Security
How we protect your data
invest-like is built solo by Zaid Ghazal in Kiel, Germany. The product handles investing-research data, not financial accounts or trades — but you still trust us with your email and your watchlist. Here's the posture, with no hand-waving.
EU-hosted infrastructure
- Database: Supabase, Frankfurt (eu-central-1) region. Postgres with row-level security enabled on every table that holds user data.
- App + edge: Vercel, deployed to a Frankfurt-pinned region (fra1) so SSR requests stay inside the EU.
- Email: Resend (US-headquartered, EU-region delivery). Required for transactional and onboarding email; the only user-data point transmitted is your email address.
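As an added illustration of the row-level-security setup described above (this is example SQL written for this page, not invest-like's own schema or migrations), here is how a per-user table is locked down on Supabase Postgres. The `watchlist` table and its columns are assumptions; `auth.uid()` is Supabase's helper that returns the calling user's id from the request JWT, and `authenticated` is Supabase's built-in role for signed-in users.

```sql
-- Added example: hypothetical "watchlist" table, not invest-like's schema.
create table if not exists public.watchlist (
  id          bigint generated always as identity primary key,
  user_id     uuid not null references auth.users (id) on delete cascade,
  ticker      text not null,
  created_at  timestamptz not null default now()
);

-- Turn RLS on. With no policies yet, the anon/authenticated roles see
-- no rows at all; only the service role bypasses RLS.
alter table public.watchlist enable row level security;

-- Each signed-in user may read only rows they own.
create policy "watchlist: owner can select"
  on public.watchlist for select
  to authenticated
  using (auth.uid() = user_id);

-- Inserts are accepted only when user_id is the caller's own id,
-- so a client cannot write rows under someone else's account.
create policy "watchlist: owner can insert"
  on public.watchlist for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Updates must both target an owned row and leave it owned by the caller.
create policy "watchlist: owner can update"
  on public.watchlist for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "watchlist: owner can delete"
  on public.watchlist for delete
  to authenticated
  using (auth.uid() = user_id);

-- Audit check for the "every table that holds user data" claim:
-- lists any table in the public schema that still has RLS switched off.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Two caveats a reviewer would check: the final query should return no rows for any schema that holds user data, and the Supabase service-role key (which bypasses RLS) must only ever be used server-side, never shipped to the browser. The `on delete cascade` on `user_id` is also what makes an account deletion remove the user's rows in one step.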
Encryption
- In transit: TLS 1.3 (HSTS enforced). The site won't serve HTTP at all.
- At rest: AES-256 on the Supabase database volume.
- Passwords: Hashed via Supabase Auth (bcrypt). We can't see your password. We also offer Google sign-in and magic-link login if you prefer to skip passwords entirely.
Payments
Stripe handles all payment processing. invest-like servers never see your card number, CVV, or full billing details — that data lives only with Stripe (PCI DSS Level 1, the highest certification). We receive only a customer ID and the subscription status. If we're ever compromised, your card data isn't there to leak.
Your data, your control (GDPR)
- Export: Your watchlist, settings, and account history are exportable from /settings any time. JSON format, you keep a copy.
- Delete: Account deletion is one click from /settings. Triggers a cascading wipe of profile, watchlist, alert preferences, and Stripe customer record within 24 hours.
- No sale of data: We do not sell, share, or syndicate user data to third parties. We do not run third-party ad pixels.
- Analytics: PostHog (EU-hosted instance) for product analytics. Pseudonymous user_id, no email or PII in event properties. Sentry for error monitoring with PII scrubbing enabled.
What we don't claim
Honest framing: invest-like is solo-founded and bootstrapped. We don't carry SOC2, ISO 27001, or HIPAA certifications — the cost and audit overhead aren't justified at our scale. We also don't custody assets, execute trades, or hold any financial-account credentials, so the data we hold (email, watchlist, preferences) is narrower than a brokerage's. The protections above are the ones that actually apply to that data.
Responsible disclosure
Found a security issue? Email hello@invest-like.com with details. I read every message and respond within one business day. No bug bounty (yet) — but I'll credit you publicly with your permission, and fix the issue fast.
The security contact is also published at /.well-known/security.txt in the format defined by RFC 9116.
Last reviewed: 24 May 2026. Material changes are versioned in git and announced in the product changelog.