Security at Vorthly

All data is encrypted in transit using TLS 1.3+. Sensitive data is encrypted at rest:

• Broker credentials: AES-256-GCM, industry-standard symmetric encryption.
• Passwords: bcrypt hashing with salt.
• Database: encrypted at rest by Supabase.
• Backups: encrypted.

We use the same encryption standards as major financial institutions.

When you connect a broker account through MetaApi, your credentials are encrypted on our server before being passed to MetaApi. They are never stored unencrypted, anywhere.

We strongly recommend using your broker's investor password, which provides read-only access. With investor access:

• Vorthly can read your trade history and account balance.
• Vorthly cannot place trades on your behalf.
• Vorthly cannot withdraw funds.
• Vorthly cannot modify your account.

If your broker supports investor-password, use it. If not, we recommend creating a dedicated read-only API key where possible.

Vorthly is built on EU infrastructure:

• Database: Supabase EU-North-1, Stockholm, Sweden.
• File storage: same region.
• Authentication: Supabase Auth, EU-hosted.

We are fully GDPR-compliant. You have the right to:

• Access your data, downloadable anytime via Settings -> Data.
• Correct your data by editing it anytime.
• Delete your data through Settings -> Account -> Delete account.
• Export your data in JSON format, including complete history.
• Object to processing.
• Lodge a complaint with Datatilsynet in Norway or your local data protection authority.

Some services we use, including Google AI and Vercel for hosting, may transfer data outside the EU under Standard Contractual Clauses.

Vorthly uses Google Gemini for AI analysis, including insights and per-trade feedback. Important details:

• Your trade data is sent to Google's API for analysis only.
• Per Google's API terms, this data is not retained by Google.
• Your data is not used to train Google's AI models.
• We do not store AI prompts or responses outside your own account.

We may switch AI providers in the future. We will notify you and update this page if that happens.

Your Vorthly account is protected by:

• Password hashing with bcrypt.
• Optional Google OAuth for password-free sign in.
• Session tokens with short expiry.
• Database Row Level Security, so every query is scoped to your user.
• Automatic logout after extended inactivity.

Coming soon:

• Two-factor authentication.
• Login alerts for new devices.

In the unlikely event of a security incident:

• We will notify affected users within 72 hours via email.
• We will publish a detailed post-mortem.
• We will work with relevant authorities, including Datatilsynet for EU users.

We follow GDPR Article 33 and 34 requirements for breach notification.

Found a security issue? We appreciate your help.

Email: security@vorthly.com. We'll set this up before launch. For now, use support@vorthly.com.

We will:

• Acknowledge within 48 hours.
• Investigate and fix promptly.
• Credit you in our security acknowledgments if you wish.
• Not take legal action against good-faith security research.

Please:

• Do not access or modify other users' data.
• Do not perform DoS attacks.
• Give us reasonable time to fix issues before publishing.

Security questions, concerns, or reports:

support@vorthly.com. security@vorthly.com is coming soon.

We aim to respond within 1 business day.