Legal

Security, Retention & Breach Response

Last updated: 3 July 2026

This page describes the controls Continuly currently has in place, the data-retention rules we follow, and what happens if a security incident occurs. It is maintained by Continuly to answer common security and privacy questions about the service.

1. Access controls

  • Every user account is protected by an email address and password.
  • Optional two-factor authentication (TOTP) — recommended for all accounts. Manage it in Settings.
  • Sensitive fields (such as bank balances) are masked by default and require identity verification (password re-entry, plus TOTP if enrolled) before they can be revealed. Every reveal is written to a per-user audit log you can review.
  • Trusted contacts you nominate can only see what you allow. Before accessing anything sensitive they must authenticate with their own account and enter a personal PIN that you set.

2. What we never store

  • Full bank account numbers
  • Online banking usernames or passwords
  • Card numbers, CVVs, PINs
  • Security question answers
  • Passwords for other services

3. Data at rest and in transit

All traffic to Continuly is encrypted in transit using TLS. Data is stored on managed cloud infrastructure with encryption at rest, strict per-user row-level security policies, and least-privilege access for engineers.

4. Data retention

  • Active accounts — we retain your data for as long as you use Continuly.
  • Deleted accounts — personal data is removed from live systems within 30 days of deletion, except limited records we must retain for legal reasons (typically no longer than 6 years).
  • Audit logs — sensitive-access audit entries are retained for up to 24 months.
  • Backups — encrypted backups rotate on a rolling 35-day cycle, so a deleted record can persist in an encrypted backup for up to 35 days after it is removed from live systems.

5. Sub-processors

Continuly uses a small number of vetted infrastructure providers to host the app and its data. A current list is available on request from privacy@continuly.app.

6. Breach response process

In line with UK GDPR Articles 33 and 34, if we detect a personal-data breach:

  1. We contain the incident and preserve evidence.
  2. Where the breach is likely to result in a risk to your rights and freedoms, we notify the UK ICO within 72 hours of becoming aware of it.
  3. Where the breach is likely to result in a high risk to you, we also notify you directly without undue delay, in clear and plain language, describing what happened, the likely consequences and the steps we are taking.
  4. We produce a post-incident report and update our controls to prevent recurrence.

7. Reporting a vulnerability

If you believe you have found a security issue, please contact us privately at security@continuly.app before disclosing it publicly. We appreciate coordinated, responsible disclosure and will respond promptly.

8. Your controls in-app

  • Enable / disable two-factor authentication.
  • Review sensitive-field reveal history in your security audit log.
  • Export your entire dataset as JSON.
  • Delete your account and associated data.

This page describes current practices and is not a certification. Continuly does not claim independent audit or regulatory certification; we describe the controls we operate today and welcome feedback.