Privacy by design
What we collect, what stays private, what's public only if you opt in. No third-party trackers, no data sales, no Plaid.
The product is built so that your financial data is never publicly reachable — and we go further than that: it isn't even reachable to *us* in plaintext. The encryption layer that enforces that is documented in zero-knowledge encryption. This page covers the policy side: what we collect, what we expose, and what controls you have.
What's private
- Every asset value
- Every liability principal + APR + payment
- Every snapshot (net-worth history)
- Your email + country + default currency
- Your discipline score number
Only you see this. The admin can't read other users' financial data through the app — it's enforced at the database level via row-level security policies, not just at the application layer. Sensitive columns are also encrypted at rest (see linked doc).
What's public (only if you turn it on)
If you toggle is_public on /dashboard/profile:
- Your slug (the handle in /u/<slug>)
- Your display name
- Your discipline level (just the number)
- Your bio (if you wrote one)
- Your avatar (if you uploaded one)
- Your OG / L11 / L12 badges (if claimed)
- Your member-since date
Nothing else. Ever. The public /u/<slug> page is served from a database view that physically cannot return financial columns.
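One way the two database-level guarantees above (owner-only rows, and a public view that cannot return financial columns) can be expressed in Supabase Postgres. This is an added example, not the product's actual schema: the table, column, policy and view names are assumptions, apart from is_public and slug, which the page names.

```sql
-- Assumed schema. Only is_public and slug are names taken from the page.
create table profiles (
  user_id          uuid primary key,
  slug             text unique not null,
  display_name     text,
  discipline_level int,
  bio              text,
  avatar_url       text,
  badges           text[] not null default '{}',
  member_since     date not null default current_date,
  is_public        boolean not null default false,
  -- private columns, never selected by the public view below
  email            text,
  country          text,
  default_currency text,
  discipline_score numeric
);

create table assets (
  id               bigint generated always as identity primary key,
  user_id          uuid not null references profiles (user_id) on delete cascade,
  value_ciphertext bytea not null  -- stored as ciphertext, not a plain number
);

-- With RLS enabled, a role sees no rows unless a policy matches.
alter table profiles enable row level security;
alter table assets   enable row level security;

-- auth.uid() is Supabase's helper for the signed-in user's id.
-- An admin who signs in through the app is still just "authenticated".
create policy profiles_owner on profiles for all to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy assets_owner on assets for all to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());

-- Public surface: an explicit column list, so a column added to profiles
-- later is not exposed unless someone edits the view.
create view public_profiles as
  select slug, display_name, discipline_level, bio, avatar_url,
         badges, member_since
  from profiles
  where is_public;

-- Anonymous visitors get the view and nothing underneath it.
revoke all on profiles, assets from anon;
grant select on public_profiles to anon;
```

The view runs with its owner's privileges (the PostgreSQL default), which is what lets it read opted-in rows past the owner-only policy; marking it security_invoker would break it for anonymous visitors, who hold no privileges on profiles. Because the column list is explicit, reviewing what /u/<slug> can ever return means reading one view definition.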
What we do *not* do
- No Plaid, no bank passwords. Broker imports are CSV-driven. Your bank credentials never touch our servers because we never ask for them.
- No third-party analytics SDKs. No Segment, no GA, no Mixpanel. Errors land in PostHog EU with PII stripped at the source.
- No data sales, no ad partners. The product is the workbench. There is no second business model.
Sessions + cookies
One cookie set by Supabase to keep you signed in. One lc.theme cookie so dark/light mode survives reloads. Nothing else.
Where the data physically sits
- Database: Supabase EU (Frankfurt region). Sensitive columns encrypted at rest — see zero-knowledge encryption.
- Web tier: Cloudflare Workers (global edge). No origin server holds plaintext copies.
- Email: Brevo (EU). Used only for magic-link auth and opt-in newsletter.
No US-resident processor touches your financial data.
Want it gone?
/dashboard/settings → download_json() for a full export, or the DangerZone panel to delete everything. Newsletter unsubscribe lives in every email.
Read more
- Zero-knowledge encryption — the technical side: how data is encrypted, key model, subpoena math.
- Full privacy policy — the legal version with controller info + your GDPR rights.