Placeholder — final legal language pending attorney review.
Sign-in is handled by Supabase Auth. We never store your password — it's hashed and managed by our auth provider, not in plain text in our database.
Every table (life items, documents, tasks, links, categories) enforces row-level security in Postgres, scoped to your household membership. Even if a query is crafted maliciously, the database itself blocks access to other households' data.
Uploaded documents live in a private storage bucket, organized by household, and are never publicly listable. Access is only ever granted through short-lived signed URLs generated on demand — there is no permanent public link to any document.
Crecivo never embeds your bank, insurer, or password manager inside an iframe to capture credentials. Every outbound link opens the provider's real site directly.
If you believe you've found a security issue, let us know below and we'll investigate and respond promptly.