Security

Your financial data deserves real protection

Portfolio and wealth data are among the most sensitive things you manage online. Here's how we handle it at Planafolio.

Sicherheit

Deine Finanzdaten verdienen echten Schutz

Wir wissen, wie sensibel Depot- und Vermögensdaten sind. Deshalb behandeln wir sie entsprechend.

Verschlüsselt gespeichert

Zugangsdaten und Bestände werden verschlüsselt abgelegt, niemals im Klartext.

Kein Produktverkauf

Wir verkaufen keine Finanzprodukte und geben deine Daten nicht an Dritte weiter.

Hosting in Deutschland

Server und Backups laufen auf deutscher Infrastruktur.

Kein Abo-Risiko

Pro ist jederzeit monatlich kündbar — ohne Mindestlaufzeit.

In detail

Concrete safeguards

Not just promises — these are the technical measures behind them.

Encryption

Passwords are stored exclusively as a hash, never in plain text. The connection to Planafolio is TLS-encrypted throughout.

Two-factor authentication

Optional, enabled in account settings — an extra layer of protection against compromised passwords.

Regular backups

Your data is backed up regularly, so a technical failure doesn't mean data loss.

Minimal permissions

Internally we follow the principle of least privilege: access to user data is restricted to what's technically necessary.

Secure sessions

Session cookies are set httpOnly and secure and expire automatically — a stolen cookie can't be read out via JavaScript.

Data portability

A full JSON export of your data is available anytime in account settings — no support request needed.

Protected API keys

API keys are stored only as a hash and shown to you once in plain text — after that, not even Planafolio knows them anymore.

Responsible disclosure

You can report security vulnerabilities to us directly and confidentially — we handle reports promptly, before any details are published.

In case of an incident

How we handle security incidents

Security isn't a one-time checkbox, it's an ongoing process. Should an incident still occur, you have clear rights and we have clear obligations.

Notification without delay

In the event of an incident risking your data, we notify affected users without undue delay, per GDPR requirements.

Containment before communication

The cause is isolated and access is closed off first — transparent follow-up communication comes after.

Reporting to the supervisory authority

Notifiable incidents are reported to the responsible data protection authority within the required deadline.

Security questions

Frequently asked

See for yourself, for free.

Start for free