
Security

Effective date: May 31, 2026  ·  Thrrive LLC

Note: This document describes security measures in good faith based on actual implementation. It was prepared by the product owner with AI assistance and is provided for transparency. It is not a formal security audit or legal advice. See the Privacy Policy for information about data handling.

1. Our Approach to Security

Thrrive is a personal net-worth tracker. We have designed it with security as a first-class concern because it handles sensitive financial data. This page describes the specific security controls we have implemented. We believe transparency about our practices helps you make an informed decision about trusting us with your data.

2. Encryption at Rest

The credentials that let us read from your banks and brokerages are encrypted with AES-256-GCM before they are stored, and decrypted only in memory when a sync runs. The encryption key is held as an environment variable, never in source code or the database. Other data lives in our managed database with access restricted to the application.

3. Authentication

Passwords are hashed with bcrypt and are never stored in plaintext, and the login endpoint is rate-limited to slow brute-force guessing. Web sessions use encrypted, HTTP-only cookies. The iOS app uses signed tokens, sent only over HTTPS and signed with a secret that is kept separate from the web session secret, so a leak of one does not let an attacker forge the other.
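The next block is an added example, written for this page rather than taken from Thrrive, of two of the controls named above: a per-client login rate limiter and HMAC-signed mobile tokens verified with a constant-time comparison under a secret distinct from the web session secret. The limiter parameters, the token layout, the client keys and the secrets are all assumptions. bcrypt itself is not shown because it is outside the Go standard library (it lives in golang.org/x/crypto/bcrypt).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// LoginLimiter is a fixed-window counter keyed by a client identity such as
// "ip:203.0.113.7" or "user:alice". Once a key has used maxAttempts in the
// current window, further attempts are refused until the window rolls over.
type LoginLimiter struct {
	mu          sync.Mutex
	maxAttempts int
	window      time.Duration
	now         func() time.Time // injectable clock, used by tests
	buckets     map[string]bucket
}

type bucket struct {
	count int
	start time.Time
}

func NewLoginLimiter(maxAttempts int, window time.Duration) *LoginLimiter {
	return &LoginLimiter{maxAttempts: maxAttempts, window: window, now: time.Now, buckets: map[string]bucket{}}
}

// Allow records one login attempt for key and reports whether it may proceed.
// Every attempt is counted, successful or not, so the counter cannot be
// reset by interleaving a known-good login between guesses.
func (l *LoginLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b := l.buckets[key]
	if b.count == 0 || t.Sub(b.start) >= l.window {
		b = bucket{start: t}
	}
	if b.count >= l.maxAttempts {
		l.buckets[key] = b
		return false
	}
	b.count++
	l.buckets[key] = b
	return true
}

// IssueToken builds a bearer token "<payload>.<sig>" for the mobile client,
// where payload is base64url("<userID>:<expiryUnix>") and sig is HMAC-SHA256
// over the raw payload under tokenSecret. tokenSecret must differ from the
// key that encrypts web session cookies.
func IssueToken(tokenSecret []byte, userID string, expiry time.Time) string {
	payload := []byte(userID + ":" + strconv.FormatInt(expiry.Unix(), 10))
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(sign(tokenSecret, payload))
}

// VerifyToken returns the user ID carried by a valid, unexpired token. The MAC
// is checked with hmac.Equal (constant time) before the payload is parsed, so
// nothing inside an unsigned or forged payload is ever acted on.
func VerifyToken(tokenSecret []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", errors.New("malformed token payload")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed token signature")
	}
	if !hmac.Equal(sign(tokenSecret, payload), sig) {
		return "", errors.New("invalid token signature")
	}
	i := strings.LastIndexByte(string(payload), ':')
	if i < 0 {
		return "", errors.New("malformed token payload")
	}
	exp, err := strconv.ParseInt(string(payload[i+1:]), 10, 64)
	if err != nil {
		return "", errors.New("malformed token expiry")
	}
	if !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("token expired")
	}
	return string(payload[:i]), nil
}

func sign(secret, msg []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(msg)
	return m.Sum(nil)
}

func main() {
	// Constructed secret; in production it comes from its own environment
	// variable and is never the same value as the web session secret.
	tokenSecret := []byte("example-ios-token-secret-not-for-production")
	limiter := NewLoginLimiter(5, time.Minute)
	for i := 1; i <= 6; i++ {
		fmt.Printf("attempt %d allowed: %v\n", i, limiter.Allow("ip:203.0.113.7"))
	}
	tok := IssueToken(tokenSecret, "user-42", time.Now().Add(24*time.Hour))
	uid, err := VerifyToken(tokenSecret, tok, time.Now())
	fmt.Println("verified user:", uid, "err:", err)
	_, err = VerifyToken([]byte("web-session-secret"), tok, time.Now())
	fmt.Println("verify with wrong secret:", err)
}
```

The limiter is keyed by whatever identity the handler chooses; keying by both source address and target account, with separate limiters, blocks a single host spraying many accounts as well as many hosts targeting one account.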

4. Read-Only Financial Access

Our connections to your banks (Teller) and brokerages (SnapTrade) are read-only. Thrrive cannot move money, pay bills, place orders, or change your accounts in any way, so even if a Thrrive account were compromised, an attacker could only view the connected data, not transact with it.

5. Data Minimization with Third Parties

We send providers only what they need. The optional AI analysis (Anthropic) receives a financial summary — balances and exposures — but never your name, email, or other identifying details. Market-price lookups (Yahoo Finance) send only ticker symbols, never any user or account information.

6. Hosting and Infrastructure

Thrrive is hosted on Railway, which provides the application server and a managed PostgreSQL database. All communication between clients (web browser and iOS app) and the Thrrive backend occurs over HTTPS.

Database access is restricted to the application server; the database is not publicly exposed. Railway provides infrastructure-level security controls, network isolation, and automatic backups.

7. Responsible Disclosure

If you discover a security vulnerability in Thrrive, please report it responsibly. Contact us at privacy@thrrive.io with a description of the issue and steps to reproduce it. We will acknowledge receipt promptly and work to address confirmed vulnerabilities.

We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate them.

8. No Security Warranty

The security measures described on this page reflect our actual implementation in good faith. However:

THE SERVICE IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY OF SECURITY. No security system is impenetrable. Thrrive LLC does not guarantee that the Service is free from unauthorized access, data breaches, or other security incidents. To the fullest extent permitted by law, Thrrive LLC disclaims all liability for any security incident or data breach that occurs despite the measures described here.

This page was prepared by the product owner with AI assistance and is provided for transparency. It is not a formal security audit, security certification, or legal advice. If you have questions about our security practices, contact us at privacy@thrrive.io.

This page is governed by the laws of the State of California, and the disclaimers and limitations of liability in our Terms of Service control over anything stated here.