You choose what to provide
OpenFolio can work from manual records, CSV uploads, or optional platform connections. The dashboard is only as complete as the data you choose to enter, import, or connect.
Security and data
OpenFolio handles financial records, so the product is designed around user control, limited data collection, account-level separation, and clear incident response. This page explains the controls we use today and the choices you have as a user.
Last updated: 24 May 2026
OpenFolio can work from manual records, CSV uploads, or optional platform connections. The dashboard is only as complete as the data you choose to enter, import, or connect.
You can avoid direct connections entirely and use CSV imports instead. If you do connect a platform, we ask you to use the lowest-risk permissions available, preferably read-only access.
OpenFolio is designed for tracking, reporting, and analysis. It is not designed to move money, place trades, or withdraw from connected platforms.
Data choices
OpenFolio stores the records needed to show your dashboard, imports, calculations, and account preferences. If you do not enter or import a category, OpenFolio does not know it.
Controls
User-facing database tables are designed around per-user ownership. Supabase row-level security policies help prevent one user from reading or writing another user's records.
Traffic is served over HTTPS. Database and infrastructure providers also use managed encryption controls for data at rest and in transit.
Server secrets are kept outside the browser in environment variables. Service-role credentials are reserved for trusted server-side workflows.
Direct integrations are opt-in. You can revoke credentials at the platform or remove the connection in OpenFolio when you no longer want sync access.
No internet service can guarantee absolute security. We keep the public promise practical: use strong authentication, protect your email account, avoid uploading documents the app does not need, and revoke third-party credentials if you suspect risk.
Data protection
Imports and connections
CSV
Upload files when you want control over exactly what comes into OpenFolio.
API
Connect supported platforms only if you are comfortable with the requested access.
Manual
Enter approximate or selective records where precision is less important to you.
Your OpenFolio values are records you provide or connect. They may be incomplete, stale, estimated, duplicated, or wrong. Always compare important figures against official broker, bank, super fund, tax, and accountant records before making financial decisions.
Australian privacy
OpenFolio is designed with Australian privacy expectations in mind, including data minimisation, access control, correction, deletion, and transparent notices. The formal details live in our Privacy and Data Policy and Terms.
If we suspect a serious security incident, we assess it, contain it, and notify users or regulators where required. Under the Notifiable Data Breaches scheme, assessment should be completed as quickly as practical and within the required 30 calendar day assessment period where it applies.
Operations
If we reasonably suspect compromise, misuse, credential exposure, legal risk, or a threat to users or the service, we may act quickly. That can include pausing imports, disabling integrations, invalidating sessions, rotating secrets, suspending affected accounts, limiting exports, or temporarily taking parts of the service offline while we investigate.
Disclosure
If you believe you have found a vulnerability, email security@openfolio.com.au. Please include enough detail for us to reproduce the issue, avoid accessing other users' data, and avoid destructive testing. We aim to acknowledge good-faith reports promptly and prioritise fixes based on risk.