Security
Securing your account and data is a responsibility you share with us. Frihet implements industry-standard cloud security practices, but you control access to your account.
Authentication
Login with Cloudflare Turnstile
When you log in, Frihet validates your identity using Cloudflare Turnstile, a human-verification system that does not rely on traditional CAPTCHAs.
This process:
- Occurs once per session
- Requires no additional actions in most cases
- Prevents automated access to your account
If you experience issues, ensure JavaScript is enabled in your browser.
Email verification code
After authenticating, you will receive an email with a 6-digit code valid for 15 minutes.
This additional step confirms that it is genuinely you attempting to access your account.
Note: If you did not receive the code, check your spam folder.
Firebase Authentication
Frihet uses Google's Firebase Authentication to securely manage sessions. Your password is stored encrypted and is never directly accessible.
Password Management
Requirements
A valid password must have:
- Minimum 12 characters
- At least 1 uppercase letter, 1 lowercase letter, 1 number, and 1 special character
Valid examples:
Fr1het!2024Secure
P@ssw0rd#Frihet
Banca$2024*Segura
Change password
In Settings > Security > Password:
- Confirm your current password
- Enter the new password (adhering to requirements)
- Confirm the new password
- Click Update
You will be logged out of all your devices. You will need to log in again with the new password.
Forgotten password recovery
If you forget your password:
- On the login screen, click Forgot your password?
- Enter your email
- You will receive an email with a recovery link
- The link is valid for 1 hour
- Create a new password
Devices and Sessions
Active sessions
From Settings > Security > Devices, you can:
- View all devices where you are logged in
- Information: browser, operating system, IP, last activity
- Log out of specific devices
Example:
Chrome on macOS, IP: 192.168.1.100, Last activity: 2 min
Safari on iOS, IP: 192.168.1.101, Last activity: 1 hour
Automatic logout
Inactive sessions are automatically closed after 30 days.
If you attempt to log in from an unrecognized device, you will be prompted for additional verification.
Authorization and Permissions
In future versions, Frihet will support roles and permissions to manage team access:
- Owner (full control)
- Admin (almost all permissions)
- Accountant (access only to invoices and expenses)
- Viewer (read-only)
For now, your account has full access.
Data Privacy
Data we collect
- Your company data (name, NIF, address)
- Invoices, expenses, clients, vendors
- Usage analytics (PostHog, hosted in EU)
- Access and change logs
We do not collect:
- Passwords in plain text
- Credit card data (managed by Stripe)
- Tracking cookies
GDPR Compliance
You have the right to:
- Access: Download a copy of all your data
- Rectification: Correct inaccurate information
- Portability: Export data in a standard format
- Erasure: Delete your account and data
Data Export (GDPR)
Download your data
In Settings > Privacy > Export data:
- Click Request export
- You will receive an email with a link
- The file contains:
  - All your clients, invoices, expenses
  - Account settings
  - Change history
The file is a .zip with data in JSON and CSV, compatible with any software.
The export is generated within a maximum of 48 hours.
Export format
frihet-export-2024-02-09.zip
├── clientes.json
├── facturas.csv
├── gastos.csv
├── configuracion.json
└── historial_cambios.json
Account Deletion (Right to Erasure)
Process
In Settings > Privacy > Delete account:
- Read the warning (it is irreversible)
- Confirm your password
- Click Permanently delete account
A 30-day process will begin:
- Days 1-30: Your account will be inactive, data hidden
- Day 30: Permanent deletion from databases
- Not reversible: You will not be able to recover your account
Before deleting, you can export your data (see previous section).
Security Incidents
If you suspect your account has been compromised:
- Change your password immediately
- Close all sessions in Settings > Security
- Contact support: security@frihet.io
Frihet will investigate and notify you of any detected unauthorized access.
API Keys
If you use Frihet's REST API or MCP server, you can manage your API keys from Settings > API. Each key starts with fri_ and has read and write permissions over your account's resources.
Recommendations:
- Generate independent keys for each integration or environment
- Revoke keys that you no longer use
- Do not share keys in public repositories or in plain text
For more details, consult the API authentication section.
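A check that supports the last recommendation, as an added example (not Frihet's own tooling): it scans files for strings that look like Frihet API keys so they can be caught before a commit. Only the fri_ prefix comes from this page; the key body pattern, the FRIHET_API_KEY variable name and the sample key value are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: the page documents only the "fri_" prefix. The body pattern
# (20 or more URL-safe characters) is a guess; tighten it to the real format.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])fri_[A-Za-z0-9_-]{20,}")


def redact(token):
    """Show just enough of a key to find and revoke it, never the whole value."""
    return f"{token[:8]}...[{len(token)} chars]"


def scan_text(text, source="<input>"):
    """Return one finding per key-like token, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan files (e.g. those staged for commit); unreadable ones are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings.extend(scan_text(handle.read(), source=path))
        except OSError:
            continue
    return findings


# Constructed sample: a config file with one hard-coded key (made-up value),
# one safe reference to a hypothetical environment variable, and a bare prefix.
SAMPLE = """\
FRIHET_API_KEY=fri_EXAMPLEexample0123456789abcd
api_key = os.environ["FRIHET_API_KEY"]
prefix_only = "fri_"
"""

if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for source, lineno, key in results:
        print(f"{source}:{lineno}: possible Frihet API key {key}")
    sys.exit(1 if results else 0)
```

Run with file paths as arguments, it exits non-zero when a key-like string is found, so it can gate a pre-commit hook; any key it reports should be revoked from Settings > API.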
Audit and Compliance
Frihet maintains:
- Immutable change log (Audit Trail)
- TicketBAI compliance in Euskadi
- Traceability of all operations
- Daily encrypted backups
For technical details, consult our documentation on TicketBAI and electronic invoicing.