Track Your Crypto Investment
Enter your Binance read-only API credentials to view your complete history and portfolio P&L across all transaction types.
Your API keys are sent directly to Binance and are never stored, logged, or shared.
How We Protect Your Data
API Key Security
- Only read-only API keys accepted — we reject keys with trade or withdrawal permissions
- Keys are encrypted with AES-128-CBC (Fernet) using an environment-injected secret — never in source code
- Keys are decrypted only inside the sync worker at the moment of fetching — never held in memory longer than the request
- Keys are transmitted over HTTPS/TLS 1.3 — encrypted in transit end-to-end
- Your API key is sent directly to Binance's API — we act as a passthrough, not a proxy
- Database column uses dedicated encryption — even a full DB dump reveals nothing
Login & User Data Security
- Passwords hashed with bcrypt (cost factor 12) — irreversible, no plaintext storage
- Sessions use JWT tokens with short expiry — signed with HS256, HttpOnly cookies
- OAuth 2.0 login (Google, GitHub) — we never see your password for these providers
- Twitter/X uses PKCE flow — OAuth 2.0 security best practice, no shared secrets
- No tracking pixels, no analytics scripts, no third-party data sharing
- All user data stored in PostgreSQL with connection encryption — isolated per user
Frequently Asked Questions
Can you trade or withdraw from my Binance account?
No, it is technically impossible. We only accept API keys that have the Can Read permission enabled. Keys with Enable Spot & Margin Trading, Enable Withdrawals, or Enable Futures permissions are rejected at input.
Even if someone gained access to our database, the encrypted API key can only read your transaction history — it cannot move funds, place orders, or modify your account in any way.
How is my API key stored?
Your API key is encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication). The encryption key is injected via environment variable at deploy time — it never exists in source code, config files, or version control.
The encrypted key is stored in a dedicated PostgreSQL column. Decryption happens only inside the background sync worker, at the exact moment it needs to call Binance's API. After the sync completes, the decrypted key is garbage-collected.
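What the HMAC-SHA256 half of the Fernet scheme gives a stored column, shown as an added example (not this service's code): a row altered in the database, or read with the wrong key, fails authentication before any decryption is attempted. The key, IV and ciphertext bytes are constructed sample data, and the AES-128-CBC decryption step is deliberately left out.

```python
import base64
import hashlib
import hmac
import struct


def authenticate_token(token, fernet_key):
    """Check a Fernet token's framing and HMAC; return its creation time (Unix seconds)."""
    raw_key = base64.urlsafe_b64decode(fernet_key)
    if len(raw_key) != 32:
        raise ValueError("key must decode to 32 bytes")
    signing_key = raw_key[:16]  # raw_key[16:] is the AES-128 encryption key
    data = base64.urlsafe_b64decode(token)
    # Layout: 0x80 | 8-byte timestamp | 16-byte IV | ciphertext (n*16) | 32-byte HMAC
    if len(data) < 73 or data[0] != 0x80 or (len(data) - 57) % 16:
        raise ValueError("malformed token")
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: token modified or wrong key")
    return struct.unpack(">Q", body[1:9])[0]


def build_constructed_token(fernet_key, created, iv, ciphertext):
    """Frame and sign placeholder ciphertext the way Fernet does (sample data only)."""
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    body = b"\x80" + struct.pack(">Q", created) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def flip_one_bit(token, index=30):
    """Simulate a modified database row: index 30 falls inside the ciphertext."""
    data = bytearray(base64.urlsafe_b64decode(token))
    data[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(data))


# Constructed values; a real key would come from the environment variable.
KEY = base64.urlsafe_b64encode(bytes(range(32)))
OTHER_KEY = base64.urlsafe_b64encode(bytes(range(1, 33)))
TOKEN = build_constructed_token(KEY, 1700000000, b"\x11" * 16, b"\x22" * 32)

if __name__ == "__main__":
    print("created:", authenticate_token(TOKEN, KEY))
    for label, tok, key in (("tampered", flip_one_bit(TOKEN), KEY), ("wrong key", TOKEN, OTHER_KEY)):
        try:
            authenticate_token(tok, key)
        except ValueError as err:
            print(label, "->", err)
```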
What happens to my data if I delete my account?
All your data is permanently deleted: encrypted API keys, trade history, deposit records, portfolio snapshots, and user profile. This is a hard delete — no soft-delete, no 30-day retention, no backups kept.
Do you share my trading data with anyone?
No. Your trading history, portfolio value, and transaction data are never shared with third parties. We don't run analytics, don't sell data, and don't show ads. The only external services we integrate with are:
• Binance API — to fetch your history (read-only)
• Stripe — to process payments (they never see your trading data)
• Google/GitHub/Twitter — for OAuth login only (they never see your trading data)
How does the 90-day free tier work?
Binance's own export tool limits you to 90 days at a time. Our free tier matches this — you see the last 90 days of your history across all transaction types (card purchases, P2P, convert, deposits, withdrawals, earn).
The Premium tier ($4.99 one-time + $2.99/month) removes this limit entirely. We fetch your complete history going back to your first Binance transaction, and auto-refresh it every 6 hours so it's always up to date.
Is my connection to your server secure?
Yes. All traffic is encrypted with TLS 1.3 (HTTPS). Your API key travels encrypted from your browser to our server, then encrypted again to Binance. At no point does your key travel in plaintext over the network.
We enforce HSTS (HTTP Strict Transport Security) headers, so browsers refuse to connect over unencrypted HTTP even if someone tries to downgrade the connection.
How do I create a read-only Binance API key?
Step 1: Log in to Binance → go to Account → API Management
Step 2: Click "Create API" → choose "System Generated"
Step 3: Complete 2FA verification
Step 4: In the API restrictions, ensure only "Can Read" is checked. Uncheck everything else (trading, withdrawals, futures).
Step 5: Copy the API Key and Secret — paste them into the form above.
Tip: you can also restrict the key to specific IP addresses for extra security, though this isn't required.
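A fail-closed way to enforce the "rejected at input" rule and to confirm the result of the steps above, shown as an added example (not this service's code). It assumes the key's restriction flags arrive as a dictionary shaped like the response of Binance's `GET /sapi/v1/account/apiRestrictions`; the sample responses and the `enableHypotheticalNewFlag` name are constructed.

```python
# Flags that may be true on an accepted key. Everything else that looks like
# a capability must be exactly False, including flags this code has never seen.
ALLOWED_TRUE = {"enableReading", "ipRestrict"}


def rejection_reasons(restrictions):
    """Return the reasons to reject a key; an empty list means it is read-only."""
    reasons = []
    if restrictions.get("enableReading") is not True:
        reasons.append("enableReading is not true")
    for name in sorted(restrictions):
        value = restrictions[name]
        if name in ALLOWED_TRUE:
            continue
        # Treat enable*/permits* fields and any other boolean as a capability.
        # Non-boolean metadata such as createTime is ignored.
        is_capability = name.startswith(("enable", "permits")) or isinstance(value, bool)
        if is_capability and value is not False:
            reasons.append(f"{name}={value!r}")
    return reasons


def has_ip_allowlist(restrictions):
    """Advisory only: the page treats IP restriction as optional hardening."""
    return restrictions.get("ipRestrict") is True


# Constructed sample responses.
READ_ONLY = {
    "ipRestrict": False, "createTime": 1700000000000, "enableReading": True,
    "enableSpotAndMarginTrading": False, "enableWithdrawals": False,
    "enableFutures": False, "enableMargin": False,
    "enableInternalTransfer": False, "permitsUniversalTransfer": False,
}
TRADING = dict(READ_ONLY, enableSpotAndMarginTrading=True)
UNKNOWN_FLAG = dict(READ_ONLY, enableHypotheticalNewFlag=True)

if __name__ == "__main__":
    for label, sample in (("read-only", READ_ONLY), ("trading", TRADING), ("unknown flag", UNKNOWN_FLAG)):
        reasons = rejection_reasons(sample)
        print(label, "->", "accept" if not reasons else f"reject: {reasons}")
```

Because unknown flags are rejected rather than ignored, a permission type added by the exchange later does not silently pass the check.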
What authentication methods do you support?
We support four login methods:
• Email + Password — password is hashed with bcrypt, never stored in plaintext
• Google OAuth 2.0 — uses Google's secure token exchange
• GitHub OAuth 2.0 — same industry-standard flow
• Twitter/X OAuth 2.0 with PKCE — the most secure OAuth flow available, eliminates shared client secrets
All sessions use HttpOnly, Secure, SameSite=Strict cookies — immune to XSS token theft.
Can I export my data?
Yes. After fetching your history, click the "Export CSV" button ($1 one-time) to download a complete CSV file compatible with:
• Excel, Google Sheets, Numbers
• Crypto tax tools: Koinly, CoinTracker, TaxBit, CoinLedger
• Custom analysis tools and scripts
The CSV includes: date, source, direction, fiat amount, crypto amount, price, fees, and payment method for every transaction.