
Security at Bickie.

Bickie holds some of your most sensitive information, so here's a plain account of how we protect it — and, just as importantly, what we don't claim. Bickie is in beta; this describes how the product works today, and we'll keep this page current as it changes.

Hosted in Australia, encrypted in transit and at rest

Stored in Australia. Your data lives in Sydney (the ap-southeast-2 region) on Supabase — a managed Postgres platform that maintains a SOC 2 Type II report.

Encrypted in transit and at rest. Everything moves over TLS, and the database is encrypted at rest by our hosting provider.

Run on trusted infrastructure. Database and authentication run on Supabase; the app is served from Vercel; payments go through Stripe — established providers that carry their own security certifications.

Strong sign-in, by default and by choice

We never see your password. Authentication runs on Supabase Auth — your password is hashed on their servers and is never stored or logged by Bickie.

Passwords are checked against known breaches. When you set a password, we check it against the HaveIBeenPwned database of leaked passwords — without the password itself ever leaving your browser. It's hashed in your browser and only a short prefix of that hash is sent to the lookup service (k-anonymity), so the service can't tell which password you're checking. Known-breached passwords are blocked.

Two-factor authentication. Turn on TOTP 2FA with any authenticator app (Google Authenticator, 1Password, Authy…). Once it's on, it's required at every sign-in — including Google and Apple sign-in.

Single-use recovery codes. If you lose your authenticator, single-use recovery codes get you back in. They're shown once, stored only as hashes, and redemption is rate-limited.

You only ever see your own data

Row-level security on every table. Access control isn't just in the app — it's enforced in the database. Every table has row-level security enabled and scoped to your account, so one household can never read another's data.

Your card never touches our servers

All payments go through Stripe. We use Stripe's hosted checkout and billing portal (Stripe is PCI-DSS Level 1). Card numbers never reach Bickie — we store only Stripe's customer and subscription IDs and your plan status.

Signed webhooks. Billing events from Stripe are verified by signature before we act on them.

Least-privilege, audited internal access

Role-scoped staff access. Internal tools are gated by granular role-based permissions — staff get only what their role needs.

Re-verification for sensitive actions. Sensitive operations require a fresh two-factor check, and every administrative action is written to an audit log.

Export anytime; delete on request

Export everything. Download your data as JSON whenever you like — accounts, transactions, recurring schedules, mortgages, net-worth items, and your profile.

Delete your account. Permanently delete your account and all your data anytime from Settings → Profile. Households you share with others stay with them.

What leaves Bickie

We keep your data in as few places as we can. Where it can go:

Supabase — your database and authentication, hosted in Australia.

Stripe — payments and subscriptions.

Vercel — application hosting.

Google Gemini (paid AI features only). If you use the AI insights, categorisation, or scenarios, the relevant financial summaries are sent to Google's Gemini API to generate them — only when you use those features, and never on the free plan.

Basiq (optional, beta). Bank feeds, where enabled, connect through Basiq. This is in beta and off by default.

What we don't claim

We're not end-to-end encrypted. Your data is encrypted by our hosting provider, but to actually run the product — insights, projections, support — Bickie can access it. We don't claim otherwise.

We rely on certified providers, not our own badge. Our infrastructure (Supabase, Stripe, Vercel) carries SOC 2 / PCI certifications. Bickie itself doesn't hold an independent security certification yet.

2FA is optional. It's strongly encouraged, but not forced on you.

We're in beta. We're actively hardening Bickie and will keep this page honest as things change.

Report a security issue

If you spot a vulnerability, please email support@bickie.com.au rather than posting it publicly, and we'll get on it. We're grateful for responsible disclosure.