Skip to content
CalculatorAI
HomeFavoritesHistory
Handbook/Data Security

On this page

  • Encryption everywhere
  • Your data is isolated to your account
  • Sign‑in and passwords
  • Payments never expose your card
  • How the AI assistant handles your data
  • Connected accounts are read‑only
  • What we never do
  • You stay in control
  • Reporting a security issue
  • An honest note

Your Data Security & Privacy

Your numbers are personal. Salaries, portfolios, trades, invoices, net worth — the things you track on CalculatorAI are some of the most sensitive data you own. This page explains, in plain language, exactly how we protect them, who can (and can't) see them, and the controls you have. Where it matters, we link to the official documentation of the infrastructure we build on so you can verify the claims yourself.

The short version: your data is encrypted, isolated to your account alone, never sold, and never used to train AI. We — the people who run CalculatorAI — do not browse through your entries, and our AI assistant only ever sees your data, only when you ask it something, and it is never trained on it.

Encryption everywhere

  • In transit. Every connection to CalculatorAI uses HTTPS/TLS, so the data moving between your device and our servers is encrypted and can't be read in flight.
  • At rest. Your data lives in a managed Supabase Postgres database (built on AWS), encrypted at rest with AES‑256. Daily backups are encrypted too.
  • Sensitive credentials get a second layer. When you connect a read‑only exchange or wallet, the API keys are encrypted a second time with AES‑256‑GCM before they're stored, using a key that never leaves our server environment.

References: Supabase security & compliance (SOC 2 Type II) · Vercel security, where the app itself runs.

Your data is isolated to your account

This is the most important guarantee. CalculatorAI uses Postgres Row Level Security (RLS) — database‑level rules that make it technically impossible for one account to read another account's rows. Every table that holds your content carries a policy of the form "you may only see rows where the owner is you," enforced by the database on every single query, not by app code that could be bypassed.

In practice that means: even a bug in our own frontend can't leak your trades to another user, because the database itself refuses to return rows that aren't yours.

Reference: Postgres Row Level Security, explained by Supabase.

Sign‑in and passwords

  • Authentication is handled by Supabase Auth. If you sign up with a password, it is hashed (with bcrypt) before storage — we never store, see, or log your actual password.
  • You can also sign in with Google, so no password ever touches us at all.
  • Sessions use secure, http‑only cookies.

Payments never expose your card

We do not run our own payment forms and we never see or store your card number. All billing goes through Stripe, a PCI‑DSS Level 1 certified provider (the highest level) used by millions of businesses. Your card details are entered on Stripe's own secured checkout and stay with Stripe — CalculatorAI only receives a token that says "this customer is subscribed."

Reference: Stripe security & PCI compliance.

How the AI assistant handles your data

Our assistant can talk about your finances — your portfolio value, your win rate, your overdue invoices — so it's fair to ask what happens to that data. Here's the honest, complete answer:

  • It only sees your data, only when you ask. When you send a message, we assemble a compact snapshot of your data (protected by the same Row Level Security above) and pass it to the model to compute your answer. It is not a process that sits and watches your account.
  • No cross‑user access. Another person's data is never in your assistant's context, and yours is never in theirs.
  • It is not trained on your data. The assistant runs on Anthropic's Claude via their business API. Under Anthropic's terms, inputs and outputs sent through the API are not used to train their models. We also do not use your data to train any model of our own.
  • You're in control of what it knows. The assistant reads what you've saved so it can be useful; it doesn't act on your money or move funds.

References: Anthropic Privacy Center · Anthropic Privacy Policy.

Connected accounts are read‑only

If you link an exchange or a crypto wallet to the Portfolio Tracker, we ask only for read‑only access. A read‑only key can show balances — it cannot place trades, transfer, or withdraw anything. On top of that, the key is stored encrypted (see Encryption above). We never take custody of your funds and we never have the ability to move them.

What we never do

  • We never sell your data, and we never share it with advertisers or data brokers.
  • We never read through your entries for any purpose other than providing the service you asked for (and supporting you if you contact us).
  • We don't put personal or financial values into URLs, analytics events, or third‑party trackers.

You stay in control

  • Export anytime, for free. Exporting your own data (CSV) is always free, on every tier — it's your data, and it's never held hostage behind a paywall.
  • Delete anytime. Deleting an item removes it from view immediately; deleted content is then permanently purged on a rolling schedule. You can also delete your whole account.
  • Read‑only after a trial ends. If your Pro trial lapses, your existing data stays safe and visible — expiry only limits creating new items, it never deletes what you already have.

Details of what we collect and your rights are in our Privacy Policy, Terms, and Cookie Policy.

Reporting a security issue

Security is never "finished," and we take reports seriously. If you believe you've found a vulnerability, please email us through the contact page with the details and steps to reproduce, and give us a reasonable window to fix it before disclosing publicly. We're grateful for responsible disclosure.

An honest note

No online service — ours included — can promise it is impossible to breach; anyone who claims otherwise is not being straight with you. What we can promise is that we use the same battle‑tested, independently audited infrastructure that banks‑adjacent fintechs rely on (Supabase, Stripe, Vercel, Anthropic), that your data is encrypted and isolated to you, that we never sell it or train AI on it, and that you can export or delete it whenever you want. If our practices ever change, we'll update this page and our Privacy Policy.

Questions about any of this? Reach out — a real person will answer.