Security & Privacy Policy

Last updated: January 8, 2026


Prop Firm PNL Tracker is designed with security and privacy as core principles. This document outlines our security practices, data handling procedures, and compliance measures.

1. Data Protection

1.1 Encryption

All data is protected using industry-standard encryption:

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all connections
  • API Communication: mTLS (mutual TLS) for bank data provider connections

1.2 Data Minimization

We limit data collection and storage to what is strictly necessary:

  • Account Numbers: Only the last 4 digits are stored (masked)
  • Bank Credentials: Never stored — we use tokenized, read-only connections
  • Access Tokens: Deleted immediately after data fetch
  • Connection Persistence: Bank connections are disconnected immediately after use

2. Bank Connectivity

2.1 How It Works

Bank account access is facilitated through Teller, a third-party financial data provider:

  1. You authenticate directly with your bank via Teller Connect
  2. A temporary, read-only access token is generated
  3. We fetch up to 12 months of transaction data
  4. The bank connection is immediately deleted after data retrieval
  5. No ongoing access to your bank account is retained

2.2 Access Limitations

Our access to bank data is strictly limited:

What We Can Access:

  • Transaction history (read-only)
  • Account balances (read-only)
  • Account names and last 4 digits

What We Cannot Do:

  • Move money or initiate transactions
  • See full account numbers
  • Access bank login credentials
  • Maintain persistent access to accounts

3. Authentication & Authorization

3.1 User Authentication

  • Email/password authentication via Supabase Auth
  • Secure session management with HTTP-only cookies
  • Password requirements enforced at sign-up

3.2 Row Level Security (RLS)

All database tables use Postgres Row Level Security. This ensures that even if there is a bug in our application code, the database itself prevents unauthorized access to data belonging to other users.

3.3 Access Control

  • User: Can access only their own PNL reports and connected accounts
  • Public Reports: Can be accessed via unique shareable token (if enabled)
  • Admin: Server-side operations only; no direct UI access to user data

4. Data Retention

4.1 Automatic Deletion

  • PNL Report Data: Retained until user deletion
  • Audit Logs: Retained for compliance purposes; deletions are logged
  • Session Data: Cleared on logout

4.2 Manual Deletion

Users may request deletion of all their data at any time by contacting support or using account deletion features.


5. GDPR Compliance

5.1 Data Subject Rights

We support the following data subject rights under GDPR and similar regulations:

  • Right to Access: Export all data via account settings
  • Right to Portability: JSON export includes all user data
  • Right to Erasure: One-click deletion of all data
  • Right to Rectification: Edit profile and account settings at any time

5.2 Data Export

Exported data includes user profile information, PNL report metadata, and activity/audit logs. Raw financial transaction data is excluded from standard exports for security reasons. Users requiring transaction-level data should contact support.


6. Audit Logging

All significant actions are logged for security and compliance purposes:

  • Report views (user ID, report ID, timestamp, IP address)
  • Data exports (user ID, timestamp)
  • Data deletions (user ID, what was deleted, timestamp)
  • PNL report creation (user ID, account info, timestamp)
  • Login and logout events (user ID, timestamp, IP address)

Audit logs are immutable, retained for 7 years for compliance, and included in user data exports.


7. Infrastructure Security

7.1 Hosting

  • Database: Supabase (AWS infrastructure)
  • Application: Edge-deployed Next.js
  • Region: Data stored in US-East

7.2 Network Security

  • All endpoints are HTTPS-only
  • API rate limiting is enabled
  • CORS is restricted to the application domain
  • Content Security Policy (CSP) headers are configured

8. Compliance & Certifications

8.1 Standards We Follow

  • GDPR: General Data Protection Regulation (EU)
  • CCPA: California Consumer Privacy Act
  • SOC 2: Via Supabase infrastructure

8.2 Third-Party Security Certifications

  • Supabase: SOC 2 Type II
  • Teller: SOC 2 Type II, PCI DSS
  • Hosting Provider: SOC 2 Type II

9. Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

  1. Email us at support@proppnl.com
  2. Do not disclose publicly until we have had time to address the issue
  3. We aim to respond within 48 hours
  4. We do not pursue legal action against good-faith security researchers

10. Contact Information

For security concerns or questions, please contact:

  • Security Issues: support@proppnl.com
  • Privacy Requests: support@proppnl.com
  • General Support: support@proppnl.com