Security & privacy

Your financial details are safeguarded.

Perqt is built around a simple promise: you keep full control of what we know, what we store, and who can access it.

01 · The pillars

How we protect you

Read-only issuer access via Plaid

When you connect a card, Perqt receives a read-only token through Plaid. We can see transaction descriptions, amounts, and dates so we can match them against your card's benefits — but we cannot move money, make purchases, or change anything on your account. You can revoke access anytime by disconnecting the card.

We never see your banking password

Authentication with your card institution happens inside Plaid's secure flow — your online banking password is never sent to, seen by, or stored on Perqt servers. We only ever receive a tokenized, scoped credential.

Encryption in transit and at rest

Every connection uses HTTPS with TLS 1.2 or higher. All data stored — your wallet, transactions, analytics, preferences — is encrypted at rest using AES-256. Plaid tokens are encrypted with separate keys, Stripe payment data stays in Stripe's PCI-compliant environment, and backups use the same standard.

Row-level security on every table

Our database enforces row-level security policies that make it impossible for one user's queries to return another user's data. Your wallet, transactions, and analytics are only ever returned to a request authenticated as you.

Modern authentication

Sign in with email + password or Google. Passwords are hashed with industry-standard algorithms and checked against the Have I Been Pwned breach database to block compromised credentials. Session tokens are short-lived and rotated automatically.

We don't sell your data — ever

Perqt has no advertising business and no data-broker relationships. We do not sell, rent, or share your personal information, wallet contents, transaction history, or spending patterns with third parties for marketing. Period.

Minimal data, by design

We pull only the transaction fields needed to match purchases to card benefits and generate recommendations: merchant, amount, date, and category via Plaid. We do not store full card numbers, CVVs, PINs, account balances unrelated to a transaction, or Social Security numbers.

You own your data

Disconnect any card to immediately revoke our Plaid access. Export everything in a machine-readable format or permanently delete your account at any time. Deletion removes your data from active systems within 30 days and from backups within 90 days.

Hardened infrastructure

Perqt runs on enterprise cloud providers with SOC 2 Type II certified data centers, automated patching, network isolation, and 24/7 monitoring. Plaid tokens, Stripe payment credentials, and other secrets are stored in an encrypted vault and rotated regularly.

Coinbase One Card: same read-only rules

For Coinbase One Card holders, Perqt connects to Coinbase through Plaid — the same read-only bank connection used for every other card in your wallet. We can read card transactions and Bitcoin rewards balances so we can value them against your other cards — we cannot trade, transfer, or move any funds in your Coinbase account. You can revoke access at any time by disconnecting the card in Perqt.

Ask Perqt AI: private by default

Ask Perqt uses large language models to answer questions about your wallet. When you ask something, we send only the wallet, benefit, and transaction context needed to answer — never your login credentials, full card numbers, or payment data. Our AI provider does not use your prompts to train their models. The assistant can suggest and explain, but it can never move money, apply for cards on your behalf, or take any action outside the conversation.

Responsible disclosure

Security researchers are welcome. If you discover a vulnerability, email contact@perqt.ai. We commit to acknowledging reports within 2 business days, investigating in good faith, and never pursuing legal action for good-faith research.

02 · Data ledger

What data we actually store

  • Email addressYes

    Account login, reminders

  • Cards in your walletYes

    Identify which benefits apply

  • Plaid connection token (read-only)Yes

    Pull purchases from your card institution via Plaid

  • Transactions (merchant, amount, date, category)Yes

    Match purchases to benefits & build analytics

  • Spending patterns & ROI metricsYes

    Power recommendations and insights

  • Subscription billing details via StripeYes

    Process your subscription payment securely

  • Reminder & UI preferencesYes

    Personalize the app

  • Online banking passwordNever

    Plaid handles auth — we never see it

  • Full credit card numbers / CVV / PINNever

    Not needed

  • Ability to move money or make purchasesNever

    Read-only access only

  • Social Security numberNever

    Not needed

03 · Your side

Rights & hygiene

Your rights

  • Access — download a full copy of your data anytime
  • Correction — update or fix any information in your profile
  • Deletion — remove your account and all associated data
  • Portability — export in standard JSON or CSV format
  • Objection — opt out of analytics and non-essential cookies

Account hygiene tips

  • Use a unique password manager–generated password for Perqt
  • Enable 2-factor authentication on the email tied to your account
  • Sign out on shared or public devices
  • Review your wallet periodically and remove cards you've closed

Talk to us

Questions about security, privacy, or how your data is handled? Our team responds personally — usually within one business day.

contact@perqt.ai

Last reviewed: July 5, 2026