Crecivo.

Security Overview

Placeholder — final legal language pending attorney review.

Authentication

Sign-in is passwordless — a one-time code sent to your email, or Google sign-in — so there's no password for us to store at all. Optional multi-factor authentication (authenticator app or text message) is available free, for anyone who wants an additional sign-in step. All of this is handled by Supabase Auth.

Bank and mortgage connections

Bank and mortgage account connections are not currently available. When we launch this feature, it will be brokered by Plaid — your bank credentials would be entered into Plaid's own secure flow and never touch our servers, and we'd store only an encrypted access token rather than balances or mortgage data.

Row-level isolation

Every table (life items, documents, tasks, links, categories) enforces row-level security in Postgres, scoped to your household membership. Even if a query is crafted maliciously, the database itself blocks access to other households' data.

Documents

Uploaded documents live in a private storage bucket, organized by household, and are never publicly listable. Access is only ever granted through short-lived signed URLs generated on demand — there is no permanent public link to any document.

No iframing of third parties

Crecivo never embeds your bank, insurer, or password manager inside an iframe to capture credentials. Every outbound link opens the provider's real site directly.

Reporting a concern

If you believe you've found a security issue, let us know below and we'll investigate and respond promptly.