Bank APIs and Portfolio Trackers: Why Connecting Your Broker Is Riskier Than You Think
Key Takeaways
▸ Portfolio trackers using bank APIs hold persistent credentials (OAuth tokens or API keys) that can pull your full financial history at any time.
▸ Read-only access still means your entire transaction history — every buy, sell, dividend — is stored on a third-party server indefinitely.
▸ Free apps frequently monetise through data sharing with aggregators, advertisers, or financial data companies.
▸ Most investors have forgotten API connections still active at their broker — audit and revoke them regularly.
▸ A no-API architecture (CSV import only) is the only way to achieve privacy by design, not just privacy by policy.
Every week, thousands of investors connect their brokerage accounts to portfolio tracking apps using bank APIs or Open Banking tokens. The promise is convenient: your positions sync automatically, you never have to enter a trade manually. But behind that convenience lies a set of data access permissions that most investors have never read — and that can expose far more than just your portfolio balance.
This guide explains exactly what bank APIs are, how portfolio trackers use them, what data they can access when you connect your broker, and why a no-API approach is the only architecture that gives you genuine privacy by design.
What Are Bank APIs and How Do Portfolio Trackers Use Them?
An API (Application Programming Interface) is a standardised channel through which one software system requests data from another. In the context of portfolio tracking, a bank or broker API lets an external app — the tracker — read your account data directly from the broker's servers, without you having to export or upload anything manually.
Most portfolio trackers that offer broker connectivity use one of three methods:
1. Open Banking (PSD2 in Europe): A regulatory framework that forces banks and brokers to expose read-access APIs to authorised third parties. You authenticate once via OAuth, and the third party receives a long-lived access token that lets it pull your account data on a schedule — typically every 24 hours, sometimes more frequently.
2. Screen scraping via aggregators: Services like Plaid, Salt Edge, Finicity, or Yapily act as intermediaries. You hand them your broker credentials (or an OAuth token), and they scrape or pull data on your behalf, storing that connection in their own infrastructure. The portfolio tracker then calls the aggregator's API, not your broker directly.
3. Direct API keys: Some brokers (Interactive Brokers, Degiro, Alpaca) expose developer APIs. A portfolio tracker may ask you to generate an API key in your broker account and paste it into the tracker. The tracker then calls your broker directly using that key.
In all three cases, the result is the same: a third party holds a persistent credential — a token or key — that it can use to pull your financial data at any time, for as long as the connection remains active.
What Data Can a Portfolio Tracker Actually Access Through a Bank API?
This is where most investors are surprised. They assume the tracker sees only what it displays — positions and balances. The reality depends on the scope of the OAuth token or API key granted, and many apps request broader permissions than strictly necessary.
Common data fields accessible through broker APIs include:
— All current positions (name, ISIN, quantity, current value)
— Full transaction history (every buy, sell, dividend, fee since account opening)
— Cash balances across all sub-accounts
— Pending orders
— Personal identification data (name, address, date of birth, tax ID in some cases)
— Linked bank account details (IBAN for withdrawals)
— KYC documents in some integrations
Transaction history is the most sensitive element. A complete transaction log reveals not just what you own today, but every financial decision you've made over years: when you panicked and sold, when you bought a dip, how much you invested after receiving a salary, bonus, or inheritance. This is behavioural financial data — worth far more to advertisers, data brokers, and underwriters than a simple balance snapshot.
Read-only tokens sound safe. But "read-only" only limits what the app can do inside your broker account: it cannot place orders or move money. It does not mean the app cannot store, process, sell, or share the data it reads, indefinitely.
What Are the Real Privacy Risks of Granting API Access to a Portfolio App?
The risks fall into four distinct categories, each with a different threat model:
1. Data brokerage and third-party sharing
Many free portfolio tracking apps monetise through data. Your transaction history, position data, and behavioural patterns are sold to or shared with advertising networks, financial data aggregators, or insurers. Even apps with privacy-friendly marketing may share anonymised or pseudonymised data — which, for financial data, is often trivially re-identifiable because the combination of assets, amounts, and timing is unique to each investor.
2. Breach exposure at the aggregator layer
If you connected your broker through an aggregator (Plaid, Salt Edge, etc.), your credential or token is stored in that aggregator's infrastructure. A breach at the aggregator exposes every connection across every app that uses it — not just yours. Aggregator breaches have occurred: Plaid settled a $58 million class-action in 2022 over unauthorised credential storage and data sharing.
3. Token persistence and forgotten connections
OAuth tokens granted to portfolio apps typically remain valid until explicitly revoked. Investors who stop using an app rarely think to revoke the token. That means a defunct app — or one that has been acquired, rebranded, or changed its privacy policy — may still hold a valid credential to pull your data months or years after you stopped using the service.
4. Scope creep and permission re-requests
Some apps periodically ask users to re-authenticate or upgrade permissions. A tracker that started with read-only position data may later request transaction history, linked accounts, or other expanded scopes. Each upgrade is presented as a convenience improvement — rarely as a privacy trade-off.
How Do You Check and Revoke Active API Connections to Your Broker?
Most investors have no idea how many active API connections they have. Here is how to audit and clean up:
For PSD2/Open Banking connections:
— Log into your broker or bank's account settings
— Look for "Connected apps", "Third-party access", "Open Banking permissions", or "API access"
— Revoke any connection you do not actively use
— Set a calendar reminder to review connections every 6 months
For direct API keys (Interactive Brokers, Degiro, etc.):
— Access the API management section of your broker account
— List all active keys and their creation dates
— Delete keys for apps you no longer use
— Rotate keys for apps you still use at least once per year
For aggregator-based connections (Plaid, Salt Edge, etc.):
— These are harder to audit because the connection may not be visible in your broker settings
— Check the privacy settings of each portfolio app you use
— Use the aggregator's own portal (e.g., my.plaid.com) to view and disconnect stored connections
— Submit a GDPR data deletion request to apps you no longer use
The uncomfortable truth: most investors have between 3 and 8 active third-party connections to their financial accounts, most of which they have forgotten about. A full audit typically uncovers connections from apps tried years ago that were never revoked.
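The audit steps above can be run as a repeatable check. The following Python is an added example, not code from DonkyCapital or any broker: it applies the 6-month review and yearly key rotation rules to a hand-written inventory of connections and flags scopes beyond what a tracker needs. The app names, scope names, dates and the assumed minimum scope set are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

REVIEW_WINDOW_DAYS = 183  # review connections every 6 months
MAX_KEY_AGE_DAYS = 365    # rotate direct API keys at least once per year
NEEDED_SCOPES = frozenset({"positions", "balances"})  # assumed minimum for a tracker

@dataclass(frozen=True)
class Connection:
    app: str
    kind: str         # "open_banking", "api_key" or "aggregator"
    created: date     # when the token or key was issued
    last_used: date   # last time you actually opened the app
    scopes: frozenset

def audit(conn, today):
    """Return (action, reasons); action is revoke, rotate, review or keep."""
    idle = (today - conn.last_used).days
    age = (today - conn.created).days
    extra = sorted(conn.scopes - NEEDED_SCOPES)
    reasons = []
    if extra:
        reasons.append("scopes beyond positions/balances: " + ", ".join(extra))
    if idle > REVIEW_WINDOW_DAYS:      # forgotten connection: token still valid
        return "revoke", [f"unused for {idle} days"] + reasons
    if conn.kind == "api_key" and age > MAX_KEY_AGE_DAYS:
        return "rotate", [f"key is {age} days old"] + reasons
    return ("review" if extra else "keep"), reasons

# Constructed inventory, as you might note it down from your broker's
# "Connected apps" page and the aggregator portal. All values are invented.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Connection("OldTrackerApp", "aggregator", date(2021, 3, 10), date(2021, 9, 2),
               frozenset({"positions", "transactions", "identity"})),
    Connection("SpreadsheetSync", "api_key", date(2022, 11, 5), date(2024, 5, 28),
               frozenset({"positions", "balances"})),
    Connection("BudgetApp", "open_banking", date(2024, 2, 1), date(2024, 5, 30),
               frozenset({"balances", "transactions"})),
    Connection("TaxHelper", "open_banking", date(2024, 4, 1), date(2024, 5, 20),
               frozenset({"positions"})),
]

def audit_all(inventory, today=TODAY):
    return {c.app: audit(c, today) for c in inventory}

if __name__ == "__main__":
    for app, (action, reasons) in audit_all(INVENTORY).items():
        print(f"{app:16} {action:7} {'; '.join(reasons)}")
```

A "review" result marks a connection that is in use but holds scopes such as transaction history that are worth questioning before the next re-authentication prompt.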
Why Does DonkyCapital Use No API Connections — and Why It Matters
DonkyCapital was designed from day one without any broker API connectivity. This is not a limitation — it is a deliberate architectural choice that gives users genuine privacy by design rather than privacy by policy.
The difference matters. "Privacy by policy" means a company promises not to misuse your data — but to fulfil that promise they must first collect it. "Privacy by design" means the data never reaches the company's servers in the first place, because the architecture does not require it.
How DonkyCapital works:
— You import your portfolio via CSV file (most brokers export one in seconds) or manual entry
— The data lives in your account on DonkyCapital's servers, but we never connect to your broker
— We never hold API keys, OAuth tokens, or credentials to your brokerage accounts
— We cannot pull new data from your broker without your explicit action
— A breach of DonkyCapital's infrastructure cannot expose your broker credentials, because we never have them
What this means in practice:
— Your broker account is never exposed to a third-party credential store
— There is no persistent token that outlasts your use of the service
— If you stop using DonkyCapital, there is nothing to revoke at your broker
— Your transaction history does not flow through an aggregator network
The trade-off is real: you need to manually re-import when you make new trades. For most long-term investors who trade infrequently, this is a 2-minute operation every few weeks — a small price for a fundamentally more private architecture.
Frequently Asked Questions About Bank APIs and Portfolio Tracker Privacy
Is Open Banking safe for portfolio tracking?
Open Banking under PSD2 is a regulated framework with strong technical standards — the risk is not in the regulation itself, but in what authorised third parties do with the data once they receive it. An app can be PSD2-compliant and still sell your transaction data to advertisers or store your credentials insecurely. Regulatory compliance describes the connection, not the destination of your data.
What is the difference between read-only API access and full access?
Read-only API access lets the app pull your account data (positions, transactions, balances) but cannot place orders or move money. Full access can include trading and withdrawal permissions. For portfolio trackers, read-only is the norm — but read-only still means your entire financial history is pulled and stored on a third-party server, indefinitely, until you revoke access.
Can a portfolio app sell my financial data?
Yes, unless explicitly prohibited by their privacy policy and terms of service. Many free apps monetise through anonymised or aggregated data sharing with financial data companies, insurers, or advertising networks. Even aggregated data derived from your transactions can be used to build profiles that affect credit scoring, insurance premiums, or targeted advertising. Always read the data sharing section of the privacy policy before connecting your broker.
What happens to my data if a portfolio app shuts down or gets acquired?
When a company is acquired, its data assets — including user financial data — typically transfer to the acquirer. If the app shuts down, data is usually deleted per the privacy policy, but enforcement depends on the company following through. Any active OAuth tokens remain valid at your broker until you revoke them manually — the app shutting down does not automatically revoke your connection.
How do I know if a portfolio tracker uses my data for advertising?
Read the "Data Sharing", "Third Parties", and "How We Use Your Data" sections of the privacy policy — not the marketing summary. Look for language like "partners", "advertisers", "analytics providers", or "affiliated companies". If the app is free, ask yourself how it makes money: the answer is often your data.
Is CSV import actually more private than API connection?
Yes. A CSV import means you send a snapshot of your data at a specific point in time — the tracker does not hold ongoing credentials to your broker. If you stop using the service, there is nothing to revoke and no live connection to your account. The tracker cannot pull updated data without your explicit action. This architectural difference is the foundation of privacy by design.
What is the GDPR right to erasure and does it apply to portfolio apps?
Under GDPR Article 17, EU residents have the right to request deletion of their personal data from any company processing it, subject to some legal exceptions. This applies to portfolio tracking apps operating in or targeting the EU. A valid erasure request should result in deletion of your financial data and revocation of any stored credentials. The company must respond within 30 days.
Track Your Portfolio Without Connecting Your Broker
DonkyCapital gives you professional-grade portfolio analytics through CSV import — no API keys, no OAuth tokens, no broker credentials on our servers. Your data stays yours.