Security
How we protect your data, and how to reach us if you find a problem.
Foresight Planner is built by Multiverse Arc Inc., a Canadian corporation, and runs on Google Cloud infrastructure in Montréal. This page summarises the technical safeguards that protect the information you enter, the controls available to you as a user, and the channel security researchers should use to report a vulnerability. For the long-form description we provide on request to regulators, see our Privacy Policy.
What we're protecting
When you use Foresight Planner, we hold:
- Account identifiers from your Google sign-in: your email address and display name.
- Plan inputs you enter into the planner: ages, account balances, income, retirement targets, asset allocation, and similar parameters.
- Simulation outputs produced from those inputs.
- Consent records: when you accepted our Privacy Policy and which version you accepted.
We do not collect government identifiers (SIN, SSN), account numbers, or credentials for any financial institution. Foresight Planner is a projection tool, so it never needs to authenticate to your bank, brokerage, or any other third-party account.
Where your data lives
All personal information is stored and processed in Montréal, Québec, Canada (Google Cloud's northamerica-northeast1 region). That covers our databases, application servers, background workers, and log storage.
The one globally-distributed component is Google's sign-in service, which handles your Google account password, which we never see. Development and production data live in separate Google Cloud projects with no shared credentials, so a mistake in our development environment cannot reach production data.
Encryption
- In transit: all traffic between your browser and our servers uses TLS (HTTPS). Plain-HTTP connections are refused. Browsers that have visited the site refuse to talk to it over plain HTTP for two years afterwards (HSTS preload).
- At rest: Google Cloud encrypts every database row, file, and backup on disk with AES-256.
- Backups inherit the same encryption and live in the same Montréal region. No personal information is exported to any external store.
Sign-in
You can sign in with Google or with an email and password. With Google, password handling is delegated entirely to Google (including two-factor authentication if you have it enabled); we never see it.
For an email and password, your password goes directly to Firebase Authentication (Google) over an encrypted connection, which stores it only in salted, hashed form. Our own servers never see or store your password. We require at least 8 characters and screen new passwords against Have I Been Pwned's public breach database to block known-compromised choices — using k-anonymity, so only a short, irreversible fragment of your password's hash is checked and the password itself never leaves your device.
Behind the scenes our application servers authenticate to the database using short-lived Google Cloud credentials, not static keys, so there is no long-lived service password that could leak.
You only see your own data
Two independent layers enforce that one user cannot read or modify another user's plans:
- Database security rules: every database request is checked against your signed-in identity before the database returns any data. A signed-in user can only access documents stored under their own account.
- Server-side authorisation: every API endpoint that writes data re-verifies your identity and validates the request before committing anything.
Sensitive internal records (consent acceptance, account deletions, regulator-facing audit events) are never readable by the client at all. Only server-side processes can touch them.
Controls available to you
- Delete your account. From Settings → Danger Zone, you can erase your account profile, saved plans, and simulation results immediately. Google Cloud's automated backups retain a snapshot for up to 30 days before they are overwritten.
- Access & correction. You can request a copy of all personal information we hold about you, or ask us to correct it. See the Privacy Policy for how to make the request.
- Manage access.If you signed in with Google, you can revoke our application's access at any time from your Google Account permissions page. If you signed in with an email and password, use Forgot password? on the sign-in screen to reset it.
Web defences
We send the strictest browser security headers we can (Content Security Policy, HSTS, frame-blocking, and a Permissions-Policy that disables the device APIs the planner doesn't use), so a stored-script or cross-site bug can't easily be exploited even if one were introduced. Every endpoint that touches your data is also rate-limited to deflect abusive traffic.
Audit logging
Compliance events (consent acceptance, deletion and access requests, breach notifications) are written to a dedicated audit log readable only by server-side processes. Operational events (request traces, simulation runs, errors) are recorded separately in Google Cloud Logging and contain only the minimum identifier needed to debug a request.
Compliance
Multiverse Arc Inc. operates under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). The safeguards summarised on this page are calibrated to PIPEDA Schedule 1 Principle 7 (Safeguards). A long-form description of those safeguards is maintained as a regulator-facing document and is available on request from [email protected].
Reporting a vulnerability
Thanks for helping keep Foresight Planner and its users safe. If you believe you have found a security issue, please do not file a public issue. Public reports give attackers a head start before a fix is deployed.
Send your report by email to [email protected]. This mailbox is monitored by our privacy officer. The machine-readable RFC 9116 record is at /.well-known/security.txt (valid through May 21, 2027).
Please include:
- A description of the issue and its impact.
- Steps to reproduce or a proof-of-concept (please use a non-production account where possible).
- Any relevant logs, screenshots, or affected URLs.
- Whether the issue has been disclosed to anyone else.
What to expect
- Acknowledgement within 3 business days.
- Initial severity assessment within 7 business days.
- Fix or mitigation deployed within 90 days for high or critical severity issues.
- Coordinated public disclosure within 90 days of acknowledgement, or sooner once a fix is live.
If a fix will take longer than 90 days, we will say so explicitly and agree a revised timeline with you. We do not currently run a paid bug-bounty program, but we are happy to publicly credit reporters in release notes.
Scope
In scope: the Foresight Planner web app at mvplan.web.app (and any future production hostnames), and the API services that back it.
Out of scope (please do not report these as vulnerabilities): denial-of-service via traffic floods, social engineering of staff or users, physical attacks, vulnerabilities in third-party services such as Google Cloud or Firebase (report those to the vendor), issues that require a compromised device or already-stolen credentials, missing security headers or TLS-configuration nits without a concrete exploit, and automated-scanner output without a demonstrated impact.
Safe harbor
We will not pursue legal action against researchers who make a good-faith effort to avoid privacy violations, data destruction, and service interruption; only interact with accounts they own or have explicit permission to access; and give us a reasonable opportunity to address the issue before any public disclosure.