Twiggybank

Chapter 03 · Security

What we hold, and how we hold it.

Twiggybank is not a real bank, and that simplifies the security posture more than you’d guess. No funds to move. No card numbers to lose. No payment rails to abuse. The data we do hold is a small ledger and the names attached to it, and we treat it with the care that family records deserve.

We do hold

Family
A family name, a currency, a time zone, and your chosen configuration (allowance schedules, saving interest rate, bucket labels).
People
An email address for each parent. A display name and an optional birthday for each kid. A chosen color or emoji, if you set one.
Ledger
Every journal entry your family posts — payday, interest, transfer, void. Immutable once posted. Sized in integer cents of your family currency.
Auth metadata
Session tokens and password hashes managed by our auth provider. Standard browser cookies for keeping you signed in.

We do not hold

Card numbers
We never see or touch a card. No PCI scope.
Bank accounts
No ACH, no balances at any real institution. Nothing to drain.
Real money
Every figure in the ledger is monopoly money. There is no cash to take.
Behavioural data
No advertising profile, no third-party trackers, no resale of anything we collect.
Photos of children
Only display names. No image uploads of kids in v1.

How we protect it

Boring is the goal.

Twiggybank runs on well-trodden infrastructure. We have not invented our own crypto, our own auth, or our own database. The less novelty in the stack, the more the security guarantees come from the people who do this for a living.

Hosting
The web app is deployed on Vercel; the database is managed Postgres hosted by Supabase. Both encrypt data at rest by default and serve all traffic over TLS.
Isolation between families
Postgres row-level security policies tie every read and write to your family ID. There is no API path that can ask for another family's data — the database refuses before the app ever sees the request.
Authentication
Passwords are never stored in plaintext; auth is handled by Supabase Auth, which uses industry-standard hashing and short-lived session tokens.
Transport
HTTPS everywhere. Cookies are marked secure and HttpOnly. No mixed-content surfaces.
Ledger immutability
Posted entries cannot be edited from any client. Corrections are voids, which append a reverse entry. Tampering would require database access we do not give to ourselves casually.
Least privilege
The service key that can bypass row-level security never ships to the browser or mobile app. It lives only on the server, scoped to specific operations.
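The isolation and immutability guarantees above are the kind of thing a reader can check in the database itself. The following is an added example of how both are commonly expressed in Postgres on Supabase; it is not Twiggybank's own schema. The table and column names (family_members, journal_entries, family_id, amount_cents, voids) and the post_void function are assumptions made for illustration. auth.uid() is the Supabase helper that returns the signed-in user's id.

```sql
-- Added example, not Twiggybank's schema. Table, column and function names
-- (family_members, journal_entries, family_id, amount_cents, voids, post_void)
-- are assumptions; auth.uid() is the Supabase helper for the current user.

create table family_members (
  user_id   uuid not null,            -- Supabase auth user
  family_id uuid not null,
  primary key (user_id, family_id)
);

create table journal_entries (
  id           bigserial primary key,
  family_id    uuid not null,
  kind         text   not null check (kind in ('payday', 'interest', 'transfer', 'void')),
  amount_cents bigint not null,       -- integer cents of the family currency, never floats
  voids        bigint references journal_entries(id),  -- set only on 'void' rows
  posted_at    timestamptz not null default now()
);

-- Each posted entry can be voided at most once; a second void fails on this index.
create unique index journal_entries_one_void on journal_entries (voids) where voids is not null;

-- 1. Isolation between families: every read and write must match a family the
--    caller belongs to. FORCE makes the policies apply to the table owner as well.
alter table journal_entries enable row level security;
alter table journal_entries force row level security;

create policy family_read on journal_entries
  for select using (
    family_id in (select family_id from family_members where user_id = auth.uid())
  );

create policy family_insert on journal_entries
  for insert with check (
    family_id in (select family_id from family_members where user_id = auth.uid())
  );

-- There is deliberately no UPDATE or DELETE policy: with RLS enabled and no
-- matching policy, Postgres refuses those statements for client roles outright.

-- 2. Ledger immutability, enforced even for roles that bypass RLS:
create or replace function journal_entries_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'journal entries are immutable; post a void instead';
end;
$$;

create trigger journal_entries_no_change
  before update or delete on journal_entries
  for each row execute function journal_entries_immutable();

-- 3. A correction is a void: a new row that reverses the original amount.
--    SECURITY INVOKER keeps the caller's RLS in force inside the function, so
--    an entry from another family is simply not found.
create or replace function post_void(original_id bigint) returns bigint
language plpgsql security invoker as $$
declare
  orig   journal_entries%rowtype;
  new_id bigint;
begin
  select * into orig from journal_entries where id = original_id;
  if not found then
    raise exception 'entry % is not visible to this family', original_id;
  end if;
  if orig.kind = 'void' then
    raise exception 'a void cannot itself be voided';
  end if;

  insert into journal_entries (family_id, kind, amount_cents, voids)
  values (orig.family_id, 'void', -orig.amount_cents, original_id)
  returning id into new_id;
  return new_id;
end;
$$;
```

Two design points are worth noting. The RLS policies are the only path a client has to a row, and the absence of an update or delete policy is itself the rule that makes posted entries read-only from every client. The trigger is the second layer: it catches the service-role or migration path that RLS does not govern, so "tampering would require database access" means dropping the trigger first, which is a visible, auditable act rather than a quiet edit.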

Kids

The smaller set.

We collect the minimum from children. Display name. An optional birthday. A chosen color. Whatever transactions a parent (or, if the parent allows it, the kid) posts to the family ledger. No real names beyond the display name, no contact information, no advertising data.

Read our children’s privacy notice →

Honest about what we don’t do yet

We’ll get to it.

We are a small project. We do not yet offer two-factor authentication, hardware-key sign-in, audit-log export to parents, or SOC 2 certification. None of these are off the table; none of them are shipped. We’d rather tell you that than imply otherwise.

Reporting an issue

We want to hear it.

If you’ve found something that looks like a vulnerability, email security@twiggybank.com. Please give us a chance to look at it before publishing details. We’ll respond within a few days and credit you, if you’d like the credit.