Security & Privacy

Last updated: May 2026

Worthmap is built for globally-mobile investors who need to trust a platform with their full financial picture. This page explains how we protect your data, what we collect, and how to reach us if you discover a security issue.

1. What data we collect

Worthmap collects only what is necessary to operate the platform:

  • Account data — name, email address, and hashed password on registration.
  • Financial data you enter — asset values, holdings, currencies, and goals. For free-tier users this data lives in your browser's localStorage and is never sent to our servers unless you opt into cloud sync.
  • Usage analytics — anonymised page views and feature interactions to improve the product. No personal or financial values are included.
  • Support messages — emails and form submissions you send us directly.

Free-tier financial data is stored locally on your device. We do not have access to your portfolio numbers unless you explicitly enable cloud backup.

2. Encryption in transit and at rest

All connections to Worthmap use HTTPS with TLS 1.3. Our infrastructure is served through Cloudflare, which enforces modern cipher suites and provides DDoS protection as a default layer.

Pro-account cloud backups are encrypted before leaving your device using AES-256. Keys are derived from your account credentials; Worthmap staff cannot decrypt your stored portfolio values.

3. No data selling — ever

Worthmap does not sell, rent, or trade your personal data or financial data to third parties for any purpose — including advertising, analytics resale, or marketing. This is a foundational product principle, not just a legal clause.

We use a small number of third-party services (hosting, error monitoring, analytics) bound by data-processing agreements that prohibit them from using your data for their own purposes. A full list is available in our Privacy Policy.

4. Account security tips

The strongest security measure is one you control. We recommend:

  • Use a unique password not shared with any other service. A password manager (Bitwarden, 1Password) makes this easy.
  • Enable two-factor authentication (2FA) in your account settings once it is available — it stops credential-stuffing attacks even if your password leaks elsewhere.
  • Never share your login credentials — Worthmap staff will never ask for your password by email or phone.
  • Log out of shared or public devices after each session.
  • Keep your registered email account secure — it is the recovery path for your Worthmap account.

5. Cookies and tracking

Worthmap uses a minimal set of cookies:

  • Session cookies — required for authentication. Expire when you close the browser.
  • Preference cookies — remember language and theme settings across visits.
  • Analytics cookies — anonymised, aggregated usage data. No cross-site tracking.

We do not use advertising cookies or sell cookie data. For full details see our Privacy Policy §7.

6. Contact for security issues

If you believe you have found a security vulnerability in Worthmap, please email us before disclosing it publicly:

Security email: [email protected]

For general support or privacy questions: [email protected]

7. Responsible disclosure policy

We welcome security researchers who responsibly help us keep Worthmap safe. If you find a vulnerability:

  • Email [email protected] with a clear description, steps to reproduce, and any supporting evidence (screenshots, logs, proof-of-concept).
  • Give us reasonable time to investigate and resolve the issue before any public disclosure — we aim to acknowledge all reports within 48 hours and provide a fix timeline within 7 business days.
  • Do not access, modify, or delete other users' data during your testing.
  • Do not perform denial-of-service testing or social engineering against Worthmap users or staff.

Researchers who responsibly disclose valid vulnerabilities will be credited in our security changelog (with your permission).