Security
How we protect your account, your API keys, and your trading data.
Authentication
Powered by Supabase Auth with Google OAuth and email/password. Sessions use secure JWTs with automatic expiry.
Row-Level Security
Every database table uses Postgres RLS policies. Your data is only accessible to your account — not to other users or even our support staff without audit logging.
API Key Storage
Your Finnhub API key is stored encrypted at rest in Supabase and cached in localStorage. It is never logged, never sent to our servers unencrypted, and never shared.
HTTPS Only
All connections to Arowana Profits are encrypted via TLS. We enforce HTTPS site-wide with no fallback to HTTP.
No Third-Party Ads
We use zero advertising pixels, trackers, or analytics that share your data with third parties. No Google Ads, no Facebook Pixel, no data brokers.
Responsible Disclosure
Found a security vulnerability? Please contact us through the contact page before public disclosure. We take all reports seriously.
What we store
- Account data — Email, name, Pro status. Stored in Supabase with RLS.
- API keys — Your Finnhub key, encrypted at rest, scoped to your account only.
- Tool data — Watchlists, journal entries, wheel cycles. Stored locally (localStorage) or optionally synced to Supabase.
- AI chat history — Not stored server-side. Arowana Trader and Portfolio Advisor have no memory between sessions unless you explicitly paste prior context.
What we do NOT store
- Your brokerage credentials or account numbers
- Your actual trade executions (journal entries are self-reported)
- Payment card details (handled by Stripe, PCI-compliant)
- Device fingerprints or behavioral tracking data
Your responsibilities
Keep your password strong and unique. Do not share your account. Your Finnhub API key is free-tier (read-only market data) — it cannot execute trades — but treat it like any API credential. If you suspect your account is compromised, change your password immediately and contact us.