Security & Privacy
Your data is not our product.
ETFLens is a research tool, not an ad platform. Here's exactly how we handle your account, payments and data.
No passwords stored
We use Google OAuth exclusively. Your password lives with Google; ETFLens never sees it.
We never see your card
Payments are handled entirely by Stripe. ETFLens stores only your Stripe customer ID, never card details.
Encrypted in transit
All traffic runs over HTTPS with strict transport security enforced. No plain-text connections accepted.
No data selling
We don't sell, share or monetise your data. ETFLens makes money from subscriptions, not advertising.
Account security
Google OAuth only
No username/password authentication. This means no password database to breach and no credential stuffing attacks possible.
HttpOnly session cookies
Your session token is stored in an HttpOnly cookie, so JavaScript on the page cannot read it, preventing XSS-based session theft.
Sessions expire automatically
Sessions expire after 30 days of inactivity. You are logged out automatically and must re-authenticate.
SameSite cookie protection
Cookies use SameSite=Lax, which prevents them being sent in cross-site requests, blocking most CSRF attacks by default.
Server-side session validation
Sessions are stored in our database, not in a client-side JWT. We can invalidate any session instantly if needed.
Payment security
Powered by Stripe - the same payment infrastructure used by Amazon, Google and Shopify.
We never store card details
When you enter your card, it goes directly to Stripe's servers over an encrypted connection. ETFLens only stores your Stripe customer ID.
PCI DSS compliant payments
Stripe is certified to PCI Service Provider Level 1, the highest level of payment security certification.
Webhook signature verification
Every Stripe webhook is cryptographically verified before we act on it. Fake or tampered webhooks are rejected immediately.
Idempotent payment processing
We track every Stripe event we process so subscription changes are never applied twice, even if Stripe retries delivery.
Payment failure alerts
Failed payments are logged immediately so we can follow up quickly.
Infrastructure
ETFLens is hosted on infrastructure used by some of the world's largest companies.
Hosted on Vercel
Global edge network with automatic HTTPS, DDoS protection and 99.99% uptime SLA.
Database on Supabase (Sydney)
Your data is stored in Supabase's Sydney region, keeping Australian user data in Australia.
Strict content security policy
Our CSP header restricts what scripts and connections are allowed, preventing malicious code injection.
Clickjacking protection
ETFLens pages cannot be embedded in iframes on other sites, blocking clickjacking attacks entirely.
Rate limiting on all endpoints
API routes are rate-limited per IP to prevent abuse. Repeated suspicious requests are blocked automatically.
What we collect and why
We collect the minimum needed to run the service.
Email address
Required for your account. Not shared with third parties.
Name & profile photo
From Google OAuth. Displayed in your account only.
Subscription status
To know whether you have a Pro account.
ETF searches
To improve search quality. Not sold or shared.
Stripe customer ID
To link your account to your subscription. Not a payment method.
What we don't collect
Card numbers, bank account details, tax file numbers, brokerage account details, portfolio holdings, or any other financial account information.
Found a security issue?
If you discover a security vulnerability, please report it directly rather than publicly. We take all reports seriously and will respond within 24 hours.
security@etflens.com.au
We appreciate responsible disclosure. We'll credit you in our changelog if you'd like.