How Portfellow protects your data

You control access

Your portfolio data belongs to you. You can share access to your portfolio with other people, but you retain sole control over who each portfolio is shared. 

Our customer support staff will only access your portfolio as expressly required to resolve a support matter that has been directly raised by you through one of our official support channels. 

We retain detailed logs of all access to your account. Subject to our privacy policy, we don’t share your personal or financial information without your permission.

Service security

Our service is designed by following industry best practices. Public facing web server traffic is protected by Cloudflare and their automated attack detections. Direct access to our databases is only available from a private network.

Secure authentication

We allow you to access your account using secure password authentication, or login with a Google account via the Google Identity platform. Passwords in the database are hashed using bcrypt – this means that passwords are salted and hashed several rounds.

For higher security you can enable two-factor authentication.

Secure data storage & delivery

All data sent between you and our servers is encrypted using modern, industry standard Transport Layer Security (TLS). Additionally all data on our database servers is encrypted at rest. Data is NOT end-to-end encrypted, because it will not allow us to deliver several fundamental features of the service.

Our servers are located in data centers that employ numerous physical security measures. Our service provider is following ISO/IEC 27001:2014 and ISO/IEC 27005:2014 standards.

When you delete a single transaction, investment, account or portfolio, we mark the data deleted in the database. After 30 days we will delete marked data from the database.

When you delete your account, we delete all your data from our database immediately and notify our aggregators to stop connecting your account and delete everything from their end. We keep rotating backups for 30 days. Your data will be removed from the backup in the next backup purge cycle.