Architecture · Privacy

What HELM has on you. The complete list.

May 4, 2026 · ~12 min read · Vantage Digital studio

Here's a thought experiment. If our database is breached tomorrow morning at 3 a.m. — every row of every table copied to an attacker's laptop — what does that attacker walk away with? Pull up your favorite finance app and ask the same question about it. The honest answer for most consumer finance apps is "we'd have to ask the engineers, and the answer is bad." The honest answer for HELM, which we'll spend the rest of this post making concrete, is "a list of things you typed in, plus the analyses you ran on them, and that's it."

That gap isn't a marketing flourish. It is the consequence of an architectural choice we made on day one and have refused to walk back even when it costs us features prospects expect. This post is the audit. We'll publish the full inventory of what HELM stores about you, the inventory of what HELM does not store, the architectural decision that produced both lists, and the price we pay for that decision. By the end of it you'll have a template you can use to interrogate any other finance app you're considering — and a sharp sense of why most of them won't be able to answer.

Why the question is worth asking out loud

Most finance apps cannot publish this kind of inventory. Not because they're hiding something malicious, but because the answer is genuinely sprawling: a primary database, a few read replicas, an analytics warehouse, an event-streaming layer, three observability vendors, two CRM platforms, an attribution stack, a customer-support tool that mirrors transcripts, an email service provider that retains delivery metadata, and a half-dozen ad and growth pixels firing through the user's browser. Each of those holds a different slice of you. Each has its own retention window, its own breach history, its own subprocessor list.

If you ran a fire drill at any large consumer finance company and demanded a complete data inventory by end of week, the engineering, security, legal, and ops teams would all need to be in the same room for several days, and the resulting document would still ship with a footnote about "best-effort scope." This is not a moral failing — it is a structural property of how modern SaaS gets built. Vendors stack until the architecture becomes opaque to its own operators.

HELM is built so that the inventory fits on a page. The reason it fits on a page is the reason we wrote a separate post about why we refused to use Plaid or Yodlee — once you accept aggregator integration, the inventory immediately doubles, and it doesn't fit anymore. So we accepted a different tradeoff, and we'll cover the cost of that tradeoff before the post is over.

The complete list of what HELM stores about you

This is every data class HELM persists. Not "the important ones." Not "the consumer-facing ones." All of them. If we add a new one, this list updates and the changelog reflects it.

HELM data inventory · v1.3.0

Identity
Email address. Display name (optional). Subscription tier. Account creation timestamp. That's it. No phone number, no mailing address, no government identifier, no date of birth, no employer, no income tier.
Holdings
A row for each asset you typed in: name, asset class, current value, optional account label, optional cost basis. No account numbers. No routing numbers. No login credentials. No OAuth tokens. No transaction-level history.
Scenarios
Saved what-if scenarios you build in the scenario builder: title, your projected starting values and contributions, your assumed return rate, your time horizon, and the model output. Inputs you typed; outputs we computed deterministically from those inputs.
Monte Carlo
Run history for the FI probability simulator: starting net worth, annual contribution, withdrawal rate, sequence-of-returns assumptions, and the resulting probability surface. All values are inputs you provided. No external data sources are involved.
Tax Brain
Sale events you've manually logged for wash-sale and harvesting analysis: ticker, date, quantity, proceeds, basis. Plus the analytical output (lots, holding period, realized gain). No brokerage statements ingested. No 1099 PDFs scraped. You type, we analyze.
Document Vault
Files you explicitly upload — typically estate planning, tax letters, insurance riders, account opening confirmations. Encrypted at rest, scoped to your account, never indexed for any purpose other than your retrieval. Optional. Most operators upload nothing.
Ask HELM threads
Saved chat sessions with the in-app advisor. Stored so you can pick up a thread in a week. The model only sees the data you've explicitly entered into HELM plus the message you just typed. Never sees external accounts (because there are no external accounts).
Settings
Email digest frequency. Display preferences. Leading-indicator goal targets you set yourself. Onboarding completion flag. Nothing about you, only how you want HELM to behave.
Audit log
Login timestamps and IP addresses, kept for 90 days for security alerting. Never sold, never used for analytics, purged on rolling window.

Read that list one more time. Notice what's there: things you typed in, and computations we ran on them. Notice the granularity at which the list terminates — we don't even keep your name unless you opt to set a display name. Notice that nothing on this list could be used by an attacker to log in to a brokerage as you, withdraw funds, run an ACH transfer, or impersonate you to a third party. The reason is in the next section.

The complete list of what HELM does not store about you

Just as important as what's there is what isn't. The following classes of data are absent from HELM by design — not by oversight, not pending a future migration. They will never be in HELM as long as the product is built the way it's built today.

Not in HELM · ever

Brokerage credentials
No usernames, passwords, or session cookies for any external financial institution. We never ask, so we never receive, so we cannot lose them.
OAuth tokens
No long-lived access tokens that an aggregator could use to log back in to your accounts on a recurring basis. Plaid, Yodlee, MX, and Finicity are not in our infrastructure.
Account numbers
Brokerage account numbers, bank account numbers, routing numbers, and credit card numbers are absent from every table in our database. The optional account label field is a free-text nickname ("Vanguard taxable") meant to help you organize entries — it should never contain actual account numbers, and the UI text is explicit about that.
Transaction-level data
Individual transactions from your bank or brokerage are not stored. The Tax Brain inputs you can manually log are sale events — discrete records you choose to enter for harvesting and wash-sale analysis. We do not maintain a continuous transaction stream.
Real-time balances
HELM does not poll external systems for current balances. The values in the dashboard are values you entered, plus an optional public-API price refresh for liquid securities (which only requires the ticker symbol and never your account).
Browser fingerprint
No third-party tracking pixels, no fingerprinting libraries, no session-replay recordings. The site you're reading this on does not load a single third-party origin — visitor-verifiable at vantagedigital.dev/network-audit.
Cross-site identity
No data brokers in the loop. We do not buy or sell user lists. We do not enrich your record with information you didn't give us. Foreground-only — what you typed is the only signal we have.
Government identifiers
No SSN, no driver's license, no passport, no national ID. HELM is not a custodian; it has no KYC obligation; it never has reason to ask.
Device location
No GPS, no geolocation API calls, no IP-to-coarse-location mapping for any purpose other than the security audit log mentioned above.

Take that list to the finance app you currently use and ask its support team — or its public privacy policy, or its security white paper if it has one — to confirm or deny each item. The answers will be illuminating, in both directions. A lot of consumer finance products store more than this. A few specialized tools store less. The exercise itself is the point.

The architecture decision that made this list short

HELM is manual-first. You enter your holdings yourself, in a structured form. You re-enter them when they materially change — on rollovers, large contributions, or quarterly check-ins for operators who run a tighter cadence. We optimize the entry experience to make this as fast as possible: bulk paste from a brokerage statement, smart defaults for asset classes, a one-click "duplicate last quarter" that brings forward your structure and lets you update only the values that moved.

That choice is what kept the inventory small. Manual entry means we don't need to maintain credentialed integrations, which means we don't need an aggregator vendor, which means we don't have a long-lived access token vault, which means we don't have transaction streams, which means we don't have the "real-time balance" feature most consumer apps lead with — and we don't have its corresponding attack surface.

An honest counter-question: doesn't this make the product worse? It makes the product different. The kind of operator HELM serves — fatFIRE, equity-comp households, multi-account allocators — is not optimizing to refresh a dashboard hourly. They're checking quarterly. They're running scenarios when something material happens. They're producing a document for an estate attorney or accountant. For that workflow, the manual cadence is a feature: you re-engage with the numbers instead of letting them auto-update into the background of your attention. The friction is therapeutic. (We made the same argument in net worth is a lagging indicator — the trailing-twelve-months number you didn't have to enter is the one you didn't have to think about, which is exactly the problem.)

The architectural tradeoff, stated plainly Aggregator-based tools optimize for the dashboard you check daily. HELM optimizes for the decisions you make quarterly. Different cadence, different surface area, different breach footprint.

The cost of choosing this architecture

To be fair to the alternatives: aggregator-based tools have real strengths. Here's what we give up by being manual-first, written without varnish:

What aggregator tools do well

  • Real-time balances after market close, no input required.
  • Auto-categorized transactions for budget tracking.
  • Single dashboard merging banking + brokerage + credit cards.
  • Frictionless onboarding — link three accounts and your net worth populates in two minutes.
  • Useful for daily spend visibility and short-horizon cash-flow management.

What manual-first tools do well

  • Inventory you can publish on a single page.
  • No breach surface for credentials you didn't share.
  • No third-party dependency that can break access (Plaid outages, institution disconnections, MFA changes).
  • Workflow built around quarterly decision points, not daily glances.
  • Useful for retirement modeling, equity-comp planning, estate prep, and any analysis where the right cadence is "deliberate."

If your dominant need is daily cash-flow visibility, an aggregator tool may serve you better than HELM, and we'll say that on a sales call without hesitation. If your dominant need is multi-decade modeling on a quarterly cadence with a clean handoff to your CPA or attorney, HELM is in its element. Operators in the latter group are who we built the product for.

Case study: the monthly digest

Here's a small concrete consequence of the architecture, and the thing that originally pulled this post out of an internal architecture memo and onto the public blog. HELM ships a Monday-morning email digest — a brief summary of the prior week's activity, your leading indicators, and any flags from Tax Brain or the scenario engine. It lands in your inbox; it does not require you to log in to read.

That last property surprises some operators when they think about it. Most finance dashboards can't send you a usable email summary, because the moment they pre-render numeric values into an email, they've made copies of those values outside the app's auth perimeter. So the typical digest you get from a finance app is a vague nudge ("you have new insights — open the app to view"), which exists to drive engagement metrics rather than to tell you anything. HELM's digest contains actual numbers, because the actual numbers are your numbers, that you entered, summarized and computed and sent back to you. There is no aggregator-side privacy concern about pre-rendering them, because there is no aggregator side. There is no risk of them being out of date relative to your "real" balances at the brokerage, because we never claimed to be polling those.

The digest is a small feature. But the property it has — useful without requiring a re-auth — is downstream of the architectural decision. Once you stop chasing real-time aggregation, a long list of small features become quietly cheaper and more useful, because the data is yours, the computations are deterministic, and the surface area to defend is narrow.

What every finance app should be willing to publish

If we accomplished only one thing with this post, we'd want it to be this: a template every reader can take to any other finance app they use, and ask the same questions of it.

  1. The complete inventory of data classes you hold about me. Not "the important ones." All of them, including analytics warehouse and CRM and email service provider and customer-support transcripts. If the company can't produce this in 24 hours, that is itself information.
  2. The list of subprocessors who receive any of those classes. Aggregator, hosting, observability, email, support, analytics, ads. Each subprocessor has its own retention, breach history, and contractual posture.
  3. The retention windows, by class. Login records for 90 days; identity for the lifetime of the account; transactions for seven years; et cetera. Vague answers ("we keep things as long as needed") are non-answers.
  4. The path to deletion. Clicking "delete account" should produce, within a defined window, removal across all listed classes and all listed subprocessors. The right number to expect is days, not "best-effort indefinite."
  5. The export equivalent. Anything you've entered should be exportable in a structured format — CSV at minimum, JSON ideally. If the data is yours, you should be able to leave with it.

If the company can answer (1) through (5) in plain language without reaching for a privacy lawyer first, you have a serious operator. If they can't, you have information about the kind of operator you have. Neither outcome is a moral verdict on the company; it's a description of the tools they've chosen and the tradeoffs they've made. But the difference will matter on the day a breach lands in the news.

Closing the loop on the thought experiment

Back to the prompt at the top of the post. If HELM is breached tomorrow morning at 3 a.m., the attacker walks away with: a list of email addresses, a list of values that you typed and called "holdings," some saved scenarios you ran, some tax events you logged for harvesting analysis, some chat threads you exchanged with an in-app advisor, and any documents you explicitly chose to upload to the vault (which are encrypted at rest with a per-account key, so the practical attack against vault contents would also require the encryption infrastructure, not just database read).

The attacker does not walk away with brokerage credentials, OAuth tokens, account numbers, real-time balances, transaction streams, or anything that lets them pretend to be you to a financial institution. None of that is in HELM, because we never collected it.

That property of "you cannot lose what you never collected" is older than software. It's the reason ATMs don't store the cash they dispense; the reason airline ticket counters don't hold passenger luggage in the lobby; the reason a good safe-deposit-box facility doesn't make a master copy of every deposit. The boring discipline of not collecting is a security control, possibly the strongest one a software product can adopt, and it's one of the few that actually scales linearly with the number of users — the more people you serve, the more carefully you have to defend what you have, but if you have less, you have less to defend.

It costs us features. We are clear-eyed about that. But it lets us write a post like this one — and back it up with a live audit page that proves zero third-party origins, an enforced Content Security Policy, scanner badges from independent third parties, and an architecture you can hold a finger on the structure of in fewer than fifteen minutes. We think that's a fair trade for the operator we built for.

The kind of finance app that publishes its data inventory.

HELM is the wealth OS we built for operators who would rather know exactly what's at risk than not know. Manual-first, non-custodial, exportable, and short on dependencies by design.

See HELM →

Related reading

The aggregator problem: why we refuse to ask for your brokerage password.
The architecture decision that made this inventory short, explained from the other direction.
Why a finance app should have zero third-party trackers.
The browser-side companion to the database-side argument in this post.
Why HELM has zero trackers — and what we use instead.
The 30-second self-audit you can run on any site, plus what we substituted for analytics.
Net worth is a lagging indicator. Here's the leading one.
Why a quarterly cadence outperforms a real-time dashboard for the decisions that actually move the curve.
This post describes the architecture of HELM as of v1.3.0 (May 2026). Inventory will evolve with the product; any new data classes will be added to the list above and surfaced in the changelog. None of the above is legal, security, or financial advice. We are not your lawyers and not your CISO. The post is a description of one product's choices and the reasoning behind them, written so that you can compare it apples-to-apples against any alternative you're evaluating.