
Is It Safe to Connect Your Bank Account to a Third-Party App?

An honest breakdown of what happens when you connect your bank to a third-party app — what data is shared, how it's protected, and what to watch out for.

Rudy · Founder, SheetLink

Connecting your bank account to a third-party app feels risky. You're giving something that has access to real money to a company you may have just discovered.

The risk is real — but it's often misunderstood. This guide breaks down exactly what happens when you connect a bank account, what data is actually shared, and how to evaluate whether an app is trustworthy.

Most modern fintech apps connect to your bank through a service like Plaid, MX, or Finicity. These are bank connectivity providers — they sit between the app and your bank.

Here's what actually happens when you click "Connect Bank":

  1. The app opens a Plaid modal (or similar)
  2. You enter your bank credentials directly into Plaid's interface — the app never sees them
  3. Plaid authenticates with your bank and stores an encrypted access token
  4. Plaid returns transaction and account data to the app via API
  5. The app uses that data — it never touches your credentials again

Your bank password is never transmitted to, stored by, or visible to the third-party app. It goes to Plaid and stays there.

Plaid is the infrastructure layer that powers most consumer fintech in the US. Venmo, Coinbase, Robinhood, Acorns, and thousands of other apps use Plaid to connect to bank accounts.

Plaid is:

  • SOC 2 Type II certified — independently audited security controls
  • ISO 27001 certified — international information security standard
  • Regulated and monitored by financial industry standards

When an app says "powered by Plaid," that's a meaningful trust signal — Plaid has more to lose from a security incident than any individual app built on top of it.

Plaid shares a limited, defined set of data with connected apps:

What IS shared:

  • Transaction date, merchant name, amount, category
  • Account name (e.g. "Chase Checking ••4821")
  • Account balance
  • Account type (checking, savings, credit card)

What is NOT shared:

  • Your bank username or password
  • Your full account number
  • Your Social Security Number
  • Wire transfer capability
  • The ability to move money

An app connected via Plaid can read your transaction data. It cannot initiate transfers, make payments, or do anything that involves moving money.
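The connection flow and the read-only limit described above can be modeled in a few lines. This is an added example, not Plaid's API or SheetLink's code: the `Provider` class, its method names, the scope strings and the sample data are all hypothetical. It goes slightly beyond the text by also modeling revocation when the user disconnects.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; no real bank, user or transaction.
BANK_LOGINS = {"alice": "correct-horse"}
LEDGER = {"alice": [{"date": "2024-05-01", "merchant": "Grocer",
                     "amount": -42.10, "category": "Food"}]}

class Provider:
    """Hypothetical broker that sits between the app and the bank."""
    def __init__(self):
        self._grants = {}  # sha256(token) -> (user, scopes)

    def link(self, user, password):
        # Steps 2-3: the credential check happens here, not in the app.
        known = BANK_LOGINS.get(user, "")
        if not known or not hmac.compare_digest(known.encode(), password.encode()):
            raise PermissionError("bank login failed")
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = (user, frozenset({"transactions:read"}))
        return token  # the only secret the app ever holds

    def _authorize(self, token, scope):
        grant = self._grants.get(self._key(token))
        if grant is None:
            raise PermissionError("unknown or revoked token")
        if scope not in grant[1]:
            raise PermissionError("token lacks scope " + scope)
        return grant[0]

    def transactions(self, token):  # step 4: read-only data for the app
        return list(LEDGER[self._authorize(token, "transactions:read")])

    def transfer(self, token, amount):
        # Needs a scope that link() never grants, so app tokens fail here.
        user = self._authorize(token, "transfers:write")
        LEDGER[user].append({"amount": -amount})

    def revoke(self, token):  # user disconnects the app
        self._grants.pop(self._key(token), None)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

def blocked(fn, *args):
    """Return True if the provider refuses the call."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The app in this model only ever calls `transactions(token)`; the password goes to `link()` alone, and a revoked token fails every later call.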

Before Plaid and similar services, many apps connected to banks by logging in as you and scraping your account pages. This approach:

  • Required giving the app your actual bank credentials
  • Violated most banks' terms of service
  • Gave the app full account access, not just read access
  • Created liability if the app was breached

Some budget apps still do this. If an app asks for your actual bank username and password — not through a Plaid modal — that's a significant red flag.

Green flags:

  • Uses Plaid, MX, or Finicity (not raw credential entry)
  • Clear privacy policy that explains what data is stored and for how long
  • Can disconnect bank access from within the app
  • Open source or transparent about its data handling
  • Doesn't store transaction data on its own servers

Red flags:

  • Asks for your bank username and password directly
  • Vague privacy policy ("we may share data with partners")
  • No way to delete your data or revoke access
  • Auto-syncs in the background without your awareness

SheetLink is built around the idea that you should control when your data moves:

  • Plaid-based connection — your credentials never touch SheetLink
  • Manual sync only — your data only moves when you click Sync Now
  • No transaction storage — data goes from Plaid directly to your Google Sheet; SheetLink doesn't keep a copy
  • Open source — the Chrome extension code is publicly auditable on GitHub
  • Disconnect anytime — remove your bank from the Bank tab; access is revoked immediately

The answer to "is it safe?" depends on the specific app. The infrastructure (Plaid) is solid. What matters is what the app does with the data it receives.

If you ever want to disconnect an app:

  1. From within the app — most Plaid-based apps have a "Disconnect" or "Remove bank" option
  2. From Plaid's dashboard — go to my.plaid.com to see all apps with Plaid access and revoke any of them
  3. From your bank — some banks let you manage third-party app access in their security settings

You're never permanently locked in.


With Plaid-based apps, no. You enter your credentials directly into Plaid's interface — the app you're connecting never sees your username or password. Plaid is SOC 2 Type II certified and handles credentials under strict security standards.

Plaid shares transaction data (date, merchant, amount, category), account balances, and account names. It does not share your bank login credentials, SSN, or full account numbers.

Yes — you can disconnect any Plaid-linked app from within the app itself, or from your Plaid privacy dashboard at my.plaid.com. Some banks also let you revoke third-party access from their own settings.

No. SheetLink fetches transactions from Plaid and writes them directly to your Google Sheet. Transaction data is not stored on SheetLink's servers.

Screen scraping means an app logs into your bank as you and copies what it sees. Plaid uses official bank APIs where available — your credentials go to Plaid, not the app, and access is explicitly authorized.