Your financial data deserves
bank-grade protection
We built Mixxi with security as a foundation, not an afterthought. Here's exactly how we protect your data.
How we protect your data
Six layers of protection for every piece of financial data.
Encryption at Rest
Every piece of data stored is encrypted with AES-256 — the same standard used by banks and government agencies. OAuth tokens are additionally encrypted with AES-256-GCM using dedicated encryption keys.
Encryption in Transit
All connections use TLS 1.3 — the latest transport security standard. Every API call, every page load, every data transfer is encrypted end-to-end.
No Raw Data Storage
We never keep your original bank statements or emails. Raw statements are deleted immediately after parsing. Email content is never stored — we only keep structured data: provider name, amount, plan, and dates.
Read-Only Email Access
When you connect Gmail or Outlook, we request read-only access. We cannot send, modify, or delete your emails. We only read billing-related messages — filtered by keywords, not browsing your inbox.
Australian Hosting
Your data is stored in Australia and never leaves the country. We use Australian-region infrastructure because your financial data should stay under Australian jurisdiction.
One-Click Deletion
Delete all your data with one click in Settings. No retention periods, no hidden backups, no ‘we’ll get to it eventually.’ When you delete, we delete. Within 30 days, permanently.
What happens to your data
Full transparency on every step of the process.
When you upload a statement
You upload a PDF or CSV
Your file is encrypted in transit with TLS 1.3.
We parse transactions
Structured data is extracted from your statement.
Raw file deleted
Only structured data is kept, encrypted at rest with AES-256.
Savings analysis runs
Recommendations are generated from structured data only.
You see your report
Your data, your control. Delete anytime.
When you connect email
OAuth consent
You grant read-only access. We never see your password.
We scan for billing emails
Keyword-filtered, not browsing. Only invoices, bills, and receipts.
Structured data extracted
Provider, amount, plan, and dates. Nothing else.
Raw email content discarded
Email content is never stored. Not even temporarily.
Revoke access instantly
From your dashboard or directly from Google/Microsoft settings.
What we don't do
Trust is built on what you choose not to do.
We don’t sell your data
Not anonymised, not aggregated, not to anyone. Ever.
We don’t use advertising trackers
No Facebook pixels, no Google Ads tracking, no cross-site cookies.
We don’t store your passwords
Passwords are hashed with bcrypt. We can’t read them. Neither can anyone else.
We don’t read your personal emails
Keyword filtering means we only process billing-related messages.
We don’t keep raw files
Bank statements are deleted after parsing. Email content is never stored.
Compliance
We meet the standards your financial data requires.
Australian Privacy Act 1988
We comply with all Australian Privacy Principles (APPs) and the Notifiable Data Breaches (NDB) scheme.
Google API Compliance
Our Gmail integration follows Google’s API Services User Data Policy. CASA Tier 2 security assessment is in progress.
Payment Security
All payments are processed by Stripe. We never see or store your full card number.
Have security questions?
We take security seriously and are happy to answer any questions about how we protect your data.