Security

This page summarizes the security posture SettleEase currently exposes publicly. It is not a guarantee of risk-free operation, but it is meant to describe the controls that are actually in place.

Last updated April 11, 2026

Access control

  • Authentication, account state, and billing entitlements are enforced server-side.
  • Privileged keys and service-role access should remain on backend systems only and must not be shipped in the client app.
  • User-specific access is expected to be constrained by row-level policies and authenticated edge-function checks.

Data handling

  • Sensitive files are uploaded through app-managed storage instead of embedding privileged cloud credentials in the app.
  • Subscription verification happens against Google Play APIs from backend services.
  • Support, receipt, and billing flows are logged and synced server-side for auditability and entitlement control.

Operational limits

No internet-connected service can guarantee perfect security. If SettleEase learns of a material security issue affecting users, the team should investigate, contain, remediate, and communicate appropriately based on the scope of the incident.