Legal Notice

Purpose

The assumed audience of this document is legal and compliance teams at financial institutions. This notice attempts to anticipate and address their questions and concerns about Surebeans and Beanscrape.

This notice is provided for informational purposes and does not constitute legal advice or an admission of any legal obligation.

Our Position

Individuals have a right to access their own financial data. At the same time, financial institutions have legitimate interests in security and quality of service. We are a small fish in a big pond and would like to be seen as a beneficial rather than parasitic player.

What Surebeans Is

Surebeans is personal finance management software. It's a budgeting app sold by EnduraByte LLC that helps individuals and families plan and track their spending.

At a user's request, Surebeans can run a separate program called Beanscrape to fetch transaction data from their bank.

What Beanscrape Is

Beanscrape is a companion tool to Surebeans. It automates retrieval of financial transaction data from users' own accounts using their own credentials. It uses the well-known technique of web scraping, i.e. extracting the rendered content of a web page.

To facilitate scraping, Beanscrape runs automation scripts, each adapted to a specific financial institution. Each script is generated by the user for their bank website.

Some websites, such as Discover, deploy technical means to nonconsensually fingerprint the browser and block ones commonly associated with automation. In cases like this, Beanscrape's behavior is comparable to the fingerprinting resistance or ad blocking used by privacy-conscious web browsers such as Firefox and Brave.

Beanscrape does not enable access to data that users could not otherwise obtain. It merely reduces the manual effort required.

Technical Architecture

How Beanscrape operates is relevant to evaluating security and service quality concerns.

Local Only

Beanscrape runs on the user's local machine. No credentials, session tokens, or financial data are transmitted to EnduraByte LLC or any third party. We do not operate servers that receive or process banking credentials. This distinguishes Beanscrape from data aggregation services like Plaid or Yodlee, which receive and store credentials centrally.

Web Browser

Beanscrape automates a web browser. The user's bank sees a connection from a web browser running on the user's computer from the user's IP address. Access patterns are indistinguishable from manual browsing.

Standard Login

Users of Beanscrape authenticate using their existing credentials through standard login flows. Beanscrape does not bypass authentication, exploit vulnerabilities, or circumvent login security.

EnduraByte LLC is subject to the laws and statutes of the State of Tennessee and the United States, where legislation and judicial precedent have consistently favored private web scraping.

United States

Legislation

Consumer Financial Protection Bureau (CFPB) Section 1033 "Personal Financial Data Rights"

The Consumer Financial Protection Bureau's final rule establishes that consumers have a right to access their financial data. The rule "provides the general obligation of data providers to make covered data available upon the request of a consumer". Additionally, providers "must make available covered data in a standardized and machine-readable format."

Screen scraping emerged as a workaround in an era when such interfaces were unavailable or inadequate. To a large extent, they still are. Beanscrape's architecture supports API-based access methods. As institutions provide compliant APIs, it can be updated to use them instead of web scraping.

Part 1033

Judicial Precedents

Van Buren v. United States, 593 U.S. 374 (2021)

This case was about the definition of authorized access. Officer Van Buren used his valid GCIC login credentials to access license plate data with the intent to use that information for private gain.

The Supreme Court ruled in favor of Van Buren. The Court held that an individual "exceeds authorized access" only when accessing areas of a computer system to which their authorization does not extend, not when they misuse access they are otherwise authorized to have. The ruling narrows the applicability of the Computer Fraud and Abuse Act (CFAA) for prosecuting unauthorized access.

What this means for Beanscrape is that users who access their own bank accounts with valid credentials are authorized to access that data. The manner of access, whether manual or automated, does not transform authorized access into unauthorized access.

Van Buren v. United States

hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022)

This case was about web scraping. The Ninth Circuit ruled that automated data collection does not constitute unauthorized access when the party already has access to the data. This affirmed the Van Buren interpretation of the CFAA.

However, despite the victory for hiQ, a California court later ruled that hiQ breached LinkedIn's User Agreement when it created fake user accounts for the purpose of web scraping. Beanscrape is not like hiQ. It does not create or use fake accounts. It only makes use of users' own legitimate accounts. Therefore, the ruling against hiQ does not form a legal precedent against software like Beanscrape.

hiQ vs LinkedIn

The California Ruling

European Union

Legislation

General Data Protection Regulation (GDPR) Article 20

Article 20 of the GDPR is titled "Right to data portability". It grants EU citizens and residents the right to obtain and reuse their personal data across different services. This includes financial transaction history.

GDPR Article 20

We have considered the legal theories that might be asserted against this software.

Computer Fraud and Abuse Act (18 U.S.C. § 1030)

Some banks explicitly restrict automated access. Schwab is one such institution: "With the exception of...Web Browser software...you agree not to...automate the process of obtaining, downloading, transferring or transmitting...any other content"

Our EULA requires that users abide by the agreements they have made with their financial institutions. In this case, Beanscrape operates in an authorized manner through the web browser exemption. However, without the exemption, judicial precedent likely renders the terms unenforceable. Beanscrape does not facilitate "unauthorized access" or "exceeding authorized access" under the CFAA as interpreted by Van Buren. Users access their own accounts using their own credentials to retrieve data they are authorized to view.

The argument that browser automation constitutes an "unauthorized method" would apply equally to accessibility tools such as screen readers, voice control software, and switch access devices.

Breach of Contract / Terms of Service

We restate that our EULA requires users to abide by their banks' terms. Regardless of whether a bank's ToS prohibits automation, we note:

  1. Privity. EnduraByte LLC is not party to any agreement between financial institutions and their customers. ToS disputes are between the institution and its customer.
  2. Remedy. The appropriate remedy for ToS violations is action against the user, not a third party.
  3. Precedent. As of 2026, most recent cases concerning web scraping have been decided in its favor. In the case of X Corp. v. Bright Data (2024), where X (formerly Twitter) claimed scraping was against its ToS, the ToS were held unenforceable under conflict preemption with copyright law. That said, these cases tend to involve commercial entities scraping platform data at scale, accessing data belonging to other users for commercial exploitation. Beanscrape is completely different. Users access only their own account data for personal financial management.

X Corp v Bright Data

Allocation of Risk

A cursory review of many banks' online service agreement documents shows that among banks which acknowledge the use of financial data tools, most allocate risk of using those tools to users. They use language like "you are responsible" or "at your own risk" without explicitly prohibiting it.

Beanscrape takes every reasonable and responsible measure to mitigate any risk associated with using it. Risks include:

Tortious Interference

A claim for tortious interference requires (1) knowledge of a contract, (2) intentional interference, (3) improper conduct, and (4) damages.

Knowledge of Contract. We are aware that financial institutions have customer agreements, but awareness alone does not establish tortious interference. Otherwise every VPN provider, browser extension developer, and privacy tool vendor would face liability for knowing that some users might violate some website's ToS.

Intentional Interference. Beanscrape and tools like Plaid enhance the relationship with customers rather than harm it, by making it easy for them to use their data in a manner they prefer.

Improper Conduct. Under Restatement (Second) of Torts § 767, courts evaluate the nature of the conduct, the defendant's motive, and social utility. For Beanscrape, providing general-purpose software that enables users to access their own financial data serves a legitimate purpose aligned with recognized consumer data rights (CFPB Section 1033, GDPR Article 20). Moreover, our software does not target specific institutions, and it requires adherence to institutions' ToS.

Damages. Spoon and fork manufacturers aren't liable for heart attacks. We provide a tool, and users decide how to use it. This differs from conduct designed to harm business relationships. If an adversary can use Beanscrape to cause damages, they can do so with any software tool.

Trespass to Chattels

This theory requires demonstrable impairment of computer systems. Beanscrape is designed for periodic personal use, with access patterns indistinguishable from manual browsing. We do not facilitate bulk data harvesting or high-frequency automated access.

Financial Privacy Regulations (GLBA)

The Gramm-Leach-Bliley Act governs how financial institutions safeguard and share customer information. Surebeans and Beanscrape operate on the user's local machine. No customer data is received, processed, or stored by EnduraByte LLC.

Contact

We prefer collaboration over confrontation. For legal inquiries, please contact:

EnduraByte LLC
4015 Travis Drive, Ste 211 #777
Nashville, TN 37211
USA

[email protected]