Security
Last updated 6 July 2026
You’re trusting us with receipts, serial numbers, and photos of your most valuable possessions. Here is, concretely, how that data is handled.
Where your data lives
- Everything is stored in a managed PostgreSQL database on Google Cloud, encrypted at rest and reachable only by our API service — never directly from the internet.
- All traffic between your browser and Tresory is encrypted in transit (HTTPS).
- Your items are scoped to your account at the database level; every API request is authorized per user.
Your account
- Passwords are hashed with bcrypt — we never store or see the password itself.
- Sign-in attempts are rate-limited to slow down credential-stuffing attacks.
- You can delete your account at any time from Settings. Deletion removes your items, photos, and documents — it’s a database delete, not a soft hide.
Payments
- Recovery subscriptions are processed by Stripe. Your card details go to Stripe directly and never touch our servers.
What’s shared, and when
- Nothing about your collection is public by default.
- If you create a shareable resale report, it lives at an unguessable link you can revoke, and the serial number on it is masked.
- Stolen-item reports you file for the public ledger show checkers only the item facts — category, brand, dates — never your name or contact details.
- We don’t sell or share your data with advertisers. Ever.
Found something?
If you believe you’ve found a security issue, please tell us and we’ll respond quickly: support@tresory.io.
Also see our Privacy Policy.