Is Plaid Payment Safe? Security and Privacy Facts

Plaid is generally safe to use. The company connects more than 12,000 financial institutions to thousands of apps, and it uses bank-level security measures to protect your data. That said, Plaid has faced legitimate criticism over how it handled user data in the past, and understanding both the safeguards and the history will help you decide how comfortable you are using it.

What Plaid Actually Does With Your Data

When you link a bank account to an app like Venmo, Coinbase, or a budgeting tool, Plaid acts as the middleman. It verifies your account, confirms your identity, and passes the necessary financial data to the app you’re using. Plaid itself is not a payment processor or a bank. It’s a data pipeline.

The range of data Plaid can access is broad. Depending on which app you’re connecting and what it needs, Plaid may collect your account and routing numbers, transaction history, balances, credit account details (including interest rates and repayment status), loan information, investment holdings, and even payroll and tax data if you connect an employer account. It also collects personal identifiers like your name, email, phone number, date of birth, and address.

That’s a lot of sensitive information in one place, which is why Plaid’s security practices matter.

How Plaid Protects Your Information

Plaid encrypts data both in transit and at rest, meaning your financial details are scrambled whether they’re moving between servers or sitting in storage. The company uses token-based authentication through OAuth, a protocol that lets you grant an app access to your bank data without handing over your actual bank username and password. Instead of storing your login credentials, Plaid exchanges them for a temporary access token. These tokens expire, can be refreshed, and can be revoked at any time, which limits the damage if anything goes wrong.
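The token properties described above (expiry, refresh, revocation), modeled in a short Python example that is added here and is not Plaid's code or API. The `TokenStore` class, its method names, the grant id, and the 30-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Illustrative token issuer (hypothetical, not a real provider's design).
    It keeps only SHA-256 hashes of the tokens it hands out, never a password."""

    def __init__(self, access_ttl=1800, clock=time.time):
        self.access_ttl = access_ttl   # assumed lifetime in seconds
        self.clock = clock             # injectable so expiry can be tested
        self.access = {}               # hash(access token) -> (grant_id, expires_at)
        self.refresh = {}              # hash(refresh token) -> grant_id
        self.revoked = set()           # grants the user has disconnected

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint_access(self, grant_id):
        token = secrets.token_urlsafe(32)
        self.access[self._h(token)] = (grant_id, self.clock() + self.access_ttl)
        return token

    def link(self, grant_id):
        """Run once after the user authenticates; returns (access, refresh)."""
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[self._h(refresh_token)] = grant_id
        return self._mint_access(grant_id), refresh_token

    def check(self, access_token):
        """Return the grant id if the token is still live, otherwise None."""
        entry = self.access.get(self._h(access_token))
        if entry is None:
            return None
        grant_id, expires_at = entry
        if grant_id in self.revoked or self.clock() >= expires_at:
            return None
        return grant_id

    def refresh_access(self, refresh_token):
        """Swap a refresh token for a new short-lived access token."""
        grant_id = self.refresh.get(self._h(refresh_token))
        if grant_id is None or grant_id in self.revoked:
            return None
        return self._mint_access(grant_id)

    def revoke(self, grant_id):
        """User disconnects the app: every token under the grant stops working."""
        self.revoked.add(grant_id)
```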

Major banks have also moved toward formal data-sharing agreements with Plaid. JPMorgan Chase, for example, has a dedicated data access agreement that lets Plaid pull customer data through a secure, direct connection rather than the older method of “screen scraping,” where Plaid would essentially log into your bank account and read the screen like a human would. These agreements give the bank more control over what data is shared and how, which benefits you as the customer.

The Privacy Lawsuit and What Changed

Plaid’s safety record isn’t spotless. In 2020, a class action lawsuit accused the company of collecting more financial data than users realized and designing its login screens to look like they belonged to the user’s bank, which allegedly misled people into thinking they were entering credentials directly with their bank rather than with Plaid.

A federal court approved a settlement in July 2022 that required Plaid to make several concrete changes. The company had to delete transaction data it had collected from users who never connected to an app that actually requested that data. It had to minimize the data it stores from financial accounts going forward. Plaid was also required to add clear disclosures to its login screens so users understand they’re sharing data with Plaid, not their bank. The company now maintains a “Plaid Portal” linked prominently from its homepage where you can see which apps have access to your data and disconnect them.

These changes addressed the core complaints, but the lawsuit is worth knowing about because it reveals that Plaid once operated with less transparency than it does today. The current version of Plaid is meaningfully more upfront about what it collects and why.

Who Plaid Shares Your Data With

According to Plaid’s privacy policy, the company only shares your personal financial data with third parties to power the services you requested, when you consent, or to protect against fraud and other security concerns. Plaid states it does not sell your financial data to outside marketers.

There is one caveat: Plaid collects cookie data when you visit its website and may share that data with third parties or allow third parties to collect it directly. This is standard practice for most websites, but it’s separate from the financial data you share when linking a bank account.

What Happens if Something Goes Wrong

If an unauthorized transaction hits your bank account after you’ve connected it through Plaid, your protection comes from federal law, not from Plaid itself. Regulation E, enforced by the Consumer Financial Protection Bureau, caps your liability for unauthorized electronic fund transfers based on how quickly you report the problem.

If you notify your bank within two business days of learning about an unauthorized transfer, your maximum liability is $50. Wait longer than two days but report within 60 days of your bank statement, and your liability can rise to $500. Miss the 60-day window entirely, and you could be on the hook for the full amount of any transfers that happen after that deadline. Banks are also required to extend these time limits if you had a legitimate reason for the delay, such as a hospital stay or extended travel.

The key takeaway: monitor your bank statements regularly. Your legal protections are strong, but only if you act quickly when something looks wrong.

How to Control Your Plaid Connections

You can manage which apps have access to your financial data through Plaid’s consumer portal at my.plaid.com. From there, you can see every app you’ve connected, review what data each one can access, and disconnect any app you no longer use. Disconnecting an app through the portal revokes Plaid’s ability to pull new data on your behalf, though the app itself may retain data it already received (you’d need to check that app’s own privacy settings).

If you want to go further, you can request that Plaid delete your data entirely. The portal provides a way to submit deletion requests, and the company is required under its settlement terms to honor them. Regularly pruning old connections is one of the simplest things you can do to reduce your exposure. Many people link a bank account to an app once, stop using the app months later, and never think to revoke access.

Is Plaid Safer Than the Alternatives?

The alternative to using Plaid is often entering your bank account and routing number directly into an app, which offers no encryption layer at all and gives the app permanent access to those numbers. Plaid’s token-based system is more secure than that approach because tokens can expire and be revoked, while an account number cannot.

The other alternative is simply not linking your bank account to third-party apps. That’s the most secure option, but it also means giving up services like automatic budgeting tools, instant payment apps, and streamlined loan applications. For most people, the convenience is worth the trade-off, especially now that Plaid operates under stricter transparency requirements and major banks have direct data-sharing agreements in place. Just make sure you review your connected apps periodically and disconnect anything you’re no longer using.
