Security

Last updated: 2026-03-26

We take the security of your personal and financial data seriously. This page explains the technical and organisational measures we use to protect your information. For details on what data we collect and how we use it, please see our Privacy Policy.

1. Infrastructure & Hosting

My Finance Tools runs on trusted, enterprise-grade infrastructure:

  • Application hostingVercel, a SOC 2 Type II certified platform with a global edge network and automatic DDoS protection.
  • DatabaseSupabase (PostgreSQL), a SOC 2 Type II certified provider. Your data is stored in a managed, dedicated database instance.
  • Payment processingStripe, a PCI-DSS Level 1 certified payment processor — the highest level of payment security certification. We never store credit card numbers or full payment details on our servers.

2. Encryption

  • In transit — All communication between your browser and our servers is encrypted using TLS/HTTPS. No data is ever sent in plain text.
  • At rest — The database is encrypted at rest by the hosting provider (Supabase) using AES-256 encryption.
  • Passwords — We never store passwords in plain text. Authentication is handled by Supabase Auth, which uses industry-standard bcrypt hashing.

3. Data Isolation & Access Control

Your data is strictly isolated from other users through multiple layers of protection:

  • Row-Level Security (RLS) — Every database table is protected by PostgreSQL Row-Level Security policies. These are enforced at the database level, meaning every query is scoped to your authenticated user ID. Even in the event of an application-level vulnerability, the database itself prevents access to another user's data.
  • Authentication required — All personal and financial data endpoints require a valid, authenticated session. Unauthenticated users cannot access any stored data.
  • Minimal privilege — The application uses a restricted API key (anon key) for browser-side operations. Administrative keys are used only on the server side and are never exposed to the browser.

4. Authentication

We support secure sign-in methods:

  • Email & password — with a minimum password length requirement. Passwords are hashed using bcrypt before storage.
  • Google OAuth — delegates authentication to Google's secure infrastructure. We only receive your name and email address — never your Google password.
  • Session management — sessions are token-based with automatic refresh. Session validity is re-checked when you return to the application.

5. Calculator Security

If you use our calculators without being logged in, no data is sent to our servers. All calculations happen entirely in your browser. Nothing is stored, tracked, or transmitted.

6. Third-Party Data Sharing

We do not sell, rent, or share your personal or financial data with any third party for marketing or advertising purposes. The third-party services we use are limited to what is strictly necessary:

  • Supabase — database and authentication only
  • Vercel — application hosting and cookieless, anonymised analytics
  • Stripe — payment processing only
  • Google Analytics — anonymised usage statistics only (can be blocked with any ad blocker)

None of these services receive your financial portfolio data. Stock and ETF price lookups are made without any user-identifying information.

7. Data Breach Response

In the unlikely event of a data breach affecting your personal information, we commit to:

  • Notifying affected users within 72 hours of becoming aware of the breach, in accordance with GDPR and applicable data protection regulations.
  • Providing clear information about what data was affected and what steps we are taking.
  • Taking immediate action to contain the breach and prevent further unauthorised access.

8. Account Deletion

You have the right to delete your account at any time. When you do, all your data is permanently and irrevocably deleted — including your profile, all financial accounts, portfolio snapshots, goals, and achievements. This is enforced by cascading database deletes. There is no retention period and no way to recover deleted data.

9. Your Rights

Under GDPR and Swiss data protection law, you have the right to:

  • Access your data through your account dashboard
  • Export your data by contacting us
  • Correct your data through your profile settings
  • Delete your account and all associated data at any time

10. Governing Law

My Finance Tools is operated from Switzerland. Your data is handled in accordance with Swiss data protection law (nDSG) and the EU General Data Protection Regulation (GDPR). For full legal terms, see our Disclaimer & Terms of Service.

Questions?

If you have questions or concerns about our security practices, please contact us. We are happy to provide additional information.