Security at XitPlan

Last updated: November 21, 2025

We experiment with money, systems, and AI, but when it comes to your data and security, we do not experiment. This page explains how we protect your information across XitPlan websites and products.

For legal details on how we collect and use data, see our Privacy Policy and Terms of Use.


Access to your data

How our team accesses data

XitPlan team members do not routinely access your personal or financial data as part of normal operations.

We may access limited data only in these situations:

  • You contact support and explicitly ask us to investigate an issue
  • We are required to comply with law or a valid legal request
  • We need to protect our systems or other users from abuse, fraud, or security threats

When access is required:

  • Access is restricted to specific team members
  • Access is logged and time-bound
  • We only access what is necessary to solve the problem or comply with the request

We use aggregated and anonymized data for product analytics and improvement when possible. See the Privacy Policy for details.


Account security and passwords

Where XitPlan products use accounts and passwords, we follow industry best practices.

  • Passwords are stored using salted, one-way hashing with a secure password hashing algorithm
  • We never store passwords in plain text
  • We use controls to reduce brute-force attacks and automated password guessing
  • We encourage long, unique passwords and recommend using a password manager

You are responsible for keeping your login details confidential and for securing access to your devices.

If you believe your account has been compromised, contact us immediately at contact@xitplan.ca.


Data retention and deletion

We keep your data only as long as it is needed for:

  • Operating the product or service you are using
  • Providing support that you requested
  • Meeting legal, tax, and accounting obligations

When you request deletion of an account or specific data, we:

  • Remove or anonymize data from active systems within a reasonable timeframe
  • May retain limited records where required by law or for legitimate business reasons, such as fraud prevention or accounting

Details on retention, including product-specific rules, are outlined in the relevant Privacy Policy for that product.


Infrastructure and hosting

XitPlan uses modern cloud infrastructure and reputable third-party providers to host our websites, apps, and databases.

Examples include:

  • Cloud hosting platforms and managed database services
  • Email and messaging providers
  • Storage and logging services

These providers typically hold widely recognized security certifications such as ISO 27001 and SOC reports. We select vendors that:

  • Have strong security track records
  • Provide encryption in transit and at rest
  • Offer robust access controls and monitoring

XitPlan itself does not claim these certifications. They are held by the underlying infrastructure providers.


Payments and billing

When you pay for XitPlan products or services:

  • Payments are processed by PCI DSS-compliant payment providers such as Stripe or similar providers
  • Your full payment card details are sent directly to those providers and never stored on XitPlan servers
  • We receive limited billing information that is necessary for records, such as the last digits of the card, billing country, and transaction details

This design reduces the amount of sensitive payment data that flows through our systems.


Connections to other services

Some XitPlan products may integrate with third-party services, for example:

  • Calendar providers
  • Email and communication tools
  • Other financial or productivity apps

When we build these integrations, we favor connection methods that:

  • Let you authenticate directly with the third-party service
  • Use secure tokens instead of sharing your password with XitPlan
  • Limit access to only the data needed for the feature to work

If a product uses direct connections to financial institutions or other sensitive accounts, that product will provide more specific technical details in its own documentation or in in-app notices.


Traffic and encryption

We protect data in transit and at rest using strong encryption.

  • All traffic between your browser or app and XitPlan servers uses HTTPS with TLS encryption
  • We enforce secure connections and do not allow unencrypted access to our production APIs
  • Data stored in our databases and backups is encrypted at rest using industry-standard algorithms, provided by our cloud vendors

You can check for “https” and the lock icon in your browser when visiting XitPlan pages that collect or show personal information.


Device and operational security

On our side, we apply security practices to how our team works:

  • Company accounts use strong passwords and multi-factor authentication where available
  • Access to production systems is limited to team members who need it for their role
  • We review access on a regular basis and remove accounts that no longer need access
  • We keep our core software and dependencies reasonably up to date to reduce known vulnerabilities

We continuously refine internal processes as XitPlan grows.


Social engineering and phishing

Technical security does not help if someone tricks you into sharing your login.

To protect yourself:

  • XitPlan will never ask for your password in email, chat, or social media
  • Do not share one-time codes or authentication codes with anyone claiming to be from XitPlan
  • Always check the domain name before logging in, and type it manually or use a trusted bookmark
  • Be cautious with links in unsolicited emails or messages that ask you to log in or provide personal information

If you receive a suspicious message that appears to be from XitPlan, forward it to contact@xitplan.ca so we can investigate.


Reporting a security issue

If you believe you have found a security vulnerability or weakness in any XitPlan product, website, or system, we want to hear from you.

Please contact us at: contact@xitplan.ca

Subject line: Security issue report

Include as much detail as possible so we can reproduce and investigate:

  • The product or page where you found the issue
  • Step-by-step description of what you did
  • Any relevant screenshots or error messages

We ask that you:

  • Do not exploit the issue or access data that does not belong to you
  • Do not publicly disclose details until we have had a chance to review and address it

At this time we do not run a public bug bounty program, but we value and appreciate responsible disclosure.


Always improving

Security is an ongoing process, not a one-time setup. As XitPlan evolves:

  • We review our infrastructure and practices
  • We adjust our controls based on new threats and technologies
  • We update this page to reflect meaningful changes

For details on how we collect, use, and store your data, please also review our Privacy Policy and Terms of Use.