Security
Clearview Savings is a memory-care companion application, not a real financial institution. The data we hold is simulated banking display data, caregiver email addresses, and the display names of the people caregivers set up. We do not handle real banking credentials or real money.
Reporting a vulnerability
If you believe you have found a security issue, please email security@clearviewsavings.com with a short description and reproduction steps. We will reply within seven days to acknowledge the report and to coordinate a fix and disclosure window.
Please do not test against other caregivers’ accounts, do not run automated scans that generate significant traffic, and do not publish details of an issue before we have had a chance to address it. Good-faith research that follows these limits is welcome.
Security posture
- Authentication. Email + password via Supabase Auth, with mandatory email confirmation before a caregiver dashboard becomes reachable.
- Multi-tenancy. Every data row in the database is gated by PostgreSQL Row-Level Security policies keyed to the caregiver id. Cross-tenant access is prevented at the database layer, not just in application code.
- Encryption. All traffic to the application is over TLS. The Supabase-managed database is encrypted at rest.
- Transactional email. Sent via Resend with SPF, DKIM, and DMARC alignment on clearviewsavings.com. No marketing email is sent under any circumstance.
- Error tracking. Server- and client-side errors are captured by Sentry. Session replay is disabled to keep patient-visible screens out of any captured trace.
- Rate limiting. Sign-up, sign-in, and password-reset endpoints are rate-limited per IP to slow credential-stuffing attempts.
- No real banking data. No account numbers, no routing numbers, no payment cards, no integration with any real financial institution. There is no real money to steal.
- No regulated health data. The product stores no diagnoses, no clinical records, and nothing that would meet the definitions of PHI under HIPAA or PHIPA.
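As an added illustration of the multi-tenancy point above (this is example SQL written for this page, not the project's own schema or migrations), here is how a per-caregiver Row-Level Security policy is typically expressed on a Supabase-managed PostgreSQL database. The table name `simulated_accounts` and its columns are assumptions; `auth.uid()` is the Supabase helper that returns the id of the caller's authenticated user.

```sql
-- Added example, not the project's own code. Table and column names are assumed.
create table if not exists simulated_accounts (
  id            uuid primary key default gen_random_uuid(),
  caregiver_id  uuid not null references auth.users (id),
  display_name  text not null,
  balance_cents bigint not null default 0
);

-- Turn RLS on. With no policies defined, the table returns no rows to
-- ordinary roles, so a missing policy fails closed rather than open.
alter table simulated_accounts enable row level security;

-- Apply the policies to the table owner as well, so a connection that
-- happens to own the table cannot silently skip the tenant check.
alter table simulated_accounts force row level security;

-- Every operation is keyed to the caller's own caregiver id.
-- USING filters which existing rows are visible or modifiable;
-- WITH CHECK rejects new or updated rows that would belong to another tenant.
create policy caregiver_select on simulated_accounts
  for select using (caregiver_id = auth.uid());

create policy caregiver_insert on simulated_accounts
  for insert with check (caregiver_id = auth.uid());

create policy caregiver_update on simulated_accounts
  for update using (caregiver_id = auth.uid())
             with check (caregiver_id = auth.uid());

create policy caregiver_delete on simulated_accounts
  for delete using (caregiver_id = auth.uid());
```

The check a reviewer would want: connect as the `authenticated` role with a JWT for caregiver A, run `select * from simulated_accounts`, and confirm that none of caregiver B's rows appear and that an `update` setting `caregiver_id` to B's id is rejected by the `with check` clause. Note that Supabase's service-role key bypasses RLS entirely, so it must only ever be used server-side and never shipped to the browser.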
Scope of this policy
This policy covers clearviewsavings.com and the application served from it. Third-party services we depend on (Supabase, Resend, Sentry, Vercel) publish their own security posture; issues you find in them should be reported to those providers directly.