How Portfellow protects your data
At Portfellow, we prioritize your privacy, implementing robust data protection measures to ensure your information remains secure and confidential.
Only you control access
Your portfolio data belongs to you. You can share view access to your portfolio with others, but you retain full control over who can access each portfolio.
Our customer support team will only access your portfolio when explicitly required to resolve a support issue that you have raised through one of our official support channels.
We maintain detailed logs of all access to your account. In accordance with our privacy policy, we do not share—and have no need to share—your personal or financial information without your written permission.
We do not use your personal or sensitive data to train prediction models shared across users. Your data is only used for personalized predictions specific to your account, processed securely in an isolated environment within our controlled systems.
When you connect your broker or bank account to sync transaction data, we have read-only access. You retain full control over which accounts are visible to us, and we cannot make any transactions on your behalf.
Service security
Our service is built according to industry best practices, with infrastructure that is consistently maintained and updated by our service provider. We ensure that all system components are regularly updated for optimal security and performance.
Traffic to our public-facing web servers is secured by Cloudflare’s automated attack detection and mitigation systems. Direct access to our databases is restricted to a private network and is limited to a single authorized individual.
The Portfellow portfolio management service is physically and virtually isolated from our other services. This ensures that any potential vulnerabilities or attacks in one service do not impact the security or integrity of others.
Secure authentication
You can access your account securely using either password authentication or Google login via the Google Identity platform. Passwords stored in our database are hashed using bcrypt, a widely trusted cryptographic hashing algorithm designed for security. Bcrypt automatically salts passwords and applies multiple hashing rounds (at least 2^X where X >= 10 iterations), making it computationally expensive to crack. This ensures strong protection against brute-force attacks and unauthorized access.
For higher security you can enable two-factor authentication.
Secure data storage & delivery
All data sent between you and our servers is encrypted using modern, industry standard Transport Layer Security (TLS). Additionally all data on our database servers is encrypted at rest. Data is NOT end-to-end encrypted, because it will not allow us to deliver several fundamental features of the service.
Our servers are located in data centers that employ numerous physical security measures. Our service provider is following ISO/IEC 27001:2014 and ISO/IEC 27005:2014 standards.
When you delete a single transaction, investment, account or portfolio, we mark the data deleted in the database. After 30 days we will delete the marked data from the database.
When you delete your Portfellow user account, we delete all your data from our database immediately and notify our aggregators to stop connecting your account and delete everything from their end. We keep rotating backups for 30 days. Your data will be removed from the backup in the next backup purge cycle.