How Portfellow protects your data
You control access
Your portfolio data belongs to you. You can share view access to your portfolio with other people, but you retain sole control over who each portfolio is shared.
Our customer support staff will only access your portfolio as expressly required to resolve a support matter that has been directly raised by you through one of our official support channels.
We retain detailed logs of all access to your account. Subject to our privacy policy, we don’t share and we have no need to share your personal or financial information without your written permission.
We do not use your personal or sensitive data to train prediction models shared across users. Your data is only used for personalized predictions specific to your account, in a secure and isolated environment within our controlled systems.
When you connect your broker or bank account to sync transaction data, we only have read-only access. You have full control over which accounts are visible to us. We cannot make any transactions on your behalf.
Service security
Our service is built following industry best practices, with infrastructure consistently maintained and updated by our service provider. We ensure all components of our system are regularly updated for optimal security and performance.
Traffic to our public-facing web servers is secured by Cloudflare’s automated attack detection and mitigation systems. Direct access to our databases is restricted to a private network and is limited to a single authorized individual.
Secure authentication
We allow you to access your account using secure password authentication, or login with a Google account via the Google Identity platform. Passwords in the database are hashed using bcrypt – this means that passwords are salted and hashed several rounds.
For higher security you can enable two-factor authentication.
Secure data storage & delivery
All data sent between you and our servers is encrypted using modern, industry standard Transport Layer Security (TLS). Additionally all data on our database servers is encrypted at rest. Data is NOT end-to-end encrypted, because it will not allow us to deliver several fundamental features of the service.
Our servers are located in data centers that employ numerous physical security measures. Our service provider is following ISO/IEC 27001:2014 and ISO/IEC 27005:2014 standards.
When you delete a single transaction, investment, account or portfolio, we mark the data deleted in the database. After 30 days we will delete marked data from the database.
When you delete your account, we delete all your data from our database immediately and notify our aggregators to stop connecting your account and delete everything from their end. We keep rotating backups for 30 days. Your data will be removed from the backup in the next backup purge cycle.