CostLoop is a subscription and recurring cost tracker for small businesses and freelancers. This page summarises the security measures, infrastructure, and data practices in place. If you have additional questions, contact us at [email protected].
Infrastructure & Hosting
The CostLoop marketing website is deployed via Cloudflare Pages, one of the world's largest and most trusted CDN and security platforms. Cloudflare provides DDoS protection, Web Application Firewall (WAF), and automatic edge caching across 300+ global data centres.
All traffic to costloop.app and app.costloop.app is served exclusively over HTTPS with TLS 1.2/1.3. HTTP requests are automatically redirected to HTTPS. HTTP Strict Transport Security (HSTS) is enabled. You can verify our SSL configuration independently via SSL Labs.
CostLoop sets the following HTTP security headers on all responses: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (camera, microphone, geolocation, and payment all disabled), X-XSS-Protection, and Cross-Origin-Opener-Policy.
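To check a deployment against the header policy described above, here is an added example audit script (not CostLoop's own code). The sample header sets are constructed inline, and the one-year HSTS minimum is an assumption the page does not state.

```python
"""Audit a set of HTTP response headers against the policy listed on this page."""
import re


def max_age(value: str) -> int:
    """Extract the max-age directive from a Strict-Transport-Security value (0 if absent)."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def disabled_features(value: str) -> set:
    """Return the Permissions-Policy features whose allowlist is empty, i.e. disabled for every origin."""
    disabled = set()
    for directive in value.split(","):
        name, _, allowlist = directive.strip().partition("=")
        if allowlist.strip() == "()":
            disabled.add(name.strip().lower())
    return disabled


# Header name (lowercase) -> predicate over its value, or None when the header is missing.
REQUIRED = {
    "strict-transport-security": lambda v: v is not None and max_age(v) >= 31536000,  # one year: assumed minimum
    "x-content-type-options": lambda v: v is not None and v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v is not None and v.strip().upper() == "DENY",
    "referrer-policy": lambda v: v is not None and v.strip().lower() == "strict-origin-when-cross-origin",
    "permissions-policy": lambda v: v is not None
    and {"camera", "microphone", "geolocation", "payment"} <= disabled_features(v),
    "cross-origin-opener-policy": lambda v: v is not None
    and v.strip().lower() in ("same-origin", "same-origin-allow-popups"),
    "x-xss-protection": lambda v: v is not None,  # legacy header; presence only, since the page lists it
}


def audit(headers: dict) -> list:
    """Return the names of headers that are missing or weaker than the stated policy."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return [name for name, ok in REQUIRED.items() if not ok(lowered.get(name))]


# Constructed samples, not captured from costloop.app.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "X-XSS-Protection": "0",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK = {**GOOD, "X-Frame-Options": "SAMEORIGIN", "Permissions-Policy": "camera=(), microphone=(self)"}
del WEAK["Strict-Transport-Security"]

if __name__ == "__main__":
    print("GOOD findings:", audit(GOOD))
    print("WEAK findings:", audit(WEAK))
```

Feed it the headers from a real response (for example the dict returned by an HTTP client) to see which parts of the stated policy a deployment actually meets.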
costloop.app has no malware, phishing, or unsafe content flags. Verify independently: Google Safe Browsing.
Data & Privacy Practices
CostLoop never connects to your bank account, requests banking credentials, or integrates with open banking APIs. Users add subscriptions manually. No sensitive financial data is stored on CostLoop servers.
Billing and payment processing is handled entirely by Stripe, Inc. - a PCI DSS Level 1 certified payment processor. CostLoop never sees, stores, or processes raw payment card numbers. Stripe's security documentation is available at stripe.com/docs/security.
User account data and subscription records are stored in Supabase, hosted within the European Union. Supabase is SOC 2 Type II compliant and encrypts data at rest and in transit. Passwords are hashed and never stored in plain text.
CostLoop does not sell user data to third parties, does not use advertising trackers, and does not build user profiles for marketing purposes. The only analytics tool used is Google Analytics with Consent Mode v2 - no data is collected without explicit user consent.
Compliance & Regulations
CostLoop is committed to global privacy compliance. The following regulations are addressed in our Privacy Policy:
Independent Verification
You can verify CostLoop's security status independently using the following tools - no account required:
Subprocessors
CostLoop uses a minimal set of third-party service providers to deliver the service. A full list including the purpose, data processed, and transfer mechanisms for each provider is available on our Subprocessors page.
Current subprocessors: Stripe (payments), Supabase (database & auth, EU-hosted), Resend (transactional email), Vercel (web hosting). All non-EU providers operate under Standard Contractual Clauses (SCCs).
Responsible Disclosure
If you discover a security vulnerability in CostLoop, please report it responsibly by emailing [email protected] with the subject line "Security Disclosure". We will acknowledge receipt within 2 business days and work to resolve confirmed issues promptly. We do not operate a bug bounty programme at this time.
Our security disclosure policy is also documented at /.well-known/security.txt.
Contact
For security-related questions, IT whitelisting requests, or enterprise security reviews, contact us at [email protected]. We respond within 1 business day.