Security at Cost Me

Last Updated: May 17, 2026

Cost Me is built around a privacy-first architecture, with most of your financial data residing on your device. We apply industry-standard security practices to protect the limited data that reaches our infrastructure, and we welcome responsible disclosure from the security-research community.

Our security posture

  • All traffic to and from the Cost Me application and website is encrypted in transit using industry-standard TLS.
  • Sensitive identifiers on the device are stored in iOS's hardware-backed secure storage. The app's transaction store is excluded from device backups.
  • Our backend infrastructure is hosted with reputable cloud providers and protected by a layered authentication model, including per-request cryptographic signatures and replay-attack protection.
  • We follow the principle of least privilege: each component has access only to the data it needs.
  • We use no third-party analytics SDKs or advertising trackers in the application.

Reporting a vulnerability

If you believe you have discovered a security vulnerability in the Cost Me iOS application, the marketing website (costme.io), or the chat backend, please report it responsibly by emailing CostMeSupport@marcymail.com.

Please include sufficient information for us to reproduce the issue, including the affected URL or app version, steps to reproduce, and any proof-of-concept materials. We will acknowledge receipt within seventy-two (72) hours and provide a remediation timeline within seven (7) days.

What we ask

  • Do not exploit a vulnerability beyond what is necessary to confirm its existence.
  • Do not access, modify, or exfiltrate data belonging to other users.
  • Do not perform denial-of-service testing, brute-force attacks, or social engineering against Cost Me, its users, or its employees.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate.
  • Comply with all applicable laws.

Our commitment

We commit to investigating reports in good faith. Provided you follow the responsible-disclosure practices above, we will not pursue legal action against you for your research activities. We may, at our discretion, publicly acknowledge reporters who report verified, material vulnerabilities.

Out of scope

The following are generally considered out of scope for vulnerability reports:

  • Missing security headers without a demonstrable exploit.
  • Denial-of-service vulnerabilities.
  • Rate-limiting bypasses without a privilege escalation.
  • Self-XSS.
  • Attacks requiring physical access to a user's device.
  • Third-party software vulnerabilities.
  • Social-engineering attacks.
  • Reports generated by automated scanners without manual verification.

Machine-readable contact

A security.txt file is available per RFC 9116.