — the same experience as visiting your bank's website, but contained entirely within the app. When you run a sync, Hunch imports your latest transactions, balances, and holdings directly and saves them to your device. No data passes through any external server during sync.
When Keep signed in is enabled, Hunch stores bank session material in your OS keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service) and revalidates silently on the next sync. This is the only persistent credential state the app maintains, and it never leaves your device.
Hunch also offers an optional browser extension for additional bank compatibility. It is published through the Chrome Web Store and Safari Extensions Gallery, which apply independent security review processes. The extension communicates with the Hunch desktop app only through a secure, local browser message channel — no data is relayed through external servers during sync.
If you discover a security vulnerability in Hunch, please report it to security@hunch.app before disclosing it publicly. We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days.
We do not have a formal bug bounty program yet, but we will recognize and thank researchers who report valid security issues responsibly.
Security questions, concerns, or reports: security@hunch.app.
These measures significantly reduce risk, but no security system provides absolute protection against all threats. For the full warranty disclaimer and limitation of liability, see our Terms of Use.