Privacy Lock & Security at Alchemy

How Alchemy protects sensitive holdings data with client-side encryption, PIN unlock, and recovery keys.

By Alchemy Team

Security is a core part of Alchemy. Privacy Lock is designed so your most sensitive transaction values are encrypted on your device before they are uploaded.

Why Privacy Lock exists

Your account password signs you in.
Privacy Lock is a second layer that protects sensitive transaction values if someone views backend tables directly.

What we encrypt

When a transaction is saved, these sensitive values are encrypted client-side:

  • quantity
  • prices
  • notes

They are stored as ciphertext in the database, not plaintext.

What remains plaintext

Some non-sensitive metadata remains plaintext so the app can function normally:

  • asset type
  • transaction type (buy/sell)
  • timestamps
  • IDs used for account/portfolio linking

This allows filtering, joins, and app performance without exposing sensitive value fields.

How unlock works

  • You unlock with a 6-8 digit PIN.
  • The PIN is used on-device to derive an encryption key.
  • That key unlocks your data encryption key in memory.
  • Your PIN itself is never stored by Alchemy.

Recovery key

During setup, you receive a recovery key shown once.

  • Keep it offline and private.
  • If you forget your PIN, the recovery key lets you reset the PIN.
  • If both PIN and recovery key are lost, encrypted values cannot be recovered.
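
The unlock and recovery flows described above, sketched as an added example (not Alchemy's code). It assumes scrypt for PIN stretching and AES-256-GCM for key wrapping and field encryption, neither of which the page names, and uses Node's built-in crypto module so it runs offline; all function names are hypothetical.

```javascript
// Added illustration of envelope encryption with a PIN-derived key; not Alchemy's code.
// Assumptions: scrypt as the KDF, AES-256-GCM for wrapping the key and encrypting fields.
const nodeCrypto = require('node:crypto');

// AES-256-GCM seal/open. Blob layout: iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Stretch a secret (PIN or recovery key) into a key-encryption key (KEK).
// A 6-8 digit PIN has at most 10^8 values, so the KDF cost is what slows offline guessing.
function deriveKek(secret, salt) {
  return nodeCrypto.scryptSync(secret, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Setup: one random data-encryption key (DEK), wrapped under the PIN and under the recovery key.
function setup(pin) {
  const dek = nodeCrypto.randomBytes(32);
  const recoveryKey = nodeCrypto.randomBytes(20).toString('hex'); // shown once, never stored
  const pinSalt = nodeCrypto.randomBytes(16);
  const recSalt = nodeCrypto.randomBytes(16);
  const vault = {
    pinSalt, recSalt,
    dekByPin: seal(deriveKek(pin, pinSalt), dek),
    dekByRecovery: seal(deriveKek(recoveryKey, recSalt), dek),
  };
  return { vault, recoveryKey }; // only `vault` is persisted: no PIN, no plaintext DEK
}

// Unlock: re-derive the KEK from the PIN and unwrap the DEK, which stays in memory only.
function unlock(vault, pin) {
  return open(deriveKek(pin, vault.pinSalt), vault.dekByPin);
}

// Forgotten PIN: unwrap the DEK with the recovery key, then re-wrap it under a new PIN.
function resetPin(vault, recoveryKey, newPin) {
  const dek = open(deriveKek(recoveryKey, vault.recSalt), vault.dekByRecovery);
  const pinSalt = nodeCrypto.randomBytes(16);
  return { ...vault, pinSalt, dekByPin: seal(deriveKek(newPin, pinSalt), dek) };
}

// Field-level encryption of one sensitive value (quantity, price, note).
const encryptField = (dek, value) => seal(dek, Buffer.from(String(value), 'utf8')).toString('base64');
const decryptField = (dek, b64) => open(dek, Buffer.from(b64, 'base64')).toString('utf8');
```

Because the DEK never changes during a PIN reset, existing ciphertext stays readable without re-encrypting any rows; losing both wrapped copies' secrets leaves no path back to the DEK.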

Device behavior

  • Decrypted key material is kept in memory while unlocked.
  • You can lock manually at any time.
  • Logging out locks first, then signs out.
  • Auto-lock can be configured (or left off).
  • Trusted-device unlock state is stored as encrypted session data tied to that browser/device.

What we never store

  • Your PIN
  • Plaintext sensitive transaction values when Privacy Lock writes are used

Security boundaries (important)

Privacy Lock protects sensitive values in storage. It does not replace basic account and device security.

You should still:

  • use a strong account password
  • keep your device updated
  • avoid untrusted browser extensions
  • store your recovery key safely offline

Our commitment

Alchemy is built to minimize exposure of sensitive holdings data, with client-side encryption, strict key handling, and lock-first session controls.
