Frequently Asked Questions

Yes. Moneytree is a read-only service — it cannot initiate transfers or transactions on your behalf. All communication is encrypted with TLS, data is stored encrypted at rest using AES-256 in AWS Japan, and access uses certificate pinning and biometric authentication. Moneytree holds ISO/IEC 27001 certification and is registered with Japan's FSA as an electronic payment intermediary.

No. Moneytree is a view-only aggregation service. Even though it connects to your financial accounts, it has no capability to initiate payments, transfers, or any transactions. It can only read balance and transaction data.

Credentials for linked financial institutions are encrypted and stored securely. Moneytree supports biometric authentication (Touch ID / Face ID), and where institutions offer OAuth-based API connections, those are used in preference to credential storage. Certificate pinning prevents man-in-the-middle attacks on mobile.

Yes. Moneytree runs an ongoing public bug bounty programme on Bugcrowd, conducts annual third-party penetration tests, and performs continuous automated vulnerability scanning. The security programme is certified to ISO/IEC 27001.

Moneytree operates a managed bug bounty programme on Bugcrowd where researchers can submit findings confidentially. You can also contact the security team directly at security@moneytree.jp. All valid reports are triaged within two business days.

If you've forgotten your password, use the password reset link on the login screen and enter your registered email address. If you're locked out after multiple failed attempts, the reset flow will also unlock your account. Check your spam folder if the reset email doesn't arrive.

No. Moneytree does not sell personal data, run ad campaigns, or share data with third parties without explicit consent. Data is only shared in three cases: with your prior consent, when it cannot identify individuals, or when legally required.

Only an email address and password are required to create a Moneytree account. Moneytree does not collect personally identifiable attributes such as age, gender, residential address, or occupation.

No. Customer support staff cannot view your transaction details or balances. Engineers only access non-identifiable data when strictly necessary for maintenance. This is enforced technically, not just by policy.

All user data is stored in AWS data centres located in Japan. Data residency is maintained within Japan in compliance with APPI requirements.

When you delete your Moneytree account, all linked financial institution data, transaction history, and personal information are fully erased within 24 hours. The deletion can be initiated from the app (iOS / Android) or the web app at app.getmoneytree.com. Deleted data cannot be recovered.

Moneytree generates revenue through paid product features (expense management, corporate accounts) and through MT LINK — an API platform for financial institutions. It does not monetise customer data through advertising or data sales.

Moneytree holds ISO/IEC 27001 certification (IS 732576), TRUSTe Privacy Accreditation across iOS, Android, and Web (renewed annually), and is registered with Japan's Financial Services Agency as an electronic payment intermediary (電子決済等代行業者).

Moneytree provides at least 30 days' advance notice before any changes to its Terms of Service or Privacy Policy take effect. Changes are clearly highlighted so you can see what has been modified.