Last updated · June 27, 2026

How we protect your data

Your trades and your account are yours. Here's plainly how Mirrored keeps them safe — accurate to how the app actually runs today.

Your data is isolated from everyone else's

Every row of your data — trades, notes, prop-firm accounts — is tied to your account and walled off at the database level (Postgres row-level security on Supabase). It isn't just the app being careful: the database itself refuses to hand one person another person's data. No other customer can ever see your numbers.

We never see your card

All payments run through Stripe. Your card number and security code go straight to Stripe and never touch our servers — we only ever see a reference ID for your subscription. Stripe is a PCI-DSS Level 1 provider, the highest tier, and handles the card data so we don't have to.

Broker connections are read-only — and encrypted

  • When broker auto-sync launches, connecting a broker grants a read-only token: it can pull your fills and nothing else. It cannot place trades, move funds, or withdraw.
  • Those tokens are encrypted at rest with AES-256-GCM (authenticated encryption) before they're stored, in a table that's only reachable by our server — never the browser.
  • You can disconnect a broker at any time, which revokes the token.

Encrypted in transit

Every connection to Mirrored is served over HTTPS and enforced with HSTS, so traffic between your device and us is encrypted and can't be downgraded.

Two-factor login

You can turn on two-factor login (TOTP) from Settings → Security. After your password, sign-in then asks for a rolling 6-digit code from an authenticator app — so a stolen password alone isn't enough to get in. We strongly recommend it.

Sign-in & passwords

Authentication is handled by Supabase. We never store your password in readable form — it's salted and hashed by Supabase. You can also use Sign in with Google, in which case Google verifies you and we never see a password at all.

Found a security issue?

Please tell us. Email david@mirrored.online or see our disclosure policy at mirrored.online/.well-known/security.txt. We read every report and respond personally.

Plain-language policy for Mirrored. Not legal advice; for your specific situation, consult a professional. No hype, no signals — just your numbers.