Security at Luminoly
We understand that trusting a platform with your financial data is a big deal. Here is exactly how we protect it.
Encryption in transit & at rest
All traffic between your device and Luminoly is encrypted in transit with TLS (HTTPS). Your data is encrypted at rest in our database. Passwords are hashed with bcrypt, a salted and deliberately slow hash; we never store them in plain text.
Read-only bank access
Bank sync uses PSD2-regulated open banking APIs (via Enable Banking, listed under Sub-processors below). Luminoly requests only account-information consent, which is read-only access to your transaction history and balances. Payment initiation requires a separate consent that we never request, so the access we hold cannot be used to initiate payments or move money. You authenticate directly with your bank, so your banking credentials are never shared with or stored by Luminoly.
Secure infrastructure
Your data is hosted on Supabase, a SOC 2 Type II certified infrastructure provider with data centres in the EU. Database access is strictly restricted and audited. We apply the principle of least privilege to all internal services.
GDPR compliance
Luminoly is fully compliant with the EU General Data Protection Regulation. You can request a copy of your data, correct inaccuracies, or permanently delete your account and all associated data at any time.
Secure authentication
Authentication is handled by Supabase Auth, with support for OAuth providers. Sessions use short-lived access tokens that are renewed through refresh tokens, and refresh tokens are rotated automatically. You can sign out of all devices at once.
Payment security
All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. Card details are collected and processed by Stripe, so Luminoly never sees or stores your full card number; all sensitive payment data stays within Stripe's certified environment.
Our security practices
Beyond our core infrastructure, we follow security best practices across the entire development lifecycle.
Dependency vulnerability scanning on every deployment
Rate limiting and abuse protection on all API endpoints
Error monitoring via Sentry with no PII in error logs
Regular security reviews of third-party integrations
Principle of least privilege for all internal service access
Data processing agreements in place with all sub-processors
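The error-monitoring item above promises no PII in error logs. As an added example (not Luminoly's own code), this is the shape of a scrubbing hook that enforces that promise before an event leaves the service: it walks the event, masks e-mail addresses, IBANs and card numbers wherever they appear in free text, and drops values under known-sensitive keys outright. The patterns, the key names and the sample event are constructed assumptions, not Luminoly's schema.

```python
import re
from typing import Any

# Constructed patterns for data a finance app is likely to leak in an exception
# message: e-mail addresses, IBANs and card numbers. They are deliberately broad,
# since masking a harmless string costs far less than shipping an IBAN to a
# third party. Key names below are assumptions, not Luminoly's schema.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Values under these keys are dropped outright, whatever they contain.
SENSITIVE_KEYS = {"email", "password", "iban", "account_number",
                  "authorization", "cookie", "set-cookie"}


def scrub_text(text: str) -> str:
    """Mask free-text occurrences of e-mails, IBANs and card numbers."""
    text = EMAIL_RE.sub("[email]", text)
    text = IBAN_RE.sub("[iban]", text)  # before CARD_RE: IBANs carry long digit runs
    text = CARD_RE.sub("[card]", text)
    return text


def scrub(value: Any) -> Any:
    """Recursively scrub an event: strings are masked, sensitive keys redacted.
    Returns a new structure; the input event is left untouched."""
    if isinstance(value, str):
        return scrub_text(value)
    if isinstance(value, dict):
        return {
            k: "[redacted]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    return value


def before_send(event: dict, hint: Any = None) -> dict:
    """Hook with the signature Sentry's SDK expects for before_send(event, hint):
    return the event to send, or None to drop it. Here it always returns a
    scrubbed copy."""
    return scrub(event)


# Constructed sample event in the shape the SDK passes to before_send.
SAMPLE_EVENT = {
    "message": "Sync failed for jane.doe@example.com on DE89370400440532013000",
    "extra": {"email": "jane.doe@example.com",
              "card": "4242 4242 4242 4242",
              "provider": "Enable Banking"},
    "request": {"headers": {"Authorization": "Bearer secret-session-token"}},
}

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT))
```

In a real service the hook is registered at startup with `sentry_sdk.init(before_send=before_send, send_default_pii=False)`; both parameters exist in the Python SDK, and the second one keeps the SDK from attaching user identifiers on its own. The patterns err on the side of masking: a 13-digit timestamp in a message would be replaced by `[card]`, which is the right failure direction for an error pipeline, and the key-based redaction catches values (tokens, cookies) that no pattern would recognise.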
Sub-processors
We work with the following trusted third-party providers. Each is bound by a Data Processing Agreement (DPA) and GDPR obligations.
| Provider | Role |
|---|---|
| Supabase | Database & authentication hosting |
| Stripe | Payment processing |
| Enable Banking | PSD2 bank connectivity |
| Anthropic | AI insights (no data retention) |
| Sentry | Error monitoring |
Found a security issue?
We take security reports seriously. If you believe you've discovered a vulnerability, please disclose it responsibly by emailing security@luminoly.com. We aim to respond within 48 hours.
Report a vulnerability: security@luminoly.com