Your data is safe here.
Financial data is sensitive. Here is exactly how we protect yours.
Encryption in Transit
All communication between your browser and our servers is encrypted using TLS 1.2+. We enforce HTTPS across all endpoints and reject insecure connections.
Password Security
Passwords are never stored in plaintext. Every password is hashed with bcrypt using a per-password salt and a cost factor of 12, so each guess against a leaked hash costs an attacker 2^12 rounds of bcrypt's key setup, which makes large-scale brute-force attacks expensive. Bear in mind that this slows guessing rather than preventing it: a weak or reused password can still be guessed.
Infrastructure
Our servers run on private infrastructure behind a Cloudflare tunnel. Database access is restricted to internal network connections only: the database port is never exposed to the public internet.
No Third-Party Tracking
We have zero analytics trackers (no Google Analytics, Meta Pixel, or similar). No advertising networks have access to your activity on DebtMirror.
Authentication Tokens
Sessions use JWT access tokens with a 7-day lifetime, paired with rotating refresh tokens that last 30 days (each refresh token is replaced when it is used). Logging out immediately invalidates your refresh token server-side.
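An added example, not the site's own code, of the session model described above in standard-library Python: HS256-signed JWT access tokens with a 7-day expiry, opaque refresh tokens kept server-side as SHA-256 digests, single-use rotation, and immediate revocation on logout. The HS256 choice, the hashed refresh-token storage and the signing-key handling are assumptions; the page does not specify them. The `demo()` walk-through also records the caveat that comes with stateless JWTs: an access token minted before logout keeps verifying until its `exp` passes unless the server additionally keeps a denylist.

```python
# Added example (not DebtMirror's code): the access/refresh token model in
# standard-library Python. Assumptions: HS256 JWTs, a per-deployment signing
# key (random here), refresh tokens stored only as SHA-256 digests.
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 7 * 24 * 3600    # access token lifetime: 7 days, as stated on the page
REFRESH_TTL = 30 * 24 * 3600  # refresh token lifetime: 30 days
SIGNING_KEY = secrets.token_bytes(32)  # assumption: comes from a secret store in production


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact HS256 JWT carrying sub/iat/exp."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return the claims if the token is genuine and unexpired, else None.
    The MAC is always recomputed with HS256 whatever the header says, so an
    'alg: none' or re-signed token cannot pass."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON, non-ASCII input
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256" or not isinstance(claims.get("exp"), int):
        return None
    return claims if claims["exp"] > now else None


class RefreshTokenStore:
    """Server-side table of live refresh tokens, keyed by digest so that a
    database leak does not hand out usable tokens."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> {"user": ..., "exp": ...}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {"user": user_id, "exp": now + REFRESH_TTL}
        return token

    def rotate(self, token: str, now: int):
        """Exchange a valid refresh token for a new (access, refresh) pair.
        The presented token is deleted first, so it works exactly once."""
        row = self._rows.pop(self._digest(token), None)
        if row is None or row["exp"] <= now:
            return None
        return issue_access_token(row["user"], now), self.issue(row["user"], now)

    def revoke(self, token: str) -> bool:
        """Logout: drop the refresh token immediately."""
        return self._rows.pop(self._digest(token), None) is not None


def demo(t0: int = 1_700_000_000) -> dict:
    """Walk one session through login, refresh, replay, forgery and logout."""
    day = 24 * 3600
    store = RefreshTokenStore()
    access, refresh = issue_access_token("user-42", t0), store.issue("user-42", t0)
    new_access, new_refresh = store.rotate(refresh, t0 + day)   # legitimate refresh
    replay = store.rotate(refresh, t0 + day)                    # old token presented again
    h, _, s = new_access.split(".")
    forged_claims = json.dumps({"sub": "admin", "iat": t0, "exp": t0 + ACCESS_TTL}, separators=(",", ":"))
    tampered = f"{h}.{_b64url(forged_claims.encode())}.{s}"    # edited claims, original MAC
    alg_none = _b64url(b'{"alg":"none"}') + "." + new_access.split(".")[1] + "."
    logged_out = store.revoke(new_refresh)
    return {
        "access_valid_day_1": verify_access_token(access, t0 + day) is not None,
        "access_valid_day_7": verify_access_token(access, t0 + ACCESS_TTL) is not None,
        "replay_rejected": replay is None,
        "tampered_rejected": verify_access_token(tampered, t0 + day) is None,
        "alg_none_rejected": verify_access_token(alg_none, t0 + day) is None,
        "logout_revoked": logged_out and store.rotate(new_refresh, t0 + 2 * day) is None,
        # Caveat: a stateless JWT minted before logout still verifies until exp.
        "access_survives_logout": verify_access_token(new_access, t0 + 2 * day) is not None,
    }
```

The last entry in `demo()` is the practical consequence of a 7-day JWT: revoking the refresh token stops the session from being extended, but a bearer who already holds the access token can use it until it expires unless the server also checks a revocation list.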
Payment Security
We never see, store, or transmit your full card number. All payment data is handled end-to-end by Stripe, a PCI DSS Level 1 certified provider.
What data do we actually store?
Email address: required for authentication and transactional email.
Password: only a bcrypt hash is stored, never the password itself.
Debt balances & rates: stored only if you are logged in and save your data.
Subscription amounts: stored only if you are logged in and save your data.
AI chat messages: forwarded to Groq for inference; not permanently stored by us.
Credit card / bank numbers: never transmitted to or stored by us; handled by Stripe only.
IP address: kept in server access logs for up to 90 days for security purposes.
Cookies / trackers: we use zero advertising or tracking cookies.
Found a vulnerability?
We take security seriously. If you discover a security vulnerability in DebtMirror, please report it responsibly by emailing [email protected] with the subject "Security Disclosure".
Please give us a reasonable amount of time to respond before public disclosure. We appreciate security researchers who help keep our users safe.