Draft — requires security review
How we keep your data safe
You are trusting us with financial information. Here is exactly what that trust buys.
We never see your bank credentials
CashMate does not use Plaid, Teller, or any bank-linking aggregator. We do not ask for your online banking password. We cannot log into your bank on your behalf. You enter transactions manually or import them from CSV, which means your bank credentials never exist on our side and cannot be leaked from us.
Row Level Security, enforced in the database
CashMate runs on Supabase (managed PostgreSQL). Every user-scoped table has Row Level Security (RLS) policies that check the authenticated user id on every read and write. Even if an application bug caused a query to reach for another user's data, the database itself would refuse to return or modify those rows. Isolation is enforced at the lowest layer, not in application code.
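The shape of such a policy, as an added illustration rather than CashMate's actual schema: it assumes a Supabase project (the auth.uid() helper that reads the JWT subject) and a hypothetical transactions table keyed by a user_id column.

```sql
-- Added example, not CashMate's real schema: a hypothetical per-user table.
create table if not exists transactions (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  amount     numeric(12, 2) not null,
  memo       text,
  created_at timestamptz not null default now()
);

-- Policies do nothing until RLS is enabled; FORCE applies it to the
-- table owner as well (only roles with BYPASSRLS skip it).
alter table transactions enable row level security;
alter table transactions force row level security;

-- Reads: USING filters rows to the caller's own user_id.
create policy "own rows: select" on transactions
  for select to authenticated
  using (user_id = auth.uid());

-- Inserts: WITH CHECK rejects a row attributed to another user.
create policy "own rows: insert" on transactions
  for insert to authenticated
  with check (user_id = auth.uid());

-- Updates: USING limits which rows may be targeted; WITH CHECK stops
-- re-assigning a row to a different user_id.
create policy "own rows: update" on transactions
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "own rows: delete" on transactions
  for delete to authenticated
  using (user_id = auth.uid());

-- Verification from psql: impersonate the API role with a constructed
-- JWT subject and confirm only that user's rows are visible.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select count(*) from transactions;  -- counts only rows owned by ...0001
rollback;
```

A table with RLS enabled but no policies denies everything to non-bypass roles, so a missing policy shows up as an empty result rather than a leak.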
Encryption in transit and at rest
All traffic between your browser and our servers uses TLS 1.2+. Data at rest is encrypted by the underlying Supabase platform. Backups are encrypted. Passwords are never stored in plaintext — they are hashed with bcrypt before they touch the database.
Sensible security headers
CashMate ships with strict security headers: HSTS in production, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, a restrictive Permissions-Policy, and a Content Security Policy. These headers defend against clickjacking, MIME sniffing, and common XSS vectors.
Session hygiene
Sessions use HTTP-only, Secure, SameSite=Lax cookies. Login flows are rate-limited. Password reset links expire quickly. We do not expose session tokens to JavaScript.
You can export or delete everything
Export your transactions, budgets, and Zakat snapshots as CSV any time. Delete your account from Settings — active records are removed within 30 days, backups within 90. No support ticket gatekeeping.
Reporting a vulnerability
Found a security issue? Email us directly. We respond within 48 hours, acknowledge your report, and publish a coordinated fix timeline. We do not currently run a paid bug bounty, but we credit researchers who help.