Security & Data Protection

Encryption & Data Protection

BalanceOne uses industry-standard encryption to protect your financial data:

• In transit: TLS 1.3 encryption for all communications between your device and our servers
• At rest: AES-256 encryption for all data stored in our database
• Passwords: bcrypt hashing with salt (never stored in plaintext)
• Sessions: Secure JWT tokens with automatic expiration

Who Can Access Your Data?

Your data is private by default. We implement strict access controls at every level.

You Control Access

• Portfolio data (transactions, accounts, balances) is only visible to people you explicitly invite as portfolio members
• Your profile is private unless you choose to share it
• Portfolio invitations require your explicit approval—we never add members without your permission

BalanceOne Team Access

Currently, BalanceOne is operated by Christian (founder). Administrative database access is:

• Support requests only: Access occurs only when you contact us at support@balanceone.app requesting help with your account
• Production debugging: In rare cases, access may be needed to investigate critical system errors. Access is logged with reason and timestamp.
• No routine access: To date, no production user data has been accessed by BalanceOne staff. All development and testing uses isolated test accounts.
• Future access logging: When access occurs, it will be logged in our audit system (coming soon: view your access log in Settings)

We will NEVER:

• Browse your financial data out of curiosity
• Share your data with third parties for marketing purposes
• Sell your data to advertisers or data brokers
• Access your data without a legitimate operational reason (support or critical debugging)
• Use your data to train AI models or for any purpose beyond providing you service

Automated Systems

These systems process your data automatically as part of normal operations:

• Supabase Auth: Manages login sessions, password resets, and email verification
• Database system: Automated backups (encrypted, Sydney region only)
• Resend: Sends transactional emails (welcome emails, password resets). Hosted in Tokyo, Japan.
• Vercel Analytics: Collects anonymized usage data (page views, user flows) to improve the app. No personal information, transaction data, or cookies. GDPR-compliant.
• Vercel Speed Insights: Monitors performance (page load times) to ensure fast experience. No personal information or cookies. GDPR-compliant.

Privacy-First Analytics

BalanceOne uses Vercel Analytics and Speed Insights to understand how the app is used and improve performance. These tools are privacy-first:

• No personal information collected: We see aggregated page views, not individual users
• No transaction data: Financial data never leaves our secure database
• Cookieless: No tracking cookies or persistent identifiers
• GDPR-compliant: Designed for privacy regulations
• Anonymized: Cannot identify individual users

What we see: "50 people viewed the Portfolio page today, average load time 1.2 seconds"

What we don't see: "User john@example.com viewed their $50,000 portfolio"

We may evaluate alternative analytics platforms (PostHog, Plausible) in the future. If we change analytics providers, we will update this page.

No advertising or tracking: BalanceOne does not use advertising platforms, tracking pixels, or third-party marketing analytics. The analytics we collect are solely to improve your experience.

AI-Powered Features (Future)

We're planning to offer AI-powered insights to help you understand your finances (e.g., spending patterns, smart categorization).

Privacy-first approach:

• Opt-in only: AI features are disabled by default
• Zero-retention: Your data is processed temporarily and immediately deleted
• Not for training: Your data will never be used to train AI models
• Your control: You can disable AI features anytime from Settings

How it works:

When you enable AI features, we'll send your transaction data to trusted AI providers (OpenAI, Anthropic) for analysis. They process your data and return insights only to you. Your data is not stored, logged, or used for any other purpose.

Not yet available

Learn more in our Privacy Policy

Infrastructure Security

Hosting & Data Residency

• Database: Supabase PostgreSQL hosted in Sydney, Australia
• Application: Vercel edge network with Sydney, Australia region
• Email delivery: Resend (transactional emails only)
• Data residency: All your financial data stays in Australian data centers

Technical Safeguards

• Row Level Security (RLS): Database automatically enforces access rules—even BalanceOne staff cannot bypass these without explicit audit logging
• Multi-layer enforcement: Access restrictions enforced at database, API, and UI levels
• DDoS protection: Vercel provides automatic protection against denial-of-service attacks
• Secure authentication: Industry-standard OAuth 2.0 / JWT token authentication
• Session management: Automatic logout after inactivity, secure cookie handling

Your Privacy Controls

You have full control over your data and who sees it:

• Manage portfolio members in Portfolio Settings (invite or remove members anytime)
• Download your data anytime from Settings → Data & Privacy (coming soon)
• Delete your account and all associated data from Settings → Data & Privacy (coming soon)
• Review access history to see when BalanceOne staff accessed your data (coming soon)

Incident Response

In the unlikely event of a security incident:

1. We will investigate immediately and contain the issue
2. Affected users will be notified within 72 hours via email
3. We will provide clear information about what data was affected
4. We will implement additional safeguards to prevent recurrence

Report security issues: If you discover a security vulnerability, please email support@balanceone.app with subject line "Security Issue". We take all reports seriously.

Questions?

For security or privacy questions, contact us at: support@balanceone.app

View full privacy policy