Security

Last updated: 2026-05-02

Overview

WealthNow is built with security as a core principle, not an afterthought. We are committed to protecting your data through strong encryption, strict access controls, and transparent security practices. This page describes the measures we take to keep your information safe.

Encryption

  • In transit: All connections between your device and WealthNow are encrypted using TLS 1.2 or higher. This applies to all web traffic, API calls, and authentication requests.
  • Passwords: User passwords are hashed using bcrypt (via BetterAuth) with a secure work factor. We never store passwords in plain text.
  • Database: The database is stored on a server with restricted access. Only the application process can read or write data.

Authentication & Access Control

  • Email and password authentication powered by BetterAuth, a well-audited authentication library.
  • Proof-of-Work challenge (ALTCHA) on login and signup forms to prevent automated attacks, credential stuffing, and bot registrations.
  • Rate limiting on authentication endpoints to mitigate brute-force attempts.
  • Sessions are managed via cookies flagged Secure (sent only over TLS) and HttpOnly (not readable by page scripts), with the SameSite attribute set to limit cross-site requests.
  • Automatic session expiry after a period of inactivity. Sessions are invalidated on password change.
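The rate limiting described above is illustrated by the added example below. It is not WealthNow's code: the limits (20 attempts per minute per source address, 5 per minute per target account), the key layout and the injected clock are assumptions chosen for illustration. Keying on the target account as well as the source address is what makes the limiter useful against credential stuffing spread across many addresses, which a per-IP limit alone does not slow.

```typescript
// Added example (not WealthNow's code): a fixed-window rate limiter of the kind
// that sits in front of a login endpoint. Limits, key shape and clock are assumptions.

type LimitDecision = { allowed: boolean; remaining: number; retryAfterMs: number };

class FixedWindowLimiter {
  private counters = new Map<string, { windowStart: number; count: number }>();

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // `now` (ms since epoch) is passed in rather than read from Date.now() so the
  // behaviour is deterministic and testable.
  hit(key: string, now: number): LimitDecision {
    const cur = this.counters.get(key);
    // First hit, or the previous window has elapsed: start a fresh window.
    if (!cur || now - cur.windowStart >= this.windowMs) {
      this.counters.set(key, { windowStart: now, count: 1 });
      return { allowed: true, remaining: this.limit - 1, retryAfterMs: 0 };
    }
    // Window still open and quota spent: refuse and say when it reopens.
    if (cur.count >= this.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: cur.windowStart + this.windowMs - now };
    }
    cur.count++;
    return { allowed: true, remaining: this.limit - cur.count, retryAfterMs: 0 };
  }
}

// Two independent limiters: per source address (slows one attacker) and per
// target account (slows credential stuffing that rotates through many addresses).
const byIp = new FixedWindowLimiter(20, 60_000);
const byAccount = new FixedWindowLimiter(5, 60_000);

// Decide whether a login attempt may proceed to password verification at all.
function loginAllowed(ip: string, email: string, now: number): LimitDecision {
  // Normalise the account key so "Alice@Example.com" and "alice@example.com"
  // share one budget.
  const account = email.trim().toLowerCase();
  const ipDecision = byIp.hit(`ip:${ip}`, now);
  if (!ipDecision.allowed) return ipDecision;
  const accDecision = byAccount.hit(`acct:${account}`, now);
  if (!accDecision.allowed) return accDecision;
  return {
    allowed: true,
    remaining: Math.min(ipDecision.remaining, accDecision.remaining),
    retryAfterMs: 0,
  };
}
```

The `retryAfterMs` value maps directly onto a `Retry-After` response header; counting every attempt rather than only failures keeps the check cheap and independent of the password verification step.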

Data Isolation

WealthNow enforces strict data isolation between users. Every database query is scoped to the authenticated user's ID. There is no administrative interface that allows cross-account data access.

  • Each user can only access their own data.
  • Every data query includes the owner's user ID in its conditions, so ownership is enforced by the query itself rather than by a separate check after the rows are fetched.
  • Server-side authorization checks are performed on every request, including server actions and API routes.

Infrastructure

  • The application runs inside Docker containers with a non-root user.
  • Hosting: Hetzner Online GmbH, Helsinki, Finland (EU).
  • Dependencies are regularly audited and updated to address known vulnerabilities.
  • Security headers (Content-Security-Policy, Permissions-Policy, HSTS) are applied to all responses.
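The session cookie attributes listed under Authentication & Access Control and the response headers listed above are the kind of thing a practitioner checks rather than takes on trust. The added example below is a small audit function for exactly those properties, run over two constructed responses, one weak and one hardened. It is not WealthNow's code: the header values, the cookie name and the thresholds (HSTS max-age of at least one year, script-src without 'unsafe-inline' unless a nonce or hash is present) are assumptions.

```typescript
// Added example (not WealthNow's code): audit a response for the HSTS, CSP,
// Permissions-Policy and session-cookie properties described on this page.
// Header values, cookie name and thresholds are assumptions.

type HeaderMap = Record<string, string>; // lowercase header name -> value

const ONE_YEAR_SECONDS = 31536000;

// Split "name=value; Attr; Attr=v" into the cookie name and a map of attributes.
function parseSetCookie(value: string): { name: string; attrs: Map<string, string> } {
  const [nameValue, ...rest] = value.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0];
  const attrs = new Map<string, string>();
  for (const part of rest) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs.set(key, eq === -1 ? "" : part.slice(eq + 1));
  }
  return { name, attrs };
}

// Returns a list of findings; an empty list means every checked property holds.
function auditResponse(headers: HeaderMap): string[] {
  const findings: string[] = [];
  const h = (n: string) => headers[n.toLowerCase()];

  const hsts = h("Strict-Transport-Security");
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR_SECONDS) findings.push("HSTS max-age below one year");
  }

  const csp = h("Content-Security-Policy");
  if (!csp) findings.push("missing Content-Security-Policy");
  else {
    const scriptSrc = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
    if (!scriptSrc) findings.push("CSP has no script-src directive");
    // Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is
    // present, so it is only a finding when it stands alone.
    else if (/'unsafe-inline'/.test(scriptSrc) && !/'(nonce-|sha(256|384|512)-)/.test(scriptSrc))
      findings.push("CSP script-src allows 'unsafe-inline' without a nonce or hash");
  }

  if (!h("Permissions-Policy")) findings.push("missing Permissions-Policy");

  const setCookie = h("Set-Cookie");
  if (setCookie) {
    const { name, attrs } = parseSetCookie(setCookie);
    if (!attrs.has("secure")) findings.push(`cookie ${name} lacks Secure`);
    if (!attrs.has("httponly")) findings.push(`cookie ${name} lacks HttpOnly`);
    const sameSite = (attrs.get("samesite") ?? "").toLowerCase();
    if (sameSite !== "lax" && sameSite !== "strict") findings.push(`cookie ${name} lacks SameSite=Lax or Strict`);
  }
  return findings;
}

// Constructed sample responses (not captured from any real server).
const WEAK_RESPONSE: HeaderMap = {
  "strict-transport-security": "max-age=86400",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "set-cookie": "session=abc123; Path=/; HttpOnly",
};

const HARDENED_RESPONSE: HeaderMap = {
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "content-security-policy":
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
  "set-cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
};
```

Run against a live deployment you would feed the function the headers from a real response (one entry per `Set-Cookie` if several are sent); the weak sample produces five findings and the hardened one none.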

Data Deletion

You are in full control of your data. You can delete your account at any time from within the application.

  • Account deletion permanently removes your profile, all transactions, templates, and associated data.
  • Deletion cascades through all related records and is irreversible: nothing is retained in the live system.
  • Backups: encrypted backups are kept for 30 days and rotated automatically. A deleted account can therefore persist in backups for up to 30 days, after which it is gone entirely.

Incident Response

In the event of a data breach, we will take the following steps:

  1. Immediately investigate and contain the incident.
  2. Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  3. Notify affected users without undue delay, consistent with GDPR Article 34.
  4. Provide details about the nature of the breach, the data affected, and the remediation steps taken.

Responsible Disclosure

If you discover a security vulnerability in WealthNow, we encourage you to report it responsibly. Please contact us at: .

What we ask:

  • Provide sufficient detail to reproduce the vulnerability (steps, URLs, parameters).
  • Give us a reasonable amount of time to investigate and fix the issue before any public disclosure.
  • Do not access, modify, or delete data belonging to other users during your research.

What we promise:

  • We will acknowledge receipt of your report within 5 business days.
  • We will keep you informed about the progress of the fix.
  • We will not pursue legal action against researchers who report vulnerabilities in good faith and comply with this policy.

Questions about our security practices? Contact us at .

WealthNow regularly reviews and updates its security measures to address evolving threats and best practices.