I'm building Acardai — an AI tool that tells you which credit card to use for any purchase.
To do that well, you need to tell us which cards you have. Maybe your loyalty account numbers. Your spending patterns.
That's sensitive data. And you have every right to ask: how exactly are you protecting it?
Most startups wave their hand at this question. "We take security seriously." "Your data is safe with us." No specifics. No receipts.
I'm going to give you the receipts.
Here's every security measure we built into Acardai — before a single real user signed up.
We never touch your actual card numbers
Let me start with what we don't store, because it matters.
Acardai never sees your credit card numbers, CVV codes, PINs, or bank account details. Ever.
When you add a card to Acardai, you're selecting it from our catalog — like choosing "Chase Sapphire Preferred" from a list. You're not entering a card number. There's nothing to steal because it was never there.
Actual payment processing goes through Stripe, a PCI DSS Level 1 certified payment processor, so card data never needs to pass through our servers at all. We let them handle what they're great at.
Your passwords are protected even if we get hacked
This is the one that matters most if something goes wrong.
We store your password using bcrypt with a cost factor of 12. What that means in plain English: bcrypt is deliberately slow (cost 12 means 2^12 = 4,096 rounds of its internal key setup per guess, a few hundred milliseconds on ordinary server hardware) and every password gets its own random salt, so an attacker who stole our entire database couldn't look your hash up in a precomputed table. They'd have to guess each password one slow attempt at a time. For a reasonably strong password that is years of computing time. Not hours. Years. One honest caveat: bcrypt buys time, it doesn't rescue a password like "password123", which falls quickly at any cost factor. Use a password manager.
We also never log passwords anywhere. They're not in error messages. They're not in our analytics. They exist only as a salted, one-way bcrypt hash in the database.
Your loyalty account numbers are encrypted
If you connect a loyalty program (your United MileagePlus number, your Marriott Bonvoy number), that number is sensitive. Someone with it could potentially access your miles.
We encrypt every loyalty account number using AES-256-GCM before it's written to the database. That's the same encryption standard used by banks and governments. Every encryption uses a fresh, randomly generated nonce, which GCM requires: reusing one would leak information about the numbers it protected. GCM also produces an authentication tag, so a ciphertext that has been altered in the database is rejected outright instead of being decrypted into something that looks plausible.
The decrypted number only exists in memory, briefly, when you're actively using it. It's never logged.
We built brute-force protection on login
One of the most common attacks on any login form is someone trying thousands of password guesses, or passwords leaked from other sites, until one works.
We block this at two levels:
- 5 failed attempts per email in 15 minutes → account temporarily locked
- 20 failed attempts per IP address in 15 minutes → IP blocked
Both counters live in Redis rather than in the app's memory, so they survive an app restart or redeploy and are shared by every server instance. You can't get around them by refreshing the page. The per-email lock is deliberately temporary: a permanent lock would let anyone who knows your email keep you out of your own account.
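How the two counters fit together, as an added example and not Acardai's code: a fixed 15-minute window per key using the INCR-then-EXPIRE pattern, with an in-memory stand-in for Redis so the snippet runs offline. The key names, the injectable clock and the helper names are assumptions.

```javascript
// Added example (not Acardai's code): the two login counters described above,
// implemented against a tiny in-memory stand-in for Redis INCR + EXPIRE so it
// runs offline. Key names, the clock parameter and the helper names are assumptions.

const WINDOW_SECONDS = 15 * 60;
const MAX_PER_EMAIL = 5;
const MAX_PER_IP = 20;

// Minimal model of the two Redis commands the limiter needs. A real deployment
// uses a shared Redis so every app instance sees the same counters.
class CounterStore {
  constructor() { this.entries = new Map(); }
  // INCR, with EXPIRE set only when the key is created (fixed window).
  incr(key, ttlSeconds, now) {
    const e = this.entries.get(key);
    if (!e || e.expiresAt <= now) {
      this.entries.set(key, { count: 1, expiresAt: now + ttlSeconds });
      return 1;
    }
    e.count += 1;
    return e.count;
  }
  get(key, now) {
    const e = this.entries.get(key);
    return e && e.expiresAt > now ? e.count : 0;
  }
  del(key) { this.entries.delete(key); }
}

const store = new CounterStore();

// Normalize so "Alice@Example.com " and "alice@example.com" share one counter.
const emailKey = (email) => `login:fail:email:${email.trim().toLowerCase()}`;
const ipKey = (ip) => `login:fail:ip:${ip}`;

// Called before the password is even checked.
function loginAllowed(email, ip, now = Date.now() / 1000) {
  if (store.get(ipKey(ip), now) >= MAX_PER_IP) return { allowed: false, reason: 'ip_blocked' };
  if (store.get(emailKey(email), now) >= MAX_PER_EMAIL) return { allowed: false, reason: 'account_locked' };
  return { allowed: true };
}

// Called on a wrong password. Both counters move, so 20 different emails from
// one IP trip the IP block even though no single account locks.
function recordFailure(email, ip, now = Date.now() / 1000) {
  store.incr(emailKey(email), WINDOW_SECONDS, now);
  store.incr(ipKey(ip), WINDOW_SECONDS, now);
}

// Called on a correct password: clear the per-email counter only. The IP counter
// keeps counting, so an attacker who owns one valid account cannot reset it.
function recordSuccess(email) {
  store.del(emailKey(email));
}
```

The order of the checks matters a little: the IP check runs first so a blocked source gets the same answer for every email, and the success path only clears the email counter, never the IP one.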
Your refresh token can't be read by scripts in the page
When you log in, we give you two tokens: a short-lived access token (expires in 15 minutes) and a longer-lived refresh token (expires in 30 days).
The refresh token, the valuable one, is stored in an httpOnly cookie. That's a flag that tells the browser never to expose the cookie to JavaScript. Even if a malicious script somehow ran in your browser, it couldn't read your refresh token. To be precise about the limit: httpOnly stops the token from being stolen, not from being used. A script running inside our page could still make requests that the browser attaches the cookie to, which is why the access token's short lifetime and plain old XSS prevention still matter.
We also rotate the refresh token on every use: each refresh hands you a new token and retires the old one. If your token were intercepted, whichever copy is presented second, yours or the attacker's, is rejected, so a stolen token has a short useful life and that rejection is itself a signal that something is wrong.
Every API endpoint requires authentication by default
In most web apps, developers have to remember to add security to each new endpoint. Forget once, and you have an unauthenticated endpoint leaking data.
We flipped this. In Acardai, every endpoint requires a valid JWT by default. If an engineer wants to make something public, they have to explicitly mark it as such, and that opt-out shows up in the diff at code review. Forgetting to secure an endpoint is no longer a silent mistake: the worst you can do is forget to un-secure one, and that fails loudly with a 401, not quietly by leaking data.
We check ownership on every database query
This one is subtle but important.
When you request your wallet, recommendations, or benefits — we don't just check if you're logged in. We check that the specific resource you're requesting belongs to your account.
Every service method validates userId ownership before reading or writing data. You can't trick the API into showing you someone else's cards by guessing their ID (the classic insecure direct object reference bug); a card that isn't yours looks exactly like a card that doesn't exist.
We track affiliate clicks without storing raw IPs
We track when users click "Apply Now" on a credit card (that's how affiliate revenue works). But we don't want a database full of raw IP addresses sitting around. That's unnecessary PII.
Instead, we hash IP addresses with SHA-256 before storing them. We can still detect duplicate clicks and fraud, because the same address always produces the same hash. One caveat a careful reader would raise: the entire IPv4 space is only about 4.3 billion addresses, so a bare SHA-256 of an IP can be reversed by simply hashing every address and comparing. The "we can't reconstruct your IP" claim only holds when the hash is keyed with a secret that stays on the server (an HMAC), and that secret is kept out of the database.
You can export or delete all your data
You have the right to your data. We built this before being legally required to.
- Export: Hit one endpoint and you get everything we have on you — your profile, your cards, your recommendations, your loyalty accounts (decrypted), your benefits. Everything. As JSON.
- Delete: Request deletion and your account enters a 30-day grace period. Change your mind? Log back in and it restores. After 30 days, it's gone.
What we're still working on
Honesty matters here. There are things not done yet:
- Database backups and volume encryption on our production server (Fly.io) — being configured at deployment time
- CCPA deletion UI in the settings page — being built in our next frontend milestone
- Sentry error monitoring with PII scrubbing enabled — coming in the same frontend milestone
- Automated security dependency scanning (npm audit) in our CI pipeline — also coming soon
These aren't excuses. They're on the list, dated, and will be done before we accept real user data at scale.
Why we built all of this before launch
I want to be direct about something.
I'm a solo founder. I could have launched faster by skipping half of this. Nobody would have known — until something went wrong.
But Acardai is asking you to trust it with data connected to your financial life. That trust has to be earned before we ask for it, not after something breaks.
The people who sign up early — the ones reading posts like this — deserve to know exactly what they're signing up for.
Now you know.
Building Acardai in public. Questions about any of this? Reply on X (@acardai_dev) or email [email protected] — I read every message.
Want to stop leaving rewards on the table?
Join the waitlist for early access to Acardai.