Read-only broker OAuth. AES-256-GCM per-user encryption. TLS 1.2+ in transit. Your data is never used to train AI models.
Every broker connection goes through official OAuth. We never see your password. We literally cannot place an order.
Zerodha Kite Connect, Upstox API, Angel One SmartAPI, Groww API, Dhan API, Fyers API, HDFC Sky, ICICI Direct. No scrapers, no screen automation — only official broker APIs.
We store only the OAuth access token, encrypted. Your broker password never enters UseMoney servers — you log in on the broker's own site and we receive a scoped token.
The order-placement API scope is never requested. We can only read: holdings, positions, tradebook, MF folios. Nothing else — the broker enforces this, not just our promise.
The end-to-end OAuth flow, simplified. The broker holds your credentials. We never see them.
All sensitive data — broker tokens, contract notes, documents — is encrypted at rest with AES-256-GCM. Encryption keys are per-user, so one compromised key cannot decrypt another user's data.
In transit: TLS 1.2+ everywhere. HSTS enforced.
Portfolio data stored in MongoDB Atlas (encryption at rest + TLS in transit). Hosted on Google Cloud Platform (us-central1) and Vercel. Market-data cache in Redis with short TTLs (quotes 5 min, historical 1 hr).
Authentication via Clerk — supports OAuth social login and MFA.
The production AI engine is Google Gemini, accessed via Google Vertex AI (us-central1). When you chat with StockSage, anonymised portfolio context (symbol + quantity, never your name, email, or broker credentials) is sent to Gemini for the response.
Chat history is stored so you can refer back. It is never used for training. It can be deleted any time from the chat history page.
Full subprocessor list: /subprocessors.
We are pre-RIA — SEBI Investment Adviser registration is in motion. We will publish certifications as they are earned. We do not (yet) hold SOC 2 or ISO 27001; we will not claim either until we do.
If you believe you've found a vulnerability in UseMoney, email security@usemoney.ai. Include reproduction steps. We respond within 48 hours and will keep you updated through remediation.
Read-only OAuth means we don't have the capability to place orders. By design.