Security Statement
Last updated: June 26, 2026
1. Our security approach
PayCycl handles personal finance information, so we treat security as a product requirement. We use practical safeguards designed to protect account access, reduce unnecessary data exposure, and keep sensitive financial records available only to the right user.
2. Transport and session security
- PayCycl is served over HTTPS in production.
- Authentication uses cookies with the Secure attribute in production, and the main authentication token cookie is marked HttpOnly so that page scripts cannot read it.
- Session cookies use the SameSite attribute to reduce cross-site request forgery risk.
- We separate the app domain from the API domain while keeping production cookies scoped for PayCycl access.
3. Access controls
We design account and API access around authenticated users, ownership checks, and least-privilege operational access. You should keep your email account, Google account if used, devices, and browser sessions secure because they can affect access to PayCycl.
4. Data minimization, logs, and backups
We aim to collect only what PayCycl needs to provide personal finance tracking, group payments, reports, reminders, and related account features. Operational logs and backups may be retained for reliability, security, recovery, or legal reasons, but should not be used for unrelated purposes.
5. No perfect security guarantee
No internet service can guarantee perfect security. If we discover a security incident that materially affects users, we will investigate, take appropriate steps to reduce harm, and provide notice where required.
6. Responsible disclosure
If you believe you found a security issue, email security@paycycl.com. Please do not include another user's real financial data in a report, and do not test in a way that disrupts PayCycl or accesses data that is not yours.