Security
EmotionLock uses your MT5 investor password exactly once, to establish a read-only connection. After that, it is gone from our systems permanently.
The investor password gives read-only access only. EmotionLock can never place, close, or modify trades on your account. This is enforced by the MT5 protocol itself, not by a software rule.
How it works
The exact journey, step by step.
You type it in the app
Your investor password enters your iPhone. It is never saved to disk, never written to a log file, never sent to analytics. It exists only in memory.
Encrypted in transit
The password is sent over HTTPS/TLS from your device to our Railway backend. The connection is encrypted end-to-end. No one can intercept it.
Backend receives it once
Our backend receives the password and immediately forwards it to MetaAPI. It is never written to our Supabase database. We store only your MT5 server name and account number, not the password.
MetaAPI takes over
MetaAPI stores your encrypted investor password on their SOC2 Type 2 certified infrastructure, purpose-built for MT5 connectivity. This is the only place it persists, and it is not our server.
The app clears the field
The moment the connection succeeds, the app resets the password field to empty. It no longer exists anywhere on your device.
Security facts
EmotionLock only ever asks for your investor password, not your master password. The investor password is a built-in MT5 feature that enforces read-only access at the protocol level. This is not a software restriction. MetaTrader's own protocol physically cannot place trades with an investor password.
Only your MT5 server name and account number are stored in our Supabase database. The investor password is never written to our database. Ever. You can verify this independently in our Privacy Policy.
The only copy of your encrypted password lives on MetaAPI's SOC2 Type 2 certified infrastructure, which is purpose-built for MT5 connectivity and used by over 100,000 traders worldwide.
Every connection between your app, our backend, and MetaAPI is encrypted over HTTPS/TLS. There is no unencrypted path, from first keystroke to final connection.
Our Supabase database has Row Level Security (RLS) enabled on every table. Each user can only access their own data. Anonymous access to sensitive tables is blocked entirely.
When you disconnect your MT5 account in the app, EmotionLock immediately removes your credentials from MetaAPI's systems. You can also invalidate the connection instantly by changing your investor password in MetaTrader 5.
MT5 connectivity powered by MetaAPI · SOC2 Type 2 certified · Used by 100,000+ traders worldwide
Investor password
MetaTrader 5 has two separate passwords for every account. The master password controls everything. It can open trades, close trades, and manage your account.
The investor password is a read-only credential built into the MT5 protocol itself. With it, you can see account information and trade history, but you cannot place a trade, close a trade, modify a position, or withdraw funds. This is enforced by MetaTrader, not by us.
EmotionLock only ever asks for your investor password. This means that even if our entire infrastructure were somehow compromised, your funds could never be touched.
Find your investor password in MT5: Tools > Options > Security
MT5 Password types
Master password
Full trading access. NOT used by EmotionLock.
Investor password
Used by EmotionLockRead-only. Cannot place or close trades.
Security FAQ
No. This is technically impossible. The MT5 protocol itself blocks all write operations when authenticated with an investor password. EmotionLock has never had and never will have master password access. Even our backend code does not contain any trade-execution logic.
Even in a worst-case MetaAPI breach scenario, your investor password can only be used to read trade history, the same data EmotionLock already reads. It cannot be used to place trades, close positions, or withdraw funds. Your account balance is safe.
Two ways: (1) Tap Settings, then MT5 Connection, then Disconnect in the EmotionLock app. This immediately removes your credentials from MetaAPI. (2) Change your investor password in MetaTrader 5 under Tools, Options, Security. This instantly invalidates any stored credential.
Get started
Your MT5 account is safe. EmotionLock is designed to protect you, not just from bad trades, but from bad actors too.
Download on App StoreiOS 16+ · Payments via Apple · Cancel anytime