Privacy & Security

How we protect your portfolio data

The Short Version

Your portfolio data is encrypted on your device before it ever reaches our servers. We store only scrambled data that looks like random characters. Without your passphrase, nobody can read your holdings — not even us.

How Your Data is Protected

Your Device (where encryption happens)

Your portfolio data (10 oz Gold, $2,650/oz) is encrypted with your passphrase and becomes unreadable: aGVsbG8gd29ybGQh Kx7mN9pQ2vL3...

Our Servers (only stores encrypted data)

aGVsbG8gd29ybGQh... We cannot read this.

Diagram legend: Secure (on your device), Encrypted only

What We Cannot See

  • Which metals you own
  • How much of each metal you have
  • Your purchase prices
  • Your purchase dates
  • Your notes
  • Your total portfolio value

What We Can See

  • Your email (for login)
  • That you have a portfolio (not its contents)
  • Encrypted data (unreadable without your passphrase)
  • When you last accessed your portfolio

How the Encryption Works

1. You create a passphrase

When you first add a holding, you'll create a secret passphrase. This is like a password, but you can make it longer and easier to remember (like a sentence).

2. Your passphrase derives a unique encryption key

Your passphrase is turned into an encryption key with PBKDF2-SHA256 at 310,000 iterations (OWASP 2023 recommendation). Because every guess at your passphrase has to repeat all of those iterations, brute-force attacks against a strong passphrase become computationally infeasible, even with powerful hardware.

3. Your data is encrypted on your device

Before any data leaves your phone or computer, it's encrypted using AES-256-GCM (authenticated encryption) — the same standard used by banks and governments. Each holding uses a unique random IV, and the authentication tag ensures data integrity.

4. Only scrambled data reaches our servers

We only ever receive and store the encrypted version. Even if someone broke into our database, they would only find gibberish that's impossible to decode without your passphrase.

5. You unlock it each session

When you want to view your portfolio, you enter your passphrase. Your device downloads the encrypted data and decrypts it locally — we never see the unencrypted version.
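The five steps above, as an added sketch that is not this site's own code: it uses Node's built-in crypto module with the parameters this page names (PBKDF2-SHA256, 310,000 iterations, AES-256-GCM, a fresh random IV per holding). The 16-byte salt, the 12-byte IV, the passphrase normalization, the record layout and the function names are assumptions.

```javascript
// Added example. Salt size, IV size and record layout are assumptions.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 310000; // iteration count stated on this page
const KEY_BYTES = 32;      // AES-256
const IV_BYTES = 12;       // 96-bit IV, the usual size for GCM (assumption)

// Step 2: passphrase -> key. The salt is not secret and would be stored
// next to the ciphertext (assumption; the page does not describe the salt).
function deriveKey(passphrase, salt) {
  // NFKC so the same sentence typed on two devices yields the same key.
  const normalized = passphrase.normalize("NFKC");
  return nodeCrypto.pbkdf2Sync(normalized, salt, ITERATIONS, KEY_BYTES, "sha256");
}

// Step 3: encrypt one holding under a fresh random IV.
function encryptHolding(key, holding) {
  const iv = nodeCrypto.randomBytes(IV_BYTES);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(holding), "utf8"), cipher.final()]);
  // Step 4: only these three opaque fields would be uploaded.
  return {
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Step 5: decrypt locally. Returns null when the tag check fails, which is
// what happens with a wrong passphrase or a modified record.
function decryptHolding(key, record) {
  try {
    const iv = Buffer.from(record.iv, "base64");
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAuthTag(Buffer.from(record.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, "base64")), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null;
  }
}

// Constructed sample data, mirroring the holding shown in the diagram.
const demoSalt = nodeCrypto.randomBytes(16);
const demoKey = deriveKey("a long sentence only I know", demoSalt);
const demoRecord = encryptHolding(demoKey, { metal: "XAU", ounces: 10, pricePerOz: 2650 });
console.log("stored on server:", demoRecord);
console.log("decrypted locally:", decryptHolding(demoKey, demoRecord));
```

The `null` return is the only signal a client gets for both a wrong passphrase and a corrupted record; GCM does not distinguish the two.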

Important Things to Know

Remember your passphrase: If you forget it, there's no way to recover your data. We don't store your passphrase and cannot reset it for you.

No recovery option: This is by design. If we could recover your data, so could a hacker. Your security is our priority.

Vault reset: If you forget your passphrase, you can reset your vault, but this will permanently delete all your portfolio data.

Have questions about our security practices? Email us at metalchartsorg@gmail.com