Security & privacy

Your money data, treated like it matters.

Coinly is built around a simple principle: only you and the people you invite should ever be able to see your finances. Here's exactly how we enforce that — at the network, the database, and the team level.

Encryption everywhere

TLS 1.2+ for everything over the wire. AES-256 for data at rest. Receipt files served only through signed, expiring URLs.

Row-level isolation

Every database row carries an owner. Postgres row-level security policies block any cross-account read — at the database layer, not just the app.

Strong authentication

Email + password with strong hashing, Google sign-in, and optional TOTP two-factor with recovery codes.

EU hosting & GDPR

Hosted in Frankfurt (EU). GDPR-compliant by default. DPA available for Business customers. No data sold to advertisers — ever.

Read-only bank access

PSD2 connections via Enable Banking. We can read transactions you approve, never move money. You can revoke access from your bank at any time.

Audit logs

Admin actions, data exports and access events are logged. On Business plans, you can review who accessed what and when.

What we will never do

  • Sell, rent or share your financial data with advertisers, data brokers, or AI training providers.
  • Move money on your behalf — bank connections are read-only by design.
  • Email you marketing junk you didn't sign up for.
  • Lock you in — you can export everything to CSV and delete your account on your own, any time.

Frequently asked

Where is my data stored?

On managed EU infrastructure (Frankfurt region). Backups are encrypted and stored in the same region. We never sell or share your data with advertisers.

Who can see my transactions?

Only you and the people you explicitly invite to an asset. Database-level row-level security enforces this — even our own services can only read rows you own or are a member of.

Do you store my bank credentials?

No. Bank connections use Enable Banking, a regulated PSD2 provider. You authenticate directly with your bank; we only receive the read-only data feed you approve.

How are receipts and documents stored?

Encrypted at rest, served through signed time-limited URLs scoped to your account. You can delete any document and it's removed from active storage immediately.

Can I enable two-factor authentication?

Yes. TOTP (Authy, 1Password, Google Authenticator) is supported. Recovery codes are generated when you enroll.

Can I export or delete my data?

Yes. Export everything to CSV at any time from Settings. Account deletion is permanent and removes all your data within 30 days, including backups.

Are payments processed securely?

Card details never touch our servers — billing is handled by Stripe, a PCI-DSS Level 1 provider.

Do you have a DPA?

Yes. A Data Processing Agreement is available for Business plan customers — see the DPA page or contact support.

Found a vulnerability?

We appreciate responsible disclosure. Email security@coinlyfinance.com with details and we'll get back to you within 2 business days.