# worthi security and privacy

> Public security information for a manual-first finance product that protects sensitive fields with application-level envelope encryption and per-user data keys.

- Canonical URL: https://www.worthi.app/security
- Product: worthi
- Content reviewed: July 15, 2026

## Security model

worthi uses HTTPS in transit and application-level envelope encryption for sensitive finance fields before ordinary database storage. The current field-encryption implementation uses AES-256-GCM authenticated encryption and a separate data encryption key for each user. The database stores a wrapped version of that user key.

Encrypted values use unique initialization vectors and authenticated metadata tied to the user, record type, field, and encryption version. This context helps detect altered ciphertext and makes copying an encrypted field into a different context fail authentication.

## Protected information

Protected fields include financial names, notes, labels, asset descriptions, holdings, transaction details, recurring-rule details, and financial-history labels. Shared reference data such as currencies and market symbols may remain searchable so the product can perform FX and quote lookups.

## User isolation

Server-side data access scopes user-owned accounts, assets, holdings, transactions, recurring rules, categories, settings, and history to the authenticated account. Web access uses private email sign-in and server-side sessions. The official mobile client uses verified authentication and mobile sessions.

## Reduced credential exposure

worthi is manual-first and does not ask for bank, brokerage, or card login credentials. Market and FX integrations use reference information such as public symbols, exchanges, dates, and currency codes rather than a user's financial-institution password.

## Payments

Web payments are processed through Stripe Checkout. Mobile purchases use app-store payment infrastructure with entitlement validation through RevenueCat. worthi stores billing and access status but does not store full payment-card numbers.

## Important limitation

No online service can be guaranteed perfectly secure. Encryption is one layer of the security model and does not replace access control, secret management, monitoring, backups, dependency updates, or incident response.

## Frequently asked questions

### How are sensitive finance fields protected?

They are encrypted with application-level envelope encryption before ordinary database storage. The current implementation uses AES-256-GCM and per-user data keys.

### Does worthi need bank credentials?

No. A user can build a net worth dashboard without bank, brokerage, or card login credentials.

### Does worthi store card details?

No full card numbers are stored by worthi. Payment details are handled by Stripe or app-store payment infrastructure.

### What does tamper-aware encryption mean here?

Encrypted values include authenticated metadata tied to the user, record type, field, and encryption version. Altered or copied ciphertext should fail authentication in the wrong context.

## Related documentation

- [Privacy policy](https://www.worthi.app/privacy/index.html.md)
- [Product overview](https://www.worthi.app/index.html.md)
- [Private finance dashboard](https://www.worthi.app/private-finance-dashboard/index.html.md)
- [Support](https://www.worthi.app/support/index.html.md)
