Security Policy
Last Updated: May 8, 2026
Our Commitment to Security
At Trackli, we understand that you're entrusting us with your sensitive financial information, including bank statements, expense data, spending plans, planned spending categories, savings goals, bank balance projections, recurring transaction configurations, categorization rules, merchant mappings, import history, maaser records, and for Premium tier users, direct connections to your financial institutions via Plaid. We take this responsibility seriously and have implemented comprehensive security measures to protect your data across both our Standard and Premium subscription tiers.
This Security Policy outlines the technical and organizational measures we use to keep your information safe.
1. Data Encryption
In Transit
All data transmitted between your device and our servers is encrypted using industry-standard TLS 1.3 (Transport Layer Security) protocol. This ensures that your financial data cannot be intercepted or read by unauthorized parties during transmission.
At Rest
Your data is stored in Supabase's secure PostgreSQL database with encryption at rest. Sensitive credentials retrieved from the Plaid API — including Plaid access tokens — are encrypted at the application level using AES-256-GCM before being written to the database, ensuring they remain protected even in the event of direct database access.
Password Protection
User passwords are never stored in plain text. We use bcrypt hashing with salt to securely store password hashes, making it computationally infeasible for attackers to recover your password even if they gain access to our database.
2. Access Controls
Row Level Security (RLS)
We implement Supabase Row Level Security policies to ensure that users can only access their own financial data. No user can view, modify, or delete another user's expenses, spending plans, planned spending categories, savings goals, projections, recurring transactions, categorization rules, merchant mappings, import history, bank balances, or maaser records.
Authentication
User authentication is handled by Supabase Auth, which provides secure session management, email verification, and protection against common attacks like session hijacking and CSRF (Cross-Site Request Forgery).
Principle of Least Privilege
Our application code operates with minimal database permissions necessary to function. Service accounts have restricted access scopes and can only perform operations required for their specific tasks.
3. Infrastructure Security
Trusted Third-Party Providers
- Vercel: Hosts our application infrastructure with enterprise-grade security, DDoS protection, and automatic HTTPS certificates.
- Supabase: Provides our PostgreSQL database with built-in security features, regular backups, and SOC 2 Type II compliance.
- Stripe: Handles all payment processing and is PCI-DSS Level 1 certified, the highest level of payment security certification. We never store your credit card information.
- Plaid (Premium Tier Only): Provides secure bank account connections for automatic transaction synchronization. Plaid uses bank-level 256-bit encryption and is trusted by thousands of financial applications. We store encrypted Plaid access tokens to maintain your bank connections, but we never see or store your actual banking credentials. You can revoke Plaid access at any time from your account settings.
Regular Security Updates
We keep all dependencies and packages up to date with the latest security patches. Our infrastructure providers automatically apply critical security updates to their systems.
4. Data Protection Practices
Financial Data Handling
Your imported bank statements, expense data, spending plans, planned spending categories, savings goals, projection data, categorization rules, merchant mappings, and import history are treated with the highest level of security:
Standard Tier:
- CSV/PDF files are processed in memory and immediately deleted after import
- We never store the original bank statement files
- Expense data is validated and sanitized to prevent injection attacks
- Merchant mapping uses fuzzy matching without exposing raw transaction descriptions
- Spending plan, planned spending category, and savings goal data is encrypted at rest alongside your other financial data
- Categorization rules and merchant mappings are stored securely and applied server-side; they are never exposed to third parties
- Import history records are stored securely with only metadata retained (original files are discarded immediately after processing)
- Projection calculations are performed server-side with your data never exposed to third parties
- Recurring transaction patterns are stored securely and used only for generating your personalized projections
Premium Tier (Plaid Integration):
- Bank connections are established through Plaid's secure OAuth flow; we never see your banking credentials
- Plaid access tokens are encrypted at rest in our database using AES-256 encryption
- Transaction data is synced using bank-level security protocols (TLS 1.3)
- You can disconnect bank accounts at any time from Settings. Disconnecting immediately revokes Plaid access tokens at the Plaid API level, removes them from our database, and terminates our access to your financial institution data
- Plaid uses tokenization so your actual account numbers are never transmitted to our servers
Backup and Disaster Recovery
Supabase maintains automated daily backups of your data with point-in-time recovery capabilities. Backups are encrypted and stored in geographically distributed locations to ensure data availability even in the event of a regional outage.
5. Security Monitoring
We actively monitor our systems for suspicious activity and potential security threats:
- Automated alerts for unusual database access patterns
- Failed login attempt monitoring to detect brute force attacks
- Regular security audits of our codebase and infrastructure
- Webhook signature verification for all Stripe payment events
6. Responsible Disclosure Program
We welcome reports from security researchers who discover vulnerabilities in our system. If you believe you've found a security issue, please report it responsibly:
Email: getontrackli@gmail.com
Please provide detailed information about the vulnerability, including steps to reproduce, potential impact, and any proof-of-concept code. We ask that you do not publicly disclose the issue until we've had a chance to address it.
What to Include:
- Description of the vulnerability
- Steps to reproduce
- Potential security impact
- Any suggested fixes (optional)
We will acknowledge receipt of your report within 48 hours and provide regular updates on our progress. We aim to resolve critical vulnerabilities within 7 days and lower-severity issues within 30 days.
7. Incident Response
In the unlikely event of a data breach or security incident:
- We will immediately investigate and contain the incident
- Affected users will be notified within 72 hours
- We will provide clear information about what data was affected and what actions you should take
- We will implement additional security measures to prevent similar incidents
- If required by law, we will notify relevant authorities and regulatory bodies
Our incident response plan is regularly tested and updated to ensure we can respond quickly and effectively.
8. User Security Best Practices
While we implement strong security measures, your account security also depends on your practices:
- Use a Strong Password: Choose a password that is at least 12 characters long with a mix of uppercase, lowercase, numbers, and special characters.
- Don't Reuse Passwords: Use a unique password for Trackli that you don't use on other websites.
- Keep Your Email Secure: Your email is the recovery method for your account. Enable two-factor authentication on your email if available.
- Log Out on Shared Devices: Always sign out when using Trackli on public or shared computers.
- Be Cautious with Bank Statements: Only upload bank statements from secure, trusted sources. Never share your Trackli login credentials.
- Review Account Activity: Regularly check your expenses and transactions for any unauthorized activity.
- Premium Tier - Bank Connections: Only connect bank accounts you own and trust. Regularly review connected accounts in your settings and disconnect any you no longer use. Your banking credentials are never stored by Trackli; they go directly to Plaid and your bank.
9. Compliance and Certifications
Trackli and our infrastructure providers maintain compliance with industry standards:
- SOC 2 Type II: Our database provider (Supabase) is SOC 2 Type II compliant, demonstrating strong security controls.
- PCI-DSS Level 1: All payment processing through Stripe meets the highest level of payment card industry security standards.
- GDPR Ready: We implement data protection by design and by default, supporting user rights under GDPR.
- CCPA Compliant: California users have enhanced privacy rights as outlined in our Privacy Policy.
10. Security Limitations
While we implement industry-standard security measures, no system is 100% secure. Users should be aware:
- We cannot protect against threats we are unaware of (zero-day vulnerabilities)
- User device security is outside our control (malware, keyloggers)
- Phishing attacks targeting users directly cannot be prevented by our systems
- Social engineering attacks that trick users into revealing their credentials cannot be prevented by our systems
11. Questions and Contact
If you have questions about our security practices or concerns about your account security:
Security Team: getontrackli@gmail.com
General Support: getontrackli@gmail.com
We aim to respond to all security inquiries within 48 hours.
12. Changes to This Policy
We may update this Security Policy periodically to reflect changes in our security practices or in response to new threats. We will notify users of material changes via email and update the "Last Updated" date at the top of this page. Continued use of Trackli after changes constitutes acceptance of the updated policy.