Security

Last updated: April 11, 2026

Authentication

Cancelette uses passwordless magic link authentication powered by Supabase. We never store passwords. Sign-in links expire after 1 hour and can only be used once. Sessions are managed via secure, httpOnly cookies that cannot be accessed by JavaScript.

Gmail access

When you connect Gmail, Cancelette requests the minimum required permissions:

  • gmail.readonly — to scan billing receipt emails and detect subscriptions
  • gmail.send — to send cancellation emails on your behalf, only when you explicitly approve

We never read full email body content — only subject lines and snippets. Raw email data is processed in memory and immediately discarded. We never store email content. You can revoke Gmail access at any time from your Google Account settings.

Data security

  • All data is encrypted in transit via TLS 1.3
  • Database encrypted at rest via Supabase (AES-256)
  • Row Level Security enforced on all database tables — users can only access their own data
  • Payment processing via Stripe — we never see or store card numbers
  • API rate limiting on all endpoints to prevent abuse
  • Security headers on all responses (X-Frame-Options, CSP, HSTS)
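
The Row Level Security point above is the one that actually makes "users can only access their own data" hold at the database layer. The following is an added illustration, not Cancelette's own schema or policies: it assumes a Supabase Postgres project, where auth.uid() returns the id of the caller derived from the session JWT, the authenticated role is the role API requests run as, and auth.users is the built-in users table. The subscriptions table and its columns are constructed for the example.

```sql
-- Added illustration (not Cancelette's schema): a Supabase-style RLS setup
-- where every row carries the owning user's id and each policy compares it
-- to auth.uid(), the caller's id taken from the session JWT.

create table subscriptions (
  id           bigint generated always as identity primary key,
  user_id      uuid not null default auth.uid() references auth.users (id),
  merchant     text not null,
  amount_cents integer not null check (amount_cents >= 0),
  created_at   timestamptz not null default now()
);

-- Policies are only consulted once RLS is enabled on the table.
alter table subscriptions enable row level security;
-- Apply RLS to the table owner as well, so a connection running as the
-- owner does not silently bypass the policies.
alter table subscriptions force row level security;

-- One policy per command so that read and write checks are both explicit.
create policy "own rows: select" on subscriptions
  for select to authenticated
  using (user_id = auth.uid());

create policy "own rows: insert" on subscriptions
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "own rows: update" on subscriptions
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "own rows: delete" on subscriptions
  for delete to authenticated
  using (user_id = auth.uid());

-- Check: list tables in the public schema that do NOT have RLS enabled.
-- An "RLS on all tables" claim should make this query return no rows.
select n.nspname as schema, c.relname as "table"
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

The update policy carries both a using clause (which rows may be targeted) and a with check clause (what the row may look like afterwards); without the latter a user could reassign one of their own rows to another user_id. The final query is the kind of check worth running in CI so that a newly created table cannot ship without RLS.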

Responsible disclosure

We take security seriously. If you discover a vulnerability in Cancelette, please report it responsibly:

  • Email us at security@cancelette.com
  • Include a description of the vulnerability and steps to reproduce
  • Give us reasonable time to fix it before public disclosure

We will acknowledge your report within 48 hours and keep you updated on our progress.

Zero bank credentials. Cancelette never asks for your bank login, bank account number, or any financial credentials. We track subscriptions through Gmail receipts only. If any app claiming to be Cancelette asks for your bank password — it is not us.