Your Data, Your Device, Your Business
No Passwords, By Design
We don't store passwords. Period. You log in via Google OAuth or email OTP verification, no passwords involved.
Encryption happens automatically at the project level. When you create a project, encryption keys are generated on your device and never leave it.
How We Handle Your Information
Everything Stays Local
Here's our radical idea: your data never leaves your control. For convenience we automatically sync encrypted copies between your devices, encrypting the data before it ever leaves your device. Our servers only see encrypted blobs, never your actual data.
Projects Are Encrypted by Default
When you create a project, you set a password specifically for that project. Encryption keys are automatically generated on your device from this password using cryptographic methods (PBKDF2).
The project password is never stored anywhere, not in memory, not on your device, not on our servers. It vanishes the moment you type it. The derived encryption keys never leave your device and are never sent to our servers.
How the keys work together: When you create a project, you get RSA-OAEP public and private keys generated on your device. Your private key is encrypted with the master encryption key. It decrypts a shared key (AES-GCM), which then encrypts and decrypts your actual project data. Projects can have multiple shared keys for different sharing scenarios.
Your public key encrypts shared keys issued to you and verifies messages received from our backend, ensuring only you can read them.
Encryption keys are generated on your device when you create a project. They are never stored on our servers and never transmitted. Encryption keys are cached in your browser for convenience, but they're not exportable: the app can use them to decrypt data, but it literally cannot extract or read the key material itself.
We use Web Crypto API for all encryption operations and random number generation.
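As an added illustration (this is not Turbobulls' code), here is the key hierarchy described above built on the Web Crypto API: PBKDF2 turns the project password into a non-extractable master key, that master key wraps the RSA-OAEP private key, the private key unwraps a shared AES-GCM data key, and the data key encrypts project data. It also shows what "non-exportable" means in practice: `exportKey` on such a key is refused by the API, and a wrong project password cannot unwrap anything. Iteration count, key sizes and the sample record are assumptions.

```javascript
// Added example (not Turbobulls' code): the key hierarchy described above, built with
// the Web Crypto API. Iteration count, key sizes and sample data are assumptions.
const enc = new TextEncoder();
const dec = new TextDecoder();
const AES = { name: 'AES-GCM', length: 256 };
const RSA = { name: 'RSA-OAEP', hash: 'SHA-256' };

// Browser: globalThis.crypto. Node: fall back to its webcrypto implementation.
async function getCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}

// Project password -> master key via PBKDF2. Non-extractable: it can wrap and
// unwrap other keys, but its bytes cannot be read back out of the key store.
async function deriveMasterKey(subtle, password, salt) {
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', salt, iterations: 310000, hash: 'SHA-256' },
    base, AES, false, ['wrapKey', 'unwrapKey']);
}

async function demo(password = 'correct horse battery staple', plaintext = 'AAPL 10 @ 150.00') {
  const c = await getCrypto(), s = c.subtle;
  const rnd = (n) => c.getRandomValues(new Uint8Array(n));
  const salt = rnd(16), ivPriv = rnd(12), ivData = rnd(12);
  // Project creation: master key, RSA-OAEP pair, private key wrapped under the master key.
  const master = await deriveMasterKey(s, password, salt);
  const pair = await s.generateKey({ ...RSA, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ['wrapKey', 'unwrapKey']);
  const wrappedPriv = await s.wrapKey('pkcs8', pair.privateKey, master, { name: 'AES-GCM', iv: ivPriv });
  // Shared data key, wrapped to the public key; only the private-key holder can unwrap it.
  const shared = await s.generateKey(AES, true, ['encrypt', 'decrypt']);
  const wrappedShared = await s.wrapKey('raw', shared, pair.publicKey, { name: 'RSA-OAEP' });
  const ciphertext = await s.encrypt({ name: 'AES-GCM', iv: ivData }, shared, enc.encode(plaintext));
  // Everything a server would hold: salt, IVs, wrapped keys, ciphertext. No usable key bytes.

  // Later session: re-derive the master key, unwrap keys as NON-extractable, decrypt.
  const master2 = await deriveMasterKey(s, password, salt);
  const priv = await s.unwrapKey('pkcs8', wrappedPriv, master2, { name: 'AES-GCM', iv: ivPriv }, RSA, false, ['unwrapKey']);
  const shared2 = await s.unwrapKey('raw', wrappedShared, priv, { name: 'RSA-OAEP' }, AES, false, ['decrypt']);
  const roundTrip = dec.decode(await s.decrypt({ name: 'AES-GCM', iv: ivData }, shared2, ciphertext)) === plaintext;

  // "Key extraction" guarantee: exportKey on a non-extractable key is refused by the API.
  const exportBlocked = await s.exportKey('raw', shared2).then(() => false, () => true);
  // Wrong project password: PBKDF2 yields a different key and AES-GCM authentication fails.
  const wrong = await deriveMasterKey(s, password + 'x', salt);
  const wrongPasswordFails = await s.unwrapKey('pkcs8', wrappedPriv, wrong, { name: 'AES-GCM', iv: ivPriv }, RSA, false, ['unwrapKey']).then(() => false, () => true);
  return { roundTrip, exportBlocked, wrongPasswordFails };
}
```

The keys are generated extractable only for the instant they are wrapped; every key unwrapped for later use is created with `extractable: false`, which is the property the "cached but not exportable" statement above relies on.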
Security Guarantees
Database breaches: Encrypted data in our database is unreadable without your project password. AES-GCM encryption with keys derived via PBKDF2 ensures data remains secure even if database access is compromised.
Unauthorized decryption: Your private keys are encrypted with keys derived from your project password. Without that password, decryption is computationally infeasible.
Key extraction: Encryption keys are stored in the browser's Web Crypto API as non-exportable. They can perform cryptographic operations but cannot be read, copied, or transmitted.
Server-side access: All data is encrypted client-side before syncing. Our servers store only encrypted blobs and never have access to decryption keys.
What these guarantees don't cover:
- Supply chain attacks: someone swaps our code for malicious versions
- Direct database tampering: unauthorized writes or deletes
- Activity pattern detection: we can see when operations happen and what type, just not the content
The Difference: Encrypted vs. End-to-End Encrypted
You'll see other portfolio apps claim "your data is encrypted" or "bank-level security." Let's explain why that's not the same as what we do, and how you can verify it yourself.
"Encrypted" Doesn't Mean Private
Encrypted in transit and at rest means:
- Data is encrypted when traveling between your device and their servers (HTTPS)
- Data is encrypted when stored in their database (encryption at rest)
But here's the catch: they hold the encryption keys. They can decrypt your data anytime. When you see your portfolio dashboard, charts, or analytics, their servers are reading your unencrypted data to generate those features.
"Encrypted" just means it's protected from external hackers or if someone steals their hard drives. It doesn't protect you from them seeing your data.
End-to-End Encryption Is Different
You hold the only keys. Your data is encrypted on your device with keys derived from your project password. We never see that password, never see those keys.
Our servers see encrypted blobs. When your data syncs, we store gibberish. We can't decrypt it, can't run analytics on it, can't see your positions or values, even if we wanted to.
No server-side processing. We can't offer features that require reading your portfolio data (AI recommendations, server-side analytics) because we literally don't have access to it.
Don't Trust Us. Verify
We're asking you to trust our encryption, so here's how to verify we're not lying:
- Open your browser's Developer Tools (F12 or right-click → Inspect)
- Go to the Network tab and start recording
- Use the app normally: add transactions, view your portfolio, sync data
- Inspect the requests and look at what's being sent to our servers:
If you see encrypted data (long strings of random-looking characters, opaque blobs), that's E2EE working. We can't read it.
If you see plaintext data (ticker symbols, quantities, prices, dollar amounts in the request payload), that's NOT E2EE. The app can read your data.
The test: Can you read your portfolio values in the network requests? If yes, so can the platform. If you just see encrypted gibberish, then neither you nor we can read it without the decryption key that lives only on your device.
Why Other Apps Don't Do This
True E2EE is harder to build and limits features. Most portfolio apps need to see your data to:
- Generate portfolio analytics on their servers
- Offer AI-powered recommendations
- Create performance reports
- Show you dashboards without heavy client-side processing
You get the same features, just processed locally instead of on our servers.
If an app claims both:
- "Your data is fully encrypted and private"
- AND "We provide AI portfolio analysis and recommendations"
One of those statements is likely misleading. Server-side AI analysis requires reading your unencrypted data.
Here's why we care: we manage our own portfolios in this app. Every security decision protects our money just as much as yours. Self-interest is a powerful motivator for good security.
Questions? We built this system because we're users too. Your privacy isn't a feature, it's the foundation. Get in touch.