Security & Trust
How we protect your account, data, and privacy. Security practices built into every layer of the platform.
Security by Design
Security is not an afterthought — it's built into every component of the HEVEA Genius platform.
End-to-End Encryption
All data in transit is protected with TLS 1.3. Passwords are hashed with bcrypt. No plain-text credentials are ever stored.
Two-Factor Authentication
TOTP-based 2FA available for all accounts. Compatible with Google Authenticator, Authy, and any standard TOTP app.
Minimal Data Collection
We collect only what's necessary: email, subscription status, and usage analytics. No financial data, no ID documents stored.
Session Security
Sessions expire automatically after 30 days of inactivity. Active sessions are visible and revocable from your account dashboard.
Infrastructure Security
Hosted on Hetzner Cloud EU. Regular automated backups. Firewalled with IP allowlisting for admin access. SSH key-only access.
Payment Security
Payments processed via Stripe — we never see or store your card details. PCI DSS compliance handled entirely by the payment processor.
Account Security Features
Your HEVEA Genius account comes with multiple layers of protection. Here's what's available and what we recommend enabling.
- Strong password enforcement (minimum 10 characters)
- TOTP two-factor authentication (strongly recommended)
- Email notification on new login from unknown device
- Session management — view and revoke active sessions
- Account deletion available on request
- Data export available on request (GDPR Article 20)
Enable 2FA — 3 Steps
Open Your Account
Go to Account → Security tab and click "Enable 2FA".
Scan QR Code
Open your authenticator app and scan the QR code displayed.
Verify & Save
Enter the 6-digit code from your app to confirm. 2FA is now active.
Data Privacy & GDPR
We believe in minimal data collection and maximum transparency about what we store and why.
What We Collect
Email address, subscription plan and status, login timestamps, 2FA configuration, affiliate referral links, and anonymized usage analytics (page views, feature usage).
What We Don't Collect
No financial information (handled by Stripe). No government ID or KYC documents. No trading account details. No location data beyond country (from IP, anonymized).
Your Rights
Right to access, rectify, or delete your data. Right to data portability. Right to withdraw consent. Exercise any right by emailing us — processed within 30 days.
Data Retention
Active account data retained while subscription is active. After cancellation: email and basic records kept 3 years for legal compliance, then deleted. Request earlier deletion anytime.
Security Questions?
Report a vulnerability or ask about our security practices. We take every report seriously.
Responsible Disclosure
Found a security issue? Please report it responsibly. We review all reports promptly and appreciate coordinated disclosure.
security@heveagenius.io
Security in Your Hands
Manage 2FA, active sessions, and account security directly from your device.