Privacy & Security

Privacy Policy & Security Practices

Last updated: March 2026

Overview

FireRunway is a personal financial dashboard that helps you track your path to financial independence. We take your privacy and security seriously and are committed to protecting your personal and financial information. This policy describes what data we collect, how we use it, how we protect it, and your rights regarding your data.

Information We Collect

We collect only the data necessary to provide our service:

  • Account Information: Name, email address, and profile photo from your Google account when you sign in via Firebase Authentication.
  • Financial Data: Portfolio holdings, account balances, real estate values, RSU grants, income, and spending information you provide or connect via read-only brokerage integrations (SnapTrade, Plaid).
  • Uploaded Documents: Brokerage statements and tax documents you upload for AI-powered extraction. Documents are processed in-memory and are not permanently stored after extraction.
  • Usage Data: Basic analytics to improve the product experience. We do not use third-party tracking pixels or advertising SDKs.

How We Process & Use Your Data

Your data is processed solely to power your personal financial dashboard:

  • Collection: Financial data is collected via authenticated, read-only API connections to SnapTrade and Plaid. We never access your bank login credentials — authentication is handled entirely by these providers using OAuth.
  • Processing: Data is used to calculate net worth, FIRE score, projections, and AI-powered insights via Google Gemini. AI analysis is performed on-demand and is not used to train models.
  • Storage: Processed financial data is stored in Supabase (PostgreSQL) with row-level security policies ensuring users can only access their own data.

We never sell your data.

Your financial information is used solely to power your personal dashboard. We do not monetize, sell, or share your data with advertisers or data brokers.

Encryption & Data Security

We implement industry-standard security controls to protect your data at every layer:

Data in Transit

  • All data transmitted between your browser and our servers uses TLS 1.2 or higher.
  • API connections to third-party services (Plaid, SnapTrade, Gemini) use HTTPS with certificate validation.

Data at Rest

  • Database storage is encrypted at rest using AES-256 via Supabase's managed PostgreSQL infrastructure.
  • API keys and secrets are stored as environment variables, never committed to source code.

Authentication

  • User authentication is handled by Firebase Authentication (Google) with industry-standard OAuth 2.0 flows.
  • Server-side API routes verify Firebase ID tokens on every request.
  • No passwords are stored — authentication is delegated to Google's identity platform.

Access Management

  • Row-Level Security: Database queries are scoped to the authenticated user's UID via Supabase RLS policies. Users cannot access other users' data.
  • Read-Only Brokerage Access: Brokerage connections via SnapTrade and Plaid are strictly read-only. We cannot move money, execute trades, or modify your accounts in any way.
  • Principle of Least Privilege: Server-side service accounts have the minimum permissions required to perform their function.
  • No Shared Credentials: All system access uses unique credentials. Secrets are rotated periodically.

Network & Infrastructure Security

  • Hosting: The application is deployed on managed cloud infrastructure with built-in DDoS protection, firewall rules, and automatic security patching.
  • No Direct Database Access: The database is not exposed to the public internet. All data access goes through authenticated API routes.
  • CORS Policies: API routes enforce strict Cross-Origin Resource Sharing rules to prevent unauthorized cross-site requests.
  • Dependency Management: Dependencies are regularly audited for known vulnerabilities.

Third-Party Services & Vendor Management

We integrate with the following vetted third-party services. Each vendor has been selected for their strong security posture:

Firebase (Google): Authentication and identity management. SOC 2 Type II certified. ISO 27001 compliant.
Supabase: Secure PostgreSQL database with row-level security, encrypted at rest, and SOC 2 Type II certified.
Plaid: Bank account and transaction data aggregation. SOC 2 Type II certified. Read-only OAuth access. No bank credentials stored.
SnapTrade: Brokerage account connections. Read-only access via industry-standard OAuth. No trading credentials stored.
Google Gemini: AI-powered financial analysis. Data sent to Gemini is not used to train models per Google's API data usage policy.
Formspree: Contact form submissions only. No financial data is transmitted.

All vendor integrations are reviewed for security compliance. Confidential information shared with vendors is governed by their respective data processing agreements.

Incident Response

  • Monitoring: Application errors and security events are logged and monitored.
  • Response: In the event of a data breach, affected users will be notified within 72 hours with details of the breach and remediation steps taken.
  • Post-Incident: All security incidents are reviewed with a post-mortem to prevent recurrence.

Change Management

  • All code changes are version controlled via Git and reviewed before deployment.
  • Production deployments go through CI/CD pipelines with automated builds and linting.
  • Environment-specific configurations are managed through environment variables, never hardcoded.

Your Rights

You have the following rights regarding your data:

  • Access: You can view all data we hold about you directly in your dashboard.
  • Correction: You can update your profile, financial data, and connected accounts at any time.
  • Portability: Your financial data is accessible through your connected account providers.
  • Revocation: You can disconnect brokerage accounts at any time, immediately revoking our read-only access.
  • Deletion: You can request complete deletion of your account and all associated data.

Data Deletion

You can request deletion of your account and all associated data at any time by contacting us via our contact page. Upon receiving your request:

  • All brokerage connections will be immediately revoked.
  • Your financial data, uploaded documents, and profile will be permanently deleted from our database within 30 days.
  • Backups containing your data will be purged on the next retention cycle.

Questions?

If you have any questions about this privacy policy or our security practices, please get in touch. We are committed to transparency and will be happy to address any concerns.

FireRunway — Financial Independence Dashboard

© 2026 Gunaratne. All rights reserved.