Security & Privacy
Your financial data, protected by design
JoinFunds is built from the ground up with privacy and security at every layer. No Open Banking, no third-party data sharing, no compromises.
Privacy-First Architecture
Your bank files never leave your device.
CSV files are parsed entirely in your browser, in a dedicated web worker. The raw file is never uploaded to our servers; only the structured transaction rows you choose to import are sent to our database.
Client-Side CSV Parsing
Bank CSV files are processed in your browser using Papa Parse in a dedicated web worker. The raw file is never transmitted over the network.
No Open Banking Required
We never ask for your bank login credentials. You export a CSV from your bank, and you control exactly what data gets imported.
You Choose What to Share
Review every transaction before import. Skip individual rows, exclude entire date ranges, or redact descriptions. You are always in control.
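The review-before-import step described above, as an added example that is not JoinFunds' own code: a minimal CSV parser stands in for Papa Parse so it runs offline, and the column names, the dd/mm/yyyy date format and the ImportChoices options are assumptions. In the browser this would run inside a Worker and postMessage() only the returned Transaction[] back to the page; the File object itself never reaches a fetch() call.

```typescript
// Added example, not JoinFunds code: the client-side "review before import"
// step. A minimal RFC 4180-style parser stands in for Papa Parse so this runs
// offline; column names, the dd/mm/yyyy date format and the ImportChoices
// options are assumptions. In the browser this would run inside a Worker and
// postMessage() only the returned Transaction[] back to the page.

interface Transaction {
  date: string;        // ISO yyyy-mm-dd
  amount: number;      // signed, major units
  description: string;
}

interface ImportChoices {
  skipRows?: number[];                          // 0-based data-row indices to drop
  excludeRange?: { from: string; to: string };  // inclusive ISO date range to drop
  redactDescriptions?: boolean;                 // replace every description with a placeholder
}

// Parse CSV text into rows of fields, handling double-quoted fields that
// contain commas, newlines or doubled quotes. Pure string work, no I/O.
function parseCsv(text: string): string[][] {
  const rows: string[][] = [];
  let row: string[] = [];
  let field = "";
  let inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ",") {
      row.push(field); field = "";
    } else if (c === "\n" || c === "\r") {
      if (c === "\r" && text[i + 1] === "\n") i++;   // treat CRLF as one break
      row.push(field); field = "";
      rows.push(row); row = [];
    } else {
      field += c;
    }
  }
  if (field !== "" || row.length > 0) { row.push(field); rows.push(row); }
  return rows;
}

// UK bank exports commonly use dd/mm/yyyy; ISO dates compare correctly as strings.
function toIsoDate(ukDate: string): string {
  const m = /^(\d{2})\/(\d{2})\/(\d{4})$/.exec(ukDate.trim());
  if (!m) throw new Error(`unrecognised date: ${ukDate}`);
  return `${m[3]}-${m[2]}-${m[1]}`;
}

// Apply the user's choices and return only the rows that will be uploaded.
function selectForImport(csvText: string, choices: ImportChoices = {}): Transaction[] {
  const [header, ...data] = parseCsv(csvText);
  if (!header) throw new Error("empty file");
  const col = (name: string): number => {
    const idx = header.findIndex(h => h.trim().toLowerCase() === name);
    if (idx < 0) throw new Error(`missing column: ${name}`);
    return idx;
  };
  const iDate = col("date"), iDesc = col("description"), iAmt = col("amount");
  const skip = new Set(choices.skipRows ?? []);
  const range = choices.excludeRange;
  const out: Transaction[] = [];
  data.forEach((fields, rowIndex) => {
    if (skip.has(rowIndex)) return;
    const date = toIsoDate(fields[iDate]);
    if (range && date >= range.from && date <= range.to) return;
    const amount = Number(fields[iAmt].replace(/[£,\s]/g, ""));
    if (!Number.isFinite(amount)) throw new Error(`bad amount on row ${rowIndex}`);
    out.push({
      date,
      amount,
      description: choices.redactDescriptions ? "[redacted]" : fields[iDesc].trim(),
    });
  });
  return out;
}

// Constructed sample export for illustration; not real bank data.
const SAMPLE_CSV = [
  "Date,Description,Amount",
  '01/03/2024,"TESCO STORES 1234, LONDON",-42.10',
  "02/03/2024,SALARY ACME LTD,2500.00",
  "15/03/2024,NHS PHARMACY,-8.50",
  "20/03/2024,RENT,-1200.00",
].join("\n");
```

Calling selectForImport(SAMPLE_CSV, { skipRows: [2], excludeRange: { from: "2024-03-20", to: "2024-03-31" }, redactDescriptions: true }) yields two rows with "[redacted]" descriptions; everything the user dropped or redacted is gone before any network request is made.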
GDPR Compliance
Full UK GDPR compliance, built into the product.
Your data rights are not buried in a support ticket queue. We built them directly into JoinFunds so you can exercise them yourself, instantly.
Data Export (Art. 15 & 20)
Download a complete copy of all your personal data as structured JSON from Settings at any time. No waiting, no email required.
Account Deletion (Art. 17)
Request permanent deletion from Settings. A 30-day grace period lets you change your mind. After that, all data is irreversibly erased.
Automated Retention Cleanup
Expired invitations, old audit logs, and import metadata are automatically purged on schedule. No stale personal data lingers.
Encryption & Auth
Encrypted in transit, encrypted at rest, no passwords stored.
Modern authentication with zero password risk, backed by industry-standard encryption at every layer.
TLS Encryption Everywhere
All data in transit is encrypted with TLS. HTTPS is enforced with an HTTP Strict Transport Security (HSTS) header, so a browser that has seen it once refuses to fall back to plain HTTP for the site.
Encrypted at Rest
Your data is stored in Supabase (AWS eu-west-2, London) with AES-256 encryption at rest. Auth tokens are held in httpOnly cookies, which page scripts cannot read, so a cross-site scripting bug cannot exfiltrate your session token.
Passwordless Authentication
Sign in with Google OAuth or magic link email. No passwords are ever stored, so there is nothing to steal, leak, or brute-force.
Authentication Security
Defence in depth for every sign-in and session.
Rate limiting, CSRF protection, and automatic session management keep your account secure even if an attacker knows your email address.
Rate Limiting
Magic link requests are limited to 3 per email address per hour, enforced server-side. Further requests are rejected before a link is sent, so an attacker who knows your address cannot flood your inbox with sign-in links.
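The server-side limit described above, as an added example that is not JoinFunds' own code. The sliding-window logic is standard; the in-memory Map is an assumption for illustration, and on a serverless host like Vercel each instance would need a shared store (such as a database table) for the count to hold across instances.

```typescript
// Added example, not JoinFunds code: a sliding-window limiter for magic-link
// requests, 3 per email address per hour, checked on the server before any
// email is sent. The Map store is for illustration only; on serverless hosts
// the counts must live in a shared store or each instance has its own limit.

const WINDOW_MS = 60 * 60 * 1000;
const MAX_REQUESTS = 3;

// Normalise so "Alice@Example.com " and "alice@example.com" share one bucket;
// without this the limit is bypassed by varying case or whitespace.
function normaliseEmail(email: string): string {
  return email.trim().toLowerCase();
}

class MagicLinkLimiter {
  private readonly sent = new Map<string, number[]>();

  // Drop timestamps that have aged out of the window and return the rest.
  private recent(key: string, now: number): number[] {
    const kept = (this.sent.get(key) ?? []).filter(t => now - t < WINDOW_MS);
    this.sent.set(key, kept);
    return kept;
  }

  // Returns true and records the send if a link may go out now. `now` is
  // injectable so the window behaviour can be tested deterministically.
  allow(email: string, now: number = Date.now()): boolean {
    const key = normaliseEmail(email);
    const recent = this.recent(key, now);
    if (recent.length >= MAX_REQUESTS) return false;
    recent.push(now);
    return true;
  }

  // Seconds until the next request would be accepted; 0 if allowed now.
  // Suitable for a Retry-After header on the 429 response.
  retryAfterSeconds(email: string, now: number = Date.now()): number {
    const recent = this.recent(normaliseEmail(email), now);
    if (recent.length < MAX_REQUESTS) return 0;
    const oldest = Math.min(...recent);
    return Math.ceil((oldest + WINDOW_MS - now) / 1000);
  }
}

// Request handler shape: the response body is identical whether or not an
// account exists for the address, so the endpoint cannot be used to enumerate users.
function handleMagicLinkRequest(limiter: MagicLinkLimiter, email: string, now: number = Date.now()):
  { status: number; body: string; retryAfter?: number } {
  if (!limiter.allow(email, now)) {
    return { status: 429, body: "Too many requests", retryAfter: limiter.retryAfterSeconds(email, now) };
  }
  // sendMagicLink(email) would go here; it is intentionally omitted.
  return { status: 202, body: "If an account exists for that address, a sign-in link has been sent." };
}
```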
CSRF & Session Protection
Sign-in uses the OAuth authorization code flow with PKCE, and refresh tokens are rotated automatically on each use. All state-changing requests are protected by CSRF validation, and session cookies are refreshed transparently.
Partner Invitation Security
Partner invitations use cryptographically random tokens that expire after 7 days. Each invitation is single-use and can be revoked at any time.
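An invitation lifecycle matching the properties listed above (random token, 7-day expiry, single-use, revocable), as an added example that is not JoinFunds' own code. The in-memory store, field names and id format are assumptions; the point it shows beyond the text is that only a hash of the token is stored, so a leaked invitations table does not contain working links.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example, not JoinFunds code: single-use partner invitations backed by a
// 256-bit random token that expires after 7 days and can be revoked by the
// inviter. Only a SHA-256 hash of the token is stored, so a leaked invitations
// table does not yield working links. The in-memory store, field names and
// ids are assumptions.

const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000;

interface Invitation {
  id: string;
  householdId: string;
  inviteeEmail: string;
  tokenHash: string;          // hex SHA-256 of the secret; the secret is never stored
  expiresAt: number;          // epoch ms
  usedAt: number | null;
  revokedAt: number | null;
}

function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

class InvitationStore {
  private readonly invites: Invitation[] = [];
  private nextId = 1;

  // Returns the one-time secret to put in the emailed link, plus the id the
  // inviter uses to revoke. 32 random bytes leaves nothing to brute-force.
  create(householdId: string, inviteeEmail: string, now: number = Date.now()): { id: string; token: string } {
    const token = randomBytes(32).toString("base64url");
    const id = `inv_${this.nextId++}`;
    this.invites.push({
      id, householdId, inviteeEmail,
      tokenHash: hashToken(token),
      expiresAt: now + INVITE_TTL_MS,
      usedAt: null, revokedAt: null,
    });
    return { id, token };
  }

  // Revocation is by id, so the inviter never needs the secret again.
  revoke(id: string, now: number = Date.now()): boolean {
    const inv = this.invites.find(i => i.id === id);
    if (!inv || inv.revokedAt !== null) return false;
    inv.revokedAt = now;
    return true;
  }

  // Accept exactly once. Every failure path returns the same null, so the
  // caller cannot tell "expired" or "revoked" from "never existed".
  accept(token: string, now: number = Date.now()): string | null {
    // The lookup compares hashes, not the secret itself; timing differences on
    // the hash comparison do not help an attacker recover the token.
    const h = hashToken(token);
    const inv = this.invites.find(i => i.tokenHash === h);
    if (!inv || inv.usedAt !== null || inv.revokedAt !== null || now >= inv.expiresAt) return null;
    inv.usedAt = now;
    return inv.householdId;
  }
}
```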
Infrastructure
Hosted in London, isolated by design, secured at the database level.
Every architectural decision prioritises data isolation and security, from the database policies to the edge network.
Supabase (EU-West-2)
All data is hosted in AWS's London region (eu-west-2) via Supabase, so your financial data stays in the UK, under UK GDPR.
Vercel Edge Network
Application code is deployed to Vercel's global edge network with automatic DDoS protection and TLS certificate management.
Row Level Security (RLS)
Every tenant table has Row Level Security policies enforced by PostgreSQL itself. Even if an application bug issues the wrong query, the database refuses to return or modify another household's rows.
Application Security
Content Security Policy, input validation, and strict type safety.
Multiple layers of defence protect against injection attacks, cross-site scripting, and malformed input.
Content Security Policy
Strict Content-Security-Policy headers block inline scripts, forbid embedding the app in other sites' frames (frame-ancestors 'none', which also defeats clickjacking), and restrict script, style and connection sources to trusted origins only.
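The headers described in this section and under TLS Encryption Everywhere, as an added example that is not JoinFunds' own code: a nonce-based CSP built per response, the HSTS header, and a small checker that flags the usual ways a policy quietly stops protecting anything. The allowed API origin is a placeholder.

```typescript
import { randomBytes } from "node:crypto";

// Added example, not JoinFunds code: per-response security headers with a
// nonce-based CSP, plus a checker that flags common holes. The API origin
// passed in is a placeholder; the directives themselves are standard.

type HeaderMap = Record<string, string>;

// A fresh nonce per response; only <script nonce="..."> tags carrying it run,
// so an inline <script> injected through an XSS bug is refused by the browser.
function newNonce(): string {
  return randomBytes(16).toString("base64");
}

function buildSecurityHeaders(nonce: string, apiOrigin: string): HeaderMap {
  const csp = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "style-src 'self'",
    `connect-src 'self' ${apiOrigin}`,
    "img-src 'self' data:",
    "font-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",   // no embedding anywhere: defeats clickjacking
  ].join("; ");
  return {
    "Content-Security-Policy": csp,
    // Two years, all subdomains: a browser that has seen this will not fall back to http://
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Parse "directive src src; directive src" into a map so checks look at what
// the policy permits rather than at substrings.
function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out.set(name.toLowerCase(), sources.map(s => s.toLowerCase()));
  }
  return out;
}

// Returns human-readable findings; an empty list means none of the common holes.
function cspWeaknesses(csp: string): string[] {
  const p = parseCsp(csp);
  const findings: string[] = [];
  const scripts = p.get("script-src") ?? p.get("default-src") ?? ["*"];
  // 'unsafe-inline' is ignored by browsers when a nonce or hash is also present,
  // so it only counts as a hole when it is the effective policy.
  const hasNonceOrHash = scripts.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
  if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash)
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  if (scripts.includes("*") || scripts.includes("https:") || scripts.includes("data:"))
    findings.push("script-src allows scripts from any origin or data: URLs");
  if (scripts.includes("'unsafe-eval'"))
    findings.push("script-src allows 'unsafe-eval'");
  const fa = p.get("frame-ancestors");
  if (!fa || !(fa.length === 1 && fa[0] === "'none'"))
    findings.push("frame-ancestors is not 'none'; the app can be framed");
  const obj = p.get("object-src") ?? p.get("default-src");
  if (!obj || !obj.includes("'none'"))
    findings.push("object-src is not 'none'; plugin content can load");
  if (!p.has("base-uri"))
    findings.push("base-uri missing; an injected <base> tag can redirect relative script URLs");
  return findings;
}
```

Running cspWeaknesses over a policy such as "default-src *; script-src 'self' 'unsafe-inline' https:" reports five findings, while the policy produced by buildSecurityHeaders reports none; the checker is what makes the difference between the two visible in a test rather than in an incident.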
Zod Input Validation
Every API endpoint validates input with strict Zod schemas. Malformed or unexpected data is rejected before it reaches the database.
TypeScript Strict Mode
The entire codebase runs in TypeScript strict mode with no "any" types. Type safety catches classes of bugs at compile time that other apps discover in production.
Self-Hosted Monitoring
Error tracking and analytics without third-party data sharing.
We use self-hosted, privacy-respecting tools for monitoring. No data is sent to Google Analytics, Sentry, or any third-party analytics platform.
Umami Analytics
Privacy-first, self-hosted analytics that collects no personal data. No cookies, no fingerprinting, no cross-site tracking. Fully GDPR compliant.
GlitchTip Error Tracking
Self-hosted error monitoring. Stack traces and error reports stay on our infrastructure, not in a third-party SaaS dashboard.
No Third-Party Data Sharing
We never share your usage data with Google, Facebook, or any advertising network. Your browsing and spending patterns are not for sale.
Questions about our security?
Read our Privacy Policy for the full legal detail, or contact us at security@joinfunds.app for security-specific inquiries.
JoinFunds is registered with the Information Commissioner's Office (ICO). Registration number: C1891815.
Ready to manage your finances securely?
Your bank files never leave your browser. Start for free, no credit card required.