Security & Data Protection

Last Updated: November 10, 2025

Our Security Commitment

At FinanceHero, we take the security of your data seriously. We implement industry-standard security measures to protect your personal information and ensure the integrity of our services. This page outlines our security practices and your role in keeping your information safe.

Key Security Features

  • SSL/TLS Encryption: All data transmitted between your browser and our servers is encrypted
  • Secure Infrastructure: Hosted on enterprise-grade cloud infrastructure (Supabase)
  • Regular Security Audits: Continuous monitoring and vulnerability assessments
  • Data Minimization: We only collect data necessary for service functionality
  • Automatic Backups: Regular backups to prevent data loss

Security Measures by Category

Encryption & Transport Security

  • HTTPS Everywhere: All pages served over secure HTTPS connections
  • TLS 1.3: Using the latest transport layer security protocol
  • HSTS Headers: Enforcing secure connections at the browser level
  • Certificate Validation: Valid SSL certificates from trusted authorities
  • Data at Rest: Database encryption for stored information

Database Security

  • Row Level Security (RLS): Fine-grained access control at the database level
  • Prepared Statements: Protection against SQL injection attacks
  • Access Controls: Strict authentication and authorization policies
  • Database Encryption: All data encrypted at rest using AES-256
  • Regular Backups: Automated daily backups with point-in-time recovery

Infrastructure Security

  • Cloud Infrastructure: Hosted on Supabase (built on AWS infrastructure)
  • DDoS Protection: Built-in protection against distributed denial of service attacks
  • Firewall Protection: Network-level security filtering malicious traffic
  • Intrusion Detection: Monitoring for suspicious activity and attacks
  • Security Patches: Regular updates and patches applied promptly

Application Security

  • Input Validation: All user inputs are validated and sanitized
  • XSS Protection: Cross-site scripting prevention mechanisms
  • CSRF Protection: Cross-site request forgery tokens and validation
  • Content Security Policy: Restricting resources the browser can load
  • Rate Limiting: Protection against abuse and brute force attacks

Data Protection Practices

What We Collect

  • Calculator Inputs: Processed locally in your browser, not stored on servers
  • Contact Forms: Name, email, subject, and message (stored securely)
  • Analytics Data: Anonymous usage statistics via Google Analytics
  • Cookies: Session management and preferences (see our Cookie Policy)

How We Protect It

  • All data transmission encrypted with TLS
  • Database access restricted to authorized personnel only
  • Regular security audits and vulnerability scanning
  • Employee training on data protection and security
  • Incident response plan for security breaches

Data Retention

We retain your data only as long as necessary for the purposes outlined in our Privacy Policy:

  • Contact form submissions: 2 years
  • Analytics data: 26 months (Google Analytics standard)
  • Cookie data: Varies by type (see Cookie Policy)

Third-Party Security

We carefully select third-party services that maintain high security standards:

Supabase (Database & Backend)

Enterprise-grade PostgreSQL database with built-in security features, hosted on AWS.

View Supabase Security β†’

Google Analytics

Anonymized analytics data processed according to Google's privacy standards.

View Google Analytics Security β†’

Your Role in Security

While we implement robust security measures, you also play an important role:

Best Practices for Users

  • Use secure, up-to-date browsers
  • Keep your operating system and software updated
  • Be cautious of phishing attempts pretending to be FinanceHero
  • Do not share sensitive financial information beyond what's necessary
  • Use antivirus and anti-malware software
  • Review your privacy settings regularly

Security Incident Response

In the unlikely event of a security breach affecting your data, we will:

  1. Immediately investigate and contain the incident
  2. Notify affected users within 72 hours
  3. Provide detailed information about the breach and affected data
  4. Offer guidance on protective measures you can take
  5. Report to relevant authorities as required by law
  6. Implement additional safeguards to prevent future incidents

Compliance & Certifications

We strive to comply with applicable data protection regulations, including:

  • GDPR: General Data Protection Regulation (EU)
  • CCPA: California Consumer Privacy Act
  • COPPA: Children's Online Privacy Protection Act
  • Industry Best Practices: Following OWASP guidelines and security standards

Security Monitoring

We continuously monitor our systems for security threats:

  • 24/7 automated monitoring and alerting
  • Regular penetration testing and vulnerability scans
  • Log analysis for suspicious activity
  • Security updates applied within 24-48 hours of release
  • Annual third-party security audits (planned)

Vulnerability Disclosure

If you discover a security vulnerability, we encourage responsible disclosure:

  1. Email security details to support@yourfinancehero.com
  2. Include detailed steps to reproduce the vulnerability
  3. Allow us reasonable time to address the issue before public disclosure
  4. We will acknowledge your report within 48 hours
  5. We will keep you informed of our remediation progress

We appreciate responsible disclosure and may recognize contributors in our security acknowledgments.

Security Questions?

If you have questions about our security practices or concerns about your data:

Related Policies

Privacy Policy

How we collect and use your data

Cookie Policy

Information about cookies we use

Terms of Service

Rules for using our website

Legal Notice

Legal information and disclaimers