What 'private' actually means in a finance app.

The day Mint shut down — March 23, 2024 — I got an email with a CSV attached. Three years of transactions, no budget history, no goal history, no category metadata. The legal minimum, dressed up as a migration plan. The email pointed me at Credit Karma, an app I had not asked for, owned by the same company that had just decided my budgeting habit was not the part of me they wanted anymore.

I'd given that product more detail about my financial life than I'd given my doctor. The goodbye was a credit-card marketplace and a flat file.

That's the moment I started caring, specifically, about what “private” means when a finance app uses the word. Because every app I looked at after that said they were “private.” They all meant different things.

The privacy spectrum

There are at least four levels of “private,” and they are not interchangeable.

Most popular finance apps sit at level 1 or 2 and use level-3 language. A few — Lunch Money, YNAB, Copilot — genuinely sit at level 3. Almost nobody is at level 4, because level 4 means saying no to the easy revenue paths the rest of the industry has been compounding on for a decade.

I built Arden because I wanted level 4 to exist as a real consumer product, not just a power-user spreadsheet.

What ‘free’ actually pays for

Let me name names, because vague critiques are how this conversation usually goes wrong.

Mint, when it was alive, was a level-1 product. Intuit's own global privacy statement describes sharing personal information across the Intuit family of products — TurboTax, Credit Karma, QuickBooks, Mailchimp — for “everyday business purposes including for marketing purposes.” A 2021 Axios profile described Mint as a product that could “scrape” transactions to find out “what bills you have and when they're due,” then use that profile to surface “personalized recommendations” — credit cards, loans, high-yield savings accounts whose providers paid Intuit a fee per signup. The product was free. The revenue model was building a behavioral profile of your finances dense enough to match you to a financial-product offer with high conversion probability.

When that model stopped optimizing — when Credit Karma's version of it earned more per user than Mint's — Intuit shut Mint down. They announced it October 31, 2023; the app went dark in March 2024. Mint users who migrated to Credit Karma migrated into a product where the lead-gen engine is the product. Credit Karma generated $1.6 billion in revenue in fiscal 2023, almost entirely from affiliate commissions on credit-card and loan signups. The free dashboard is the bait; the loan marketplace is the hook. Not a hidden truth — the explicit business model, just laundered through enough product polish that users stopped seeing it.

Empower is a different shape of the same idea. The free Personal Capital dashboard (rebranded Empower Personal Wealth in 2023) is genuinely useful — the net worth view, the account aggregation, the retirement-fee analyzer all work. But the dashboard is the front of a wealth-management funnel. Cross the $100,000 in linked assets threshold and you become eligible for the Personal Strategy advisory service, which charges 0.89% AUM on the first $1 million and includes outbound phone calls from a Certified Financial Planner. The dashboard isn't lying. It just isn't the business. The business is AUM. Your transaction stream, your liability mix, your held-away accounts — that's prospecting data for the advisor calls.

That's a legitimate business, and arguably a more honest one than Mint's, because the trade is nameable: you get a free aggregator, they get a qualified lead. But it is not, by any definition I'd accept, private. The dashboard is reading your data into a sales motion, and the sales motion is the point of the dashboard existing.

For ad-funded aggregators, the answer is “still builds a profile worth less but still nonzero.” For advisor-funnel aggregators, “still scores you for advisor outreach.” For an honest paid app, “uses it to render your screens, and that's it.”

The Plaid question

Here is the place I want to slow down and not pretend things are simpler than they are.

The realistic, modern, level-3 paid finance apps — Monarch, Copilot, Lunch Money, YNAB — all use Plaid (or a Plaid competitor like Finicity / MX) as the layer between your bank login and the app. Plaid authenticates you to Chase, retrieves the transactions, hands them over. The app never sees your bank password. That part is a real security upgrade over the screen-scraping era.

But Plaid is also collecting your data. Plaid's End User Privacy Policy lists the categories: “account data, including financial institution name, account name, account type, account ownership, branch number, IBAN, BIC, account number, routing number, and sort code”; “data about an account balance, including current and available balance”; “data about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate”; “data about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description”; and “data from your payroll and tax documents, including data about your income and employer.” Not a thin slice of metadata. The substrate of your financial life.

I'm not painting Plaid as a villain. By financial-data-aggregator standards, they're one of the more rigorous players — they publish their data-handling page, they run a consumer portal at my.plaid.com where you can view connections and submit deletion requests, and they participated in the open-banking work that produced the CFPB's Section 1033 final rule on October 22, 2024 — which, if it survives the current reconsideration process, will require banks to make consumer data portable on consumer demand, free of charge, to third parties the consumer authorizes.

But the architectural fact remains: when an app's “private” claim is built on top of Plaid, the claim has a third party in it. The promises are only as strong as Plaid's promises.

And to be candid: Plaid is convenient. Significantly more convenient than manual CSV import. For most people, most of the time, the convenience wins. I built Arden to support Plaid for exactly this reason — there's an Arden Plus plan at $12/month that uses it. Pretending the convenience isn't real would be the dishonest version of this argument.

What I wanted, and what didn't exist, was a third option: an app where Plaid was optional. Where every feature — budgeting, investments, net worth, goals, monthly review — worked without it. Where if you valued privacy more than convenience, the product didn't punish you for that choice by being half-functional.

What architectural privacy looks like

Arden Privacy is $5/month and has no Plaid integration. None. The bank-credentials flow is not present in the product. You import transactions via CSV (the import flowhandles every major US bank's export format) or you enter them by hand. Every feature — envelope budgeting, share-precision investment tracking, the 19-class balance sheet, savings goals, the Sankey cash flow diagram, the monthly review email — runs without ever sending a credential to a third party.

The trade is real. You move data manually. For some people that's a dealbreaker, and Arden Plus exists because of it — same product with Plaid added, $12/month, the convenience layer for people who want it. The point isn't that Privacy is right for everyone; the point is that the third option should exist, and until I built it, it didn't.

The other architectural commitment is the exit. The privacy policy commits to full CSV and JSON export from Settings — transactions, budgets, categories, accounts, holdings, goals — available before you cancel, not after. If Arden ever winds down, the terms of servicecommit to 90 days of advance notice and continued export access through the shutdown window. Mint's three-year-CSV-at-shutdown was the legal minimum. The reason I wrote a stronger commitment into the docs is because the legal minimum gives you a credit-card marketplace as your goodbye gift.

How to test any finance app's privacy claim

Four questions I'd run on any finance app — Arden included — before trusting it with your money data.

Run those on Arden too. The answers — every feature works without Plaid, the privacy policy bans data sales and affiliate sharing, the revenue is a $5 or $12 monthly subscription, CSV + JSON export is one click in Settings — are written down on purpose. Hold me to them.

Closing

The next decade of personal finance software is going to split. Half of it will continue down the road Mint built — free or near-free aggregators monetizing your data through some downstream funnel, whether that's credit cards or advisor calls or AI-driven cross-sells we haven't named yet. Half will be paid products where the user is the customer, and that half will fragment further between “we don't sell your data” and “we never had the data.”

I'm not arguing the architectural version is right for everyone. It isn't. Plaid is real convenience, and convenience is real value. But I am interested in the third option existing — a finance app where the privacy claim is in the shape of the software, not the wording of the policy. That's the version of “private” the word should mean when a finance app uses it.

The security page walks the controls one by one. The pricing page has both plans side by side. /why is the longer founder essay if you want it.

— Tyler