Privacy & Security
How we protect your data and handle cookies & advertising
The Short Version
Your portfolio data is encrypted on your device before it ever reaches our servers. We store only scrambled data that looks like random characters. Without your passphrase, nobody can read your holdings — not even us.
How Your Data is Protected
Your Device (where encryption happens): your portfolio data (for example, $2,650/oz) is encrypted with your passphrase and becomes unreadable (for example, Kx7mN9pQ2vL3...).
Our Servers: only the encrypted data is stored, and we cannot read it.
What We Cannot See
- Which metals you own
- How much of each metal you have
- Your purchase prices
- Your purchase dates
- Your notes
- Your total portfolio value
What We Can See
- Your email (for login)
- That you have a portfolio (not its contents)
- Encrypted data (unreadable without your passphrase)
- When you last accessed your portfolio
How the Encryption Works
You create a passphrase
When you first add a holding, you'll create a secret passphrase. This is like a password, but you can make it longer and easier to remember (like a sentence).
Your passphrase derives a unique encryption key
We use your passphrase to derive an encryption key using PBKDF2-SHA256 with 310,000 iterations (OWASP 2023 recommendation). This key derivation makes brute-force attacks computationally infeasible, even with powerful hardware.
Your data is encrypted on your device
Before any data leaves your phone or computer, it's encrypted using AES-256-GCM (authenticated encryption) — the same standard used by banks and governments. Each holding uses a unique random IV, and the authentication tag ensures data integrity.
Only scrambled data reaches our servers
We only ever receive and store the encrypted version. Even if someone broke into our database, they would only find gibberish that's impossible to decode without your passphrase.
You unlock it each session
When you want to view your portfolio, you enter your passphrase. Your device downloads the encrypted data and decrypts it locally — we never see the unencrypted version.
Important Things to Know
Remember your passphrase: If you forget it, there's no way to recover your data. We don't store your passphrase and cannot reset it for you.
No recovery option: This is by design. If we could recover your data, so could a hacker. Your security is our priority.
Vault reset: If you forget your passphrase, you can reset your vault, but this will permanently delete all your portfolio data.
Cookies & Local Storage
We use cookies and local storage to provide essential functionality and improve your experience.
Essential Cookies
Required for the site to function. These handle authentication, remember your preferences (theme, currency, chart settings), and store a verification hash for your encrypted-portfolio passphrase locally.
Analytics Cookies
We use Vercel Analytics to understand how visitors use our site. This helps us improve performance and fix issues. Analytics data is aggregated and does not identify individual users.
Advertising Cookies
Google AdSense may set cookies to display relevant ads and measure ad performance. See the "Advertising & Ad Targeting" section below for more details and opt-out options.
Advertising & Ad Targeting
MetalCharts displays ads through Google AdSense to support free access to our tools and data. Here's how advertising works on our site:
What Google AdSense Collects
Google may collect and use data for ad personalization, including:
- Cookies stored on your browser to track preferences and interactions
- Device identifiers and IP address (often anonymized)
- Browsing activity across sites that use Google services
- Demographic and interest data associated with your Google account (if signed in)
How Ads Are Personalized
Google uses this information to show ads that may be more relevant to your interests. For example, if you've previously searched for investment products, you might see ads related to financial services. Personalized ads help support our site while potentially showing you more useful content.
Third-Party Vendors
Google works with third-party vendors and ad networks that may also place cookies on your device. These partners help serve and measure the effectiveness of ads. You can view a list of Google's advertising partners at Google's Partner Sites.
Your Choices & Opt-Out Options
You have control over how your data is used for advertising:
Opt Out of Personalized Ads
Visit Google's Ad Settings to control personalized advertising:
Google Ad Settings
NAI Opt-Out Tool
Opt out of interest-based advertising from NAI member companies:
NAI Consumer Opt-Out
Browser Settings
Most browsers allow you to block or delete cookies through their settings. Note that blocking all cookies may affect site functionality, including remembering your preferences and keeping you logged in.
Do Not Track
Some browsers offer a "Do Not Track" setting. While we respect this preference where possible, note that third-party ad networks may not honor DNT signals.
Note: Even if you opt out of personalized ads, you will still see ads on MetalCharts. They just won't be tailored to your interests and browsing history.
Data Retention
We retain different types of data for different periods:
- Account data: Retained while your account is active. You can delete your account and all associated data at any time from Settings.
- Portfolio data: Encrypted and stored until you delete it or delete your account.
- Analytics data: Aggregated and anonymized; retained for up to 12 months.
- Ad-related cookies: Managed by Google according to their retention policies.
Have questions about our privacy practices? Email us at [email protected]