Your bank data deserves better than blind trust.
Calmnect.ai is built on TrueLayer — an FCA-authorised AISP. We operate as its agent under UK open banking regulations. Read-only access. No payments. Consent you own and can revoke any time.
[ REGULATORY FOUNDATION ]
Regulated access. Not a workaround.
We connect your bank accounts through TrueLayer, one of the UK's leading FCA-authorised Account Information Service Providers. Calmnect.ai operates as a registered agent of TrueLayer — which means your data access is covered by TrueLayer's FCA authorisation, not a grey-area API scrape.
Read-only We can see your data. We cannot move money, initiate payments, or modify accounts.
Scope-bound consent You explicitly authorise which accounts and data types we may access before any connection activates.
90-day PSD2 cycle Strong Customer Authentication renewal is enforced every 90 days by regulation — not optional.
Revoke any time Withdrawing consent immediately halts data refresh and removes stored tokens.

[ ENCRYPTION & DATA HANDLING ]
Tokens never touch a log file.
Every access and refresh token is wrapped in AES-256-GCM encryption before it reaches the database. One encrypt path, one decrypt path — no raw tokens in storage, queries, or error traces.
AES-256-GCM at rest
Provider tokens are encrypted with a platform-managed key before storage. Key rotation is procedurally documented.
Encrypted transport
All data in transit uses TLS. TrueLayer's API communicates over HTTPS with mutual certificate validation.
Zero plaintext policy
The encrypt and decrypt helpers are the single gateway. No code path writes or logs an unencrypted token.

[ AUDIT & TRANSPARENCY ]
A log that names every accessor.
Every time data leaves the platform — via an agent run, a REST call, an MCP tool, or a webhook — a signed entry is written to your audit log. You can see exactly what was accessed, when, and by which actor.
Actor-level detail Entries distinguish between agent type, API key ID, MCP client, and authenticated user.
Timestamp + records returned Every log entry includes the endpoint called and how many records were returned.
Filterable, searchable Filter by date range, accessor type, or specific key ID from the Technical Dashboard.
FCA & GDPR defensible The audit schema satisfies obligations under PSD2 and GDPR Article 30 accountability principles.
[ CONSENT ARCHITECTURE ]
Consent is shown at connection and stored every time it changes.
We don't bury consent in a checkbox. Scope, duration, and revocation rights appear prominently before you authorise any connection — and every change to consent status is written to an immutable event log.
- STEP 01 — CONNECT
Scope disclosed before authorisation
The connection screen names every data scope being requested — accounts, balances, transactions — and links directly to TrueLayer's terms.
- STEP 02 — STORE
Consent record written immediately
A consent record captures the granted scopes, timestamp, actor, IP, and user agent. No scope is ever assumed — only what was explicitly granted is used.
- STEP 03 — RENEW
90-day re-auth with reminders
The platform sends in-app and email reminders at T-14, T-7, and T-1 days. One-tap re-auth reuses the same consent UI against the same connection ID.
- STEP 04 — REVOKE
Revocation is immediate and complete
Clicking Revoke calls the TrueLayer or Calmony delete-consent endpoint, stops all data sync, and writes a revocation event. Nothing lingers.
[ YOUR GDPR RIGHTS ]
Rights that actually work.
GDPR rights are not a policy PDF — they're implemented features with real UI flows and verified workflows behind them.
Data export — Article 20
Download everything we hold: connections, accounts, balances, transactions, agent runs, and consent history. Delivered as JSON, Excel, and a human-readable PDF summary to your email.
Full erasure — Article 17
Deleting your account triggers a verified workflow: provider consents revoked, all transactions and balances wiped, agent run history removed. A tombstone receipt is the only thing that remains.
Manage consent & scopes
View every active scope granted to every connection. Withdraw individual scopes or revoke an entire connection from the Technical Dashboard — no support ticket required.
Audit log access
See a filterable record of every time your data was accessed, by which agent, API key, or MCP client, with timestamps and record counts. Yours to query, yours to export.
[ AGENT ACTIVITY ]
AI agents run on your data — you see every run.
Five built-in agents analyse your bank data — Income Verifier, Affordability Scorer, Multi-Account Aggregator, Recurring Payment Detector, Spend Categoriser. Every run is logged with its trigger, duration, input summary, and output. You control when they run and what they connect to.
Triggered by Logged whether a run was triggered by you, an API key, an MCP client, a webhook, or a nightly cron.
Output downloadable Agent run outputs (including PDF reports from Income Verifier) are stored and available to download.
Your data stays your data Agents operate on data already held in your account — they do not transmit raw transactions to third parties.

[ REGULATORY DISCLOSURES ]
What we're required to tell you — and do.
Calmnect.ai operates as an agent of TrueLayer Limited, which is authorised by the Financial Conduct Authority as an Account Information Service Provider (AISP) under the Payment Services Regulations 2017.
We are authorised only to read account information. Payment initiation is outside the scope of this service and is not implemented. No money can be moved through Calmnect.ai.
PSD2 Strong Customer Authentication requires you to re-authorise each connection every 90 days. We send reminders before expiry and the re-auth takes a single tap.
[ SECURITY FAQ ]
Common questions, straight answers.
Bank data you can connect, audit, and revoke.
FCA-regulated access. AES-256 encryption. Full GDPR rights. Built for the era when AI needs to know your finances — but you still call the shots.
Questions? Email sf-core-org-support-calmnect-ai@saas-factory.ai
Join the early access list
Be among the first to connect your bank accounts to your AI. We'll notify you when access opens.
Calmnect.ai operates as an agent of TrueLayer Limited, authorised by the Financial Conduct Authority as an AISP. Read-only access only. Payments not enabled. 90-day PSD2 SCA renewal required. Data stored and processed in accordance with UK GDPR.