How budget apps quietly resell your transaction data

2026-05-19 · 12-minute read · Investigation

The summary: Most "free" budget apps make money by selling aggregated, anonymized transaction-level data to third parties — financial institutions, data brokers, research firms. The aggregators in the middle (Plaid, Yodlee, MX) have built multi-billion-dollar businesses on this flow. Reading the privacy policies of major budget apps confirms it; reading them carefully reveals just how broad "anonymized" can be.

The supply chain

When a budget app advertises bank-account linking, three companies usually sit between you and the app:

The aggregator that talks to your bank (Plaid is the dominant one in the US; MX, Yodlee, Finicity compete)
The budget app itself
Downstream data buyers — financial institutions, hedge funds doing alternative-data research, fintech startups training models, credit-product affiliates

The data flow is straightforward: your bank → aggregator → app → downstream buyers. Each hop is described in a privacy policy you didn't read. The aggregator's policy says they may share anonymized data with the app. The app's policy says they may share anonymized data with partners. Downstream is where it gets harder to track.

What "anonymized" means in practice

Privacy policies routinely promise that shared data is "anonymized" — your name and account number stripped. But transaction-level data with timestamps, amounts, and merchant names is famously hard to truly anonymize. A 2015 MIT study showed that four arbitrary credit-card transactions are enough to uniquely identify 90% of people in a dataset of millions, even after removing names.

The data doesn't need to be tied to you specifically to be valuable. Aggregated transaction data shows that spending at restaurants is up 12% in Austin this quarter; that subscription churn is rising for Disney+; that a particular type of consumer is more likely to default on a loan. None of those insights require your name — but all of them require your transactions.

How "free" budget apps stayed free

Mint, in its prime, served ads alongside this data-sale revenue stream. Both were upfront in the privacy policy. The implicit deal: you get a free budget tracker, the app gets your transaction data and an ad surface to sell. For 14 years that deal worked for both sides — until Intuit consolidated and the cost-benefit shifted.

The post-Mint successors split the model. Some kept the data flow but added a subscription on top (Monarch, Copilot, Empower). Others rejected the data flow and charged a clean subscription (YNAB). A few rejected the entire architecture and charged a one-time fee (Penno, Buddy, Actual Budget).

The aggregator is the load-bearing piece

The single most consequential decision a budget app makes is whether to integrate with Plaid (or equivalent). Once integrated, your transaction data flows through Plaid's infrastructure on every refresh. Plaid's privacy policy is broad: they may use the data they process to "improve their services," which the policy elaborates can include developing financial products and research.

Plaid is now a $13B company, last valued in 2021. That valuation isn't justified by the fees aggregator services charge — it's justified by the data flow. Plaid is, by some measures, the largest custodian of US consumer transaction data outside the major banks themselves.

What you can actually verify

If a budget app's marketing claims "we don't sell your data," verify three things:

The privacy policy. Look for language about "service providers," "aggregated insights," "partner research." These are not lies — they're disclosures of the actual flow.
The aggregator's policy. If the app uses Plaid, your data flows through Plaid's terms regardless of what the app's policy says.
Apple's App Store privacy listing. Apple requires apps to disclose what data they collect and link to user identity. The listing for a typical bank-linked budget app shows transaction data is collected and may be linked to identity.

The architectural alternative

The only way to be certain none of this is happening is to use an app that has no aggregator integration at all. That's the design choice behind Penno: the binary contains no Plaid SDK, no MX, no Yodlee, no Finicity. There is no infrastructure that could transmit transaction data, even if we wanted to. The data path doesn't exist.

The trade-off is real: you enter every transaction yourself. The convenience is gone. What you get back is the certainty that the architecture matches the marketing.

What to actually do

If you want to keep using a bank-linked budget app, fine — millions of people do, and the data-sale risk is real but not catastrophic for individuals. You can mitigate:

Read the privacy policies of both the app and the aggregator
Limit which accounts you link (don't link investment accounts if you only budget on checking)
Revoke access at the bank level (most banks let you see and revoke aggregator connections in their security settings)
Delete the budget app account when you stop using it — and verify in the app's data-deletion settings, not just by uninstalling

If you've decided the trade-off isn't worth it, the manual-entry options exist. They're slower per transaction but eliminate the data flow entirely.

A note on this post

I (the developer of Penno) have an obvious stake in this argument. I tried to keep the post factual — every claim above is verifiable against the privacy policies of the named companies. If anything reads as overstated or unfair, email me and I'll correct it.

Subscribe to The Quiet Finance Letter

One essay every 3–4 weeks. Privacy, indie software, and the budget-app industry. No tracking pixels. Unsubscribe with one reply.

Subscribe via email →

Opens your mail app. We add your address by hand — no tracking, no double-opt-in spam.