How PortfolioTrackr Protects Your Investment Data (2026)
Your portfolio tracker holds sensitive financial information: your holdings, trade history, total wealth, and notification preferences. We've built multiple layers of protection to keep that data yours — here's exactly what each layer does and why it matters.
Two-Factor Authentication (2FA)
PortfolioTrackr supports TOTP-based two-factor authentication — the same standard used by banks and major financial institutions. When you enable 2FA, every login requires your password plus a six-digit code that changes every 30 seconds on your phone.
This means that even if your password is exposed in a data breach somewhere else on the internet, an attacker still cannot get into your account without physical access to your device. 2FA is available on all plans at no extra cost and can be enabled in Account Settings → Security.
It works with any TOTP-compatible app: Google Authenticator, Authy, 1Password, Microsoft Authenticator, Bitwarden, and others.
Secure Password Reset Tokens
When you request a password reset, PortfolioTrackr generates a cryptographically random 64-character token and emails it to you as a link. Critically, this raw token is never stored in the database. Instead, only a SHA-256 hash of the token is saved.
This matters because it means that even someone with direct read access to the database cannot extract usable reset tokens. The only place the raw token ever exists is in your email inbox. Reset links expire after one hour and can only be used once.
Email Verification
Every new account requires email verification before it can access the dashboard. This confirms you own the email address you registered with, prevents accounts being created with someone else's email, and ensures that password reset links and security alerts actually reach you.
Password Confirmation for Email Changes
If you want to change your account email address, PortfolioTrackr requires you to enter your current password to confirm the change. This is an important protection: if someone found a way to access your active session (for example on a shared computer you forgot to log out of), they cannot silently redirect your account to a new email address without knowing your password. Changing your email is irreversible without your co-operation.
CSRF Protection on Every Action
Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks your browser into making a request to PortfolioTrackr on your behalf — for example, changing your password or deleting a position. PortfolioTrackr defends against this by embedding a unique secret token in every form and API request. The server validates this token before processing any action. A request from an external site cannot know your token, so it cannot forge valid requests.
Payment Session Security
When you upgrade your plan through Stripe, the payment session is cryptographically bound to your logged-in account. The upgrade confirmation page verifies that the Stripe session belongs to the same user who initiated the checkout. This prevents anyone else from claiming a payment that was made under a different account.
Admin Access — Double-Gated
The admin panel requires two independent checks to pass: a role field in the database, and a hardcoded email address match. Even if the database role field were somehow changed, access would still be denied unless the account email matches the hardcoded admin email. This means gaining admin access requires compromising the server itself, not just the database.
AI Input Validation
The Smart & Easy Import and Smart & Easy Sell features use AI to parse your trade details. Any text you submit is wrapped in structural delimiters before being sent to the AI, with an explicit instruction that everything inside is raw user data to be parsed — not instructions to follow. The AI's output is then validated against strict rules: tickers must be valid formats, shares and prices must be within realistic ranges. Any response that doesn't pass validation is rejected before it reaches your portfolio.
What PortfolioTrackr does not store
PortfolioTrackr does not store your brokerage credentials, bank account details, or payment card information. Payments are processed entirely by Stripe — PortfolioTrackr never sees your card number. Broker screenshots uploaded for AI trade import are processed transiently and never saved to disk or stored in the database.
HTTPS everywhere
All traffic between your browser and PortfolioTrackr is encrypted via HTTPS (TLS). This means your session token, your portfolio data, and your account details cannot be intercepted in transit by anyone monitoring the network.
Start Tracking With Confidence
Your financial data deserves serious protection. Enable 2FA after you sign up — it takes 60 seconds and adds a second lock on your account. Free 3-day trial, no credit card required.
Start Free Trial →Frequently asked questions
Does PortfolioTrackr support two-factor authentication?
Yes. TOTP-based 2FA is available on all plans at no extra cost. Enable it in Account Settings → Security. Compatible with Google Authenticator, Authy, 1Password, and any standard TOTP app.
What happens if someone gets my password?
With 2FA enabled, a stolen password alone cannot be used to log in — they also need the six-digit code from your authenticator app. Without 2FA, your account is protected by email verification and CSRF defences but not by a second factor. We strongly recommend enabling 2FA.
Is my portfolio data stored securely?
Yes. Data is stored in a private database accessible only via authenticated connections. It is transmitted over HTTPS. Passwords are hashed using bcrypt. Reset tokens are stored as SHA-256 hashes, never as raw values.
Can I change my email without my password?
No. Changing your account email requires entering your current password to confirm. This protects you even if someone gains temporary access to your logged-in session.