How we protect your data
You’re trusting us with the most detailed picture of your money most apps will ever see. Here’s the honest version of how that’s protected, where the realistic holes are, and what you can do to keep yourself safe.
We’re not a zero-knowledge product. The app’s job is to calculate things about your money — your net worth, your tax position, your pension projection — and that needs server-side access to your figures. The security model below is the one used by every credible finance SaaS: defence-in-depth, not magical encryption.
What protects your data today
- Row-Level Security in Postgres. Every table enforces a policy at the database level that scopes queries to the signed-in user’s ID. Even if a bug in our code tried to read someone else’s data via the public API, the database itself would reject the query.
- Service-role key never touches the browser. The privileged key that bypasses Row-Level Security only lives in our backend environment. Every server endpoint that uses it first validates your JWT and scopes the query to your user ID before doing anything.
- TLS in transit, AES-256 at rest. Standard cloud database posture — data is encrypted on disk by Supabase, and every connection between your browser, our API and the database uses TLS 1.3.
- Field-level encryption for the most sensitive items. Affiliate payout details (sort code, account number, PayPal email), Google Sheet IDs and a few other high-risk fields are additionally encrypted with AES-256-GCM before they hit the database. That means a database compromise alone doesn’t reveal them — an attacker would need a separately-held encryption key as well.
- No third-party data sharing. Your numbers aren’t sent to analytics SDKs, advertising networks, chat-with-your-data LLM providers that persist context, or any other downstream system. The two external services we use are Stripe (for billing — never sees your financial data) and Anthropic Claude (for AI features — calls are stateless and not retained for training).
- Admin access is consent-gated and audited. An admin (currently just the founder) cannot read your financial profile, transactions or AI chat history without first requesting a one-hour grant that you have to approve from your account page. Every grant and every read under that grant is logged forever — you can see exactly when someone looked at your data and why.
Where the realistic risks actually are
The honest version: any system that lets a server do useful things with your data has a window where that data is accessible. Layered defences reduce the surface; they don’t eliminate it. The four real risks, ranked by likelihood:
| Risk | What would happen | What we do about it |
|---|---|---|
| Your email account is compromised | Attacker requests a magic link, signs into your No More Winging It account | Enable two-factor authentication on your No More Winging It account (Account → Two-factor authentication). Magic-link sign-in alone is then no longer enough — a 6-digit code from your authenticator app is also required. |
| Our service-role key leaks (Vercel account breach, accidental logging, supply-chain attack) | Attacker can read any row in the database for as long as the key is valid | 2FA on Vercel + GitHub + Supabase, restricted account access, periodic key rotation, monitoring of unusual query patterns |
| Supabase admin login is compromised | Same as above — full DB access through the dashboard | 2FA enforced on the Supabase account |
| Code bug bypasses Row-Level Security | Cross-user data exposure via a specific endpoint | Parameterised queries everywhere, code review on every PR, and a planned annual independent penetration test once we have early traction |
What you can do
The two biggest improvements to your account security are both quick:
- Enable two-factor authentication on your No More Winging It account. Account → Two-factor authentication → Enable, then scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, Apple Passwords — any TOTP app works). Future sign-ins ask for a 6-digit code after the magic link. This neutralises the email-account-compromise risk at the top of the table above.
- Strong password and 2FA on your email account. Even with our 2FA on, your email is still the recovery path for many other services. Gmail, Outlook, iCloud all support authenticator-app 2FA — turning it on takes two minutes.
- Use a password manager so every password is unique and strong. 1Password, Bitwarden and the browser-built-in managers (Chrome, Safari) all work fine.
- Be alert to phishing. We will never email you asking for a password (you don’t have one), bank details, or to “verify” via a different URL than nomorewingingit.ai. If something looks off, forward it to nick@nomorewingingit.ai and we’ll confirm.
We deliberately don’t offer SMS as a second factor. SIM-swap fraud — where an attacker convinces the carrier to port your number to a new SIM — is routine in the UK, and SMS codes are the first thing the attacker captures. Authenticator apps (and on iOS, your built-in Passwords app) tie the second factor to a device you control, which closes that hole. If we offered SMS as a fallback for “low-friction” users we’d be giving them weaker protection while letting them believe they were protected.
What we deliberately don’t do
- We don’t store your bank credentials. We don’t use Open Banking screen-scraping or credential-sharing aggregators. Transactions get into the app either by you uploading a statement (the AI extracts the transactions and we then discard the file) or by manual entry. There is no login to your bank stored anywhere in our system.
- We don’t move money. No payments, transfers or trades happen through us. Stripe handles your subscription payments to us and never gives us your card details.
- We don’t sell or share your data. Not to advertisers, not to data brokers, not to affiliate partners, not to anyone. This is in the Privacy Policy in legal terms; this page is the plain-English version.
What zero-knowledge would mean (and why we’re not)
Some products — password managers, encrypted notes apps like Standard Notes — encrypt everything client-side with a key derived from your password. The server only ever sees encrypted blobs. That model is excellent for opaque storage but breaks if the server needs to do anything with the data: calculate aggregates, run projections, surface intelligence, search. You can’t compute your net worth across all your accounts if the database can’t read the numbers in those accounts.
Because No More Winging It’s value is calculation — the daily intelligence feed, the AI chat that knows your figures, the 60% tax-trap analysis, the pension projection — we run a layered defence-in-depth model instead. The same model your bank’s online banking, every budgeting app on the market, and every accountancy SaaS use.
Reporting a security issue
If you find a vulnerability, please email nick@nomorewingingit.ai with the subject “Security report”. We acknowledge within 24 hours and aim to fix anything material within 7 days. We don’t yet run a paid bug bounty programme but we will credit researchers publicly with permission, and we take responsible disclosure seriously.
Roadmap
- Done: 2FA on user accounts via authenticator apps (TOTP)
- Backup recovery codes for 2FA (currently lost-device reset is operator-mediated — email Nick)
- Passkey support as an alternative second factor
- Independent penetration test once we have meaningful traction (target: first half of 2027)
- SOC 2 Type 1 if and when growth or partnerships require it
This page is a plain-English supplement to our Privacy Policy and Terms. If anything here conflicts with those, those are the binding documents.