What we do with your data. And what we never do.

We never see your bank login. When you connect your bank, you authenticate directly with Plaid, the regulated infrastructure provider trusted by Venmo, Robinhood, and every major US neo-bank.

Plaid hands us read-only transaction data and we cannot initiate any transfer on your behalf, ever. We can read what came in and went out of your accounts so we can compute your cashflow. We cannot move a dollar.

Revoke Plaid access in your bank's dashboard or Plaid's consumer portal and our access stops immediately.

• TLS 1.3 in transit on every connection to our servers.
• AES-256 at rest in our database.
• Secrets are stored as Vercel environment variables, never checked into git.
• Our database runs on Supabase with row-level security policies that prevent any user from reading another user's data, enforced at the database engine layer rather than only in application code.

Account data is deleted within 30 days of an account closure request submitted to info@newmatrix.capital. The 30-day window exists so we can reverse the deletion if the request was fraudulent or in error.

Lead packets aggregated for underwriting analytics retain only de-identified fields - state, industry, monthly revenue bucket, FICO bucket - after 90 days. Names, EINs, and account-level data are stripped at the 90-day mark unless an active deal references them.

In the event of a confirmed data breach affecting borrower or lender accounts, affected users are notified within 72 hours via the email on file. A public incident report is published at /security/incidents on the date of remediation, covering scope, root cause, mitigation, and remaining risk.