Security

Built to protect your plan.

Calcifir holds some of the most sensitive numbers you have. We treat them that way. Here is exactly how your plan is protected — every claim scoped to what is true of our stack today, nothing overstated.

Your data is isolated to your account

Plans live in a managed Postgres database (Supabase) with row-level security — a per-user policy enforced by the database itself, so one account can never read another's rows.

Encrypted in transit and at rest

Every connection is served over HTTPS (TLS), with HTTP Strict Transport Security so browsers refuse to fall back to plain HTTP. Data at rest is encrypted by our infrastructure provider.

Hardened sync, no resurrected data

Cloud sync is tombstone-guarded with an owner-scoped local cache and unique plan ids, so a deleted plan stays deleted and a shared device can't leak another account's plans.

We never store your card

Payments run through Stripe Checkout with idempotent webhooks. Card details go straight to Stripe — Calcifir never sees or stores them. And we never ask for your bank logins.

Your data, on demand

Export your full plan whenever you want, and delete your account and its data yourself — no support ticket required. We never sell, share, or mine your financial information.

Defense-in-depth headers

Responses set X-Frame-Options: DENY (no clickjacking via iframes), X-Content-Type-Options: nosniff, a strict referrer policy, a locked-down permissions policy, and a content-security policy (currently in monitoring mode).

Honestly scoped

A security page should be as honest about its limits as its strengths:

  • Calcifir is not itself SOC 2 certified. Our infrastructure provider, Supabase, maintains its own compliance program for the platform we run on.
  • Our content-security policy currently runs in monitoring (report-only) mode while we tune it — it reports violations but does not yet block them.
  • We’re a small team shipping quickly. If you find a security issue, email security@calcifir.com and we’ll respond.

This summary reflects how Calcifir works today and is updated as our security posture evolves. See also our privacy commitments.