This is part 8 of our series on how Gylder works. In the previous post, we covered alerts and insights. Now let's talk about something foundational: how we protect your data.
Why security matters more for financial apps
When you connect your bank accounts and crypto exchanges to any platform, you're trusting it with a detailed picture of your financial life. That's a level of trust that demands serious security — not just checkboxes, but meaningful protection at every layer.
Here's how we approach it.
Encryption at rest
Every piece of financial data in Gylder is encrypted before it's stored. Your balances, transactions, account names, and personal details are all encrypted with a unique key that belongs to you and only you.
This means that even in the unlikely event of a database breach, your financial data would be unreadable without your individual encryption key. It's not a single master key protecting everyone — each user's data is independently encrypted.
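Per-user encryption at rest, as an added illustration that is not Gylder's code: each user gets an independent AES-GCM key, the user ID is bound in as associated data, and another user's key fails authentication rather than producing readable output. How Gylder actually generates, derives or stores per-user keys is not described above; NewUserKey, Seal, Open and Record are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Record is one encrypted row as stored: random nonce + AES-GCM blob, never plaintext.
type Record struct{ UserID string; Nonce, Blob []byte }

// NewUserKey returns an independent 256-bit key for one user; no master key is
// shared across users. (Hypothetical stand-in: key storage is not described on the page.)
func NewUserKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a user's data under that user's key, binding the user ID as
// associated data so a blob cannot be re-attached to another user's row.
func Seal(userID string, key, plaintext []byte) (Record, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{userID, nonce, aead.Seal(nil, nonce, plaintext, []byte(userID))}, nil
}

// Open decrypts with the supplied key. Any other user's key (or a tampered
// blob) fails GCM authentication, so a leaked database yields nothing readable.
func Open(rec Record, key []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Blob, []byte(rec.UserID))
}
```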
Encryption in transit
All data moving between your browser and our servers, and between our servers and third-party APIs (banks, exchanges), is encrypted using TLS. This is standard for any serious web application, but worth stating explicitly: your data is never transmitted in plain text.
Read-only access
Gylder never has the ability to move your money, make trades, or perform any action on your accounts. Every connection is strictly read-only:
- Bank accounts use PSD2 open banking, which provides read-only access by design. We receive balances and transactions — nothing more.
- Crypto exchanges connect via API keys that you generate with read-only permissions. Gylder cannot place orders, withdraw funds, or modify anything on your exchange account.
Even if someone were to compromise Gylder entirely, they could not use our access to move funds from any connected account.
Two-factor authentication
Your Gylder account supports two-factor authentication (2FA) using an authenticator app. When enabled, logging in requires both your password and a six-digit code from your authenticator — making it significantly harder for anyone to access your account, even if they know your password.

EU-only data storage
All Gylder data is stored in data centres within the European Union. We don't replicate data to US or other non-EU regions. This keeps your data under EU jurisdiction and subject to European data protection regulations — which are among the strictest in the world.
No third-party data sharing
We don't sell, share, or provide your financial data to any third party. Your data exists for one purpose: to show you your own finances. We don't use it for advertising, analytics, or any form of monetisation beyond the subscription you pay for.
What we don't store
We deliberately don't store certain sensitive information:
- Banking credentials — We never see your bank login details. Authentication happens directly on your bank's website via PSD2.
- Full card numbers — We don't receive or store credit or debit card numbers.
- Exchange passwords — We only store the read-only API keys you provide, not your exchange account passwords.
Security is ongoing
Security isn't a one-time effort. We regularly review our codebase, update dependencies, and assess our infrastructure for potential vulnerabilities. When issues are found, they're prioritised and addressed promptly.
We believe transparency about our security approach builds trust. If you have questions about how we protect your data, reach out to us at support@gylder.nl.


