Your money stays yours
Your money stays yours
Quarter is built to read, never to move. When you connect a bank account, the connection is read-only: Quarter can see transactions to calculate your income and set aside taxes, but it can never move, send, or withdraw a single dollar.
Your bank login never touches our servers. Bank connections are handled by our bank-connection providers (Plaid and SimpleFIN). We receive only read-only transaction data, never your username or password.
Quarter is a financial technology product, not a bank. We do not hold your money. Taxes are set aside as a calculation, a number we track for you, not a transfer of funds out of your control.
What we collect, and what we never do
What we collect, and what we never do
What we collect: your account details (name and email), your tax profile (filing status and state, used to calculate estimates), and, if you connect them, read-only bank transactions and the invoices you create. Card payments are processed by Stripe; we store a Stripe customer reference, never your card number or security code.
What we never do: we never store your bank login, we never move your money, we never sell your data, and we never share it with advertisers.
We do not sell your data
We do not sell your data
Our business model is simple: you pay for Quarter, and that is how we make money. We are not funded by advertising, so we have no reason to profile you or sell your information. We never have and never will sell or rent your personal or financial data.
Because we are an independent studio with no outside investors, there is no pressure to monetize your data on the side. The relationship is straightforward: you pay us, we run the product, your data stays yours.
Hosting
Hosting
glinr.com runs on Vercel (SOC 2 Type II, global edge network, automatic DDoS mitigation). Database is Neon serverless Postgres (SOC 2 Type II, point-in-time recovery, automated backups).
Static assets are served over Vercel's CDN with automatic TLS certificate renewal and HTTP to HTTPS redirection. HSTS is enabled to prevent downgrade attacks.
Payment processing is handled by Stripe (PCI DSS Level 1). We store only a Stripe customer ID, never card numbers or CVVs.
Encryption
Encryption
In transit: TLS 1.3 enforced on all connections.
At rest: Neon encrypts all data at rest using AES-256. Vercel encrypts build artifacts and environment variables.
Passwords: bcrypt with cost factor 12. Plaintext passwords are never stored or logged.
Secrets: API keys and credentials are stored as encrypted environment variables. They are never committed to source control and not accessible from the browser.
Access Control
Access Control
Row-Level Security (RLS) is enabled on the Neon database. Each query runs with the minimum required permissions.
Authentication is handled by better-auth: secure HTTP-only session cookies with SameSite=Strict, rate-limited login to prevent brute force, and OAuth scopes limited to the minimum required.
Production database credentials are not accessible to the application build pipeline.
All code changes go through peer review before merging. Branch protection prevents direct pushes to main.
Dependency vulnerabilities are scanned automatically; critical patches are applied within 24 hours.
Vulnerability Disclosure
Vulnerability Disclosure
We welcome responsible disclosure from security researchers.
To report a vulnerability: email [email protected] with a description, reproduction steps, and potential impact. We acknowledge within 48 hours and aim to patch critical issues within 24 hours.
Please: do not access data beyond your own account, do not disrupt service, and coordinate disclosure timing with us (90-day window by default).
We will not pursue legal action against researchers who act in good faith under these guidelines.
Patch SLAs: critical within 24 hours, high within 7 days, medium within 30 days, low in next release.
Incident Response
Incident Response
Detection: Vercel observability and Neon metrics alert the engineering team to anomalies in real time.
Containment: the affected system is isolated within minutes of confirmation.
Notification: affected users are notified within 72 hours of confirmed breach (as required by GDPR Article 33). Relevant authorities are notified as required by law.
Post-incident: root cause analysis completed within 7 days. A public transparency report is published within 30 days for incidents affecting user data.
Compliance Roadmap
Compliance Roadmap
Current: GDPR (EU), CCPA (California), SOC 2 Type II via sub-processors (Vercel, Neon), PCI DSS Level 1 via Stripe.
Planned: SOC 2 Type II for GLINR Studios directly (target: when ARR supports the audit cost), ISO 27001 assessment.
We do not make compliance claims we cannot evidence. This list reflects what we have, not aspirations.
Questions: [email protected].
Questions about this policy?
Email [email protected] and we will respond within 30 days. For security reports use [email protected].