Privacy In Practice

Twin Ledger is built around a simple idea: a household's financial life should not become someone else's data product.

We do not sell household data. We do not run ads. We do not use household financial records for behavioral advertising, third-party marketing, or unrelated profiling.

Our default design is privacy by architecture, not privacy by promise.


Encrypted Household Vaults

Twin Ledger stores household records in encrypted vaults. Vault data is encrypted before it leaves your device, which means Twin Ledger cannot read the contents of your household vault, and someone intercepting network traffic cannot read it either.

We use this architecture as a defense against strategic surveillance. It also limits us. Because vault data is encrypted before it leaves your device, Twin Ledger cannot later decide to inspect, monetize, or repurpose the contents of your household vault.

Like every end-to-end encrypted system, the device itself remains the most important trust boundary. If a device is compromised, unlocked, or controlled by someone else, the data available on that device may be exposed.


Passwords, Recovery Codes, And No Escrow

Twin Ledger does not keep an escrow copy of your vault keys. We cannot unlock your vault from our side.

Your password and recovery codes are part of the system that allows you to regain access to your encrypted household vault. Recovery codes should be saved somewhere safe and separate from your usual devices.

If you lose access to your password, authorized devices, and recovery codes, Twin Ledger cannot recover your vault data. This is an intentional consequence of the encrypted vault design: privacy does not depend on asking us not to look, because we do not have the keys required to look.


What Twin Ledger Cannot See

Twin Ledger cannot read the contents of your encrypted household vault, including your private ledger records, budgets, transaction history, travel budgets, project spending, files, notes, and other vault-stored household records.

We also cannot recover vault contents for you if the required passwords, devices, and recovery codes are lost. There is no key escrow system.


What Twin Ledger Can See

Some information exists outside the encrypted vault so the service can operate. This may include account registration details, billing records, authentication or session metadata, support messages you send us, operational logs, product diagnostics, feature usage needed to maintain the service, and data processed through optional integrations you choose to use.

We try to keep this data limited to what is needed to run, secure, support, and improve Twin Ledger.


Plaid Sync Is Optional

Plaid sync is optional. You can use Twin Ledger without Plaid by entering or importing transactions manually.

We offer Plaid sync for convenience because most households do not want to enter every transaction by hand. When you connect an account through Plaid, Plaid collects and provides account data according to Plaid's own service terms and privacy practices.

Twin Ledger receives Plaid-derived account, balance, transaction, counterparty, and investment data so we can stage it for review and import into your household vault.


Plaid Staging

Plaid-derived data is staged on Twin Ledger servers before vault ingestion. Staging allows us to normalize bank-feed data, detect duplicates, handle pending and posted transaction transitions, support reconnect and backfill flows, and prepare transaction data for import.

After staged Plaid data is successfully ingested into your encrypted household vault, Twin Ledger deletes the staged import data from active staging storage.


Normal Force

Twin Ledger uses its own normalization tool, Normal Force, to turn messy bank-feed descriptions into clearer counterparties, categories, and transaction context. Normal Force is operated by Twin Ledger, not a third-party data broker or external advertising service.

Normal Force is used to support import accuracy and household recordkeeping. It is not used for advertising, data sale, behavioral targeting, or unrelated profiling.

For normalization quality, Twin Ledger may retain transaction samples for up to 30 days when a transaction helps us identify or improve a counterparty match. These samples are used only to review and improve normalization accuracy.

Transaction data can be sensitive, so we treat normalization samples as limited-use data with a short retention period.


Shared Travel And Departure Day

Most household data is private to your household vault. Shared travel is a narrow exception, and it is handled by Departure Day rather than by the vault.

Departure Day is a standalone travel product built for collaboration across travelers, advisors, and traveling companions who may not share a household or a set of keys, so multiple parties can coordinate the same trip.

Departure Day does not use the end-to-end encrypted vault architecture that protects Twin Ledger household records. This is a deliberate decision, not an oversight. End-to-end encryption would break the recovery paths those users depend on, since there would be no way to restore access if a password or device were lost, and it would make ordinary support, troubleshooting, and account recovery impossible to provide.

Departure Day still protects travel data with encryption in transit and at rest, limits access to what is needed to operate the product, and follows the same commitments against advertising, tracking, and data sale. When a Twin Ledger family plans travel from inside the household vault, those private financial details, including budgets, payments, and spending records, stay in the vault; only the itinerary items they choose to share move into Departure Day's shared, server-readable model.


We Don't Sell Data

Twin Ledger does not sell data for any reason. That includes household vault data, Plaid-derived data, normalization samples, itinerary data, account data, support data, operational data, aggregated data, and anonymized data.

We do not use your household financial records to target ads.


Service Providers

Twin Ledger uses service providers to operate the product, such as hosting, payment processing, authentication, logging, customer support, and optional financial aggregation through Plaid.

Service providers may process limited data as needed to provide their services to Twin Ledger. They are not permitted to use Twin Ledger household data for their own advertising or unrelated commercial purposes.


Deletion And Retention

Encrypted vault data remains under the control of the household account and applicable product settings. If you delete your account or household, we delete associated service-side records according to our deletion process, subject to legal, security, fraud-prevention, billing, backup, and operational obligations.

Plaid staging data is deleted from active staging storage after successful vault ingestion.

Normal Force transaction samples used for counterparty normalization review are retained for up to 30 days.

Operational logs and backups may have separate retention periods for security, reliability, and abuse-prevention purposes.


Security Tradeoffs

Twin Ledger stores household data as encrypted vault files. Vault contents are encrypted on your device before upload, and each encrypted file is associated with key material from the household keychain.

The keychain uses scoped data keys for groups of records. A data key can be scoped to the household, to a narrower sharing group, or to a specific context such as a shared itinerary. Each data key is wrapped separately for each authorized recipient, so one household member can open the same vault file without sharing another member's private key.

Twin Ledger supports module-lattice and hybrid key agreement, but we still consider these modes experimental. For day-to-day use, we recommend elliptic-curve keys unless a family's long-term security posture needs to be unusually high. Signed key bundles help recipients verify which member generated or rewrapped a key before using it.

Twin Ledger also uses digital signatures for vault files and key bundles. Those signatures create an integrity trail around encrypted records and key changes. Until a desktop app supports verification controls and trusted signer settings, we do not want to overpromise protection against interception or substitution attacks.

Some service metadata and optional integration staging data still exist outside the vault so Twin Ledger can authenticate users, operate the service, and process features you choose.

No security model eliminates every risk. End-to-end encryption does not protect data from a device that is compromised, unlocked, infected, or controlled by someone else.


How We Decide What Leaves The Vault

Our default is simple: if a feature can work entirely inside the encrypted household vault, it should stay there.

When a feature needs server-side processing, we treat that as a boundary crossing. We keep the data limited to the task, use it only for the stated purpose, and remove staged data when the job is complete.

Plaid sync is the clearest example. It adds convenience for households that want bank-feed automation, but manual entry and import workflows remain available for households that prefer tighter control.