Security
Last updated July 1, 2026
We take protecting your financial data seriously. Here is how NoteWallet is built to keep it safe.
How we protect your data
- No passwords. Sign-in uses Telegram's OpenID Connect, so we never store a password for you to lose.
- Signed sessions. Your session is a signed, http-only cookie that JavaScript cannot read, sent only over HTTPS.
- Encryption in transit. All traffic to NoteWallet is served over TLS.
- Scoped data access. Your records are isolated to your account in our managed Postgres database.
- Encryption at rest. Your data is encrypted at rest in our managed database.
- Audio handled in transit only. Voice notes are sent over TLS to our transcription provider and are not retained after the entry is created.
- We never touch your card. We do not see or store your card details. Payments are handled entirely by our payment provider (Lemon Squeezy) or by Telegram (Telegram Stars).
- Least-privilege access. Access to production systems is limited to authorized maintainers.
- Backups. Our database is backed up regularly by our managed database provider.
If something goes wrong
If a security incident affects your data, we will notify affected users and, where required by law, the relevant authority, without undue delay.
Protect your Telegram account
Because you sign in with Telegram, the security of your NoteWallet account depends on your Telegram account. We recommend enabling Telegram's two-step verification.
Reporting a vulnerability
If you believe you have found a security issue, please email security@notewallet.app before disclosing it publicly. We will acknowledge your report and keep you updated on the fix.
Questions
For anything else, reach us through the Contact page.