Contents · 10 sections
Our Commitment to Security
At Colvesta, the security of your data is a core responsibility — not an afterthought. We design our systems with security in mind from the ground up, and we continuously work to protect the personal information and collection data you entrust to us.
This page describes the technical and organizational measures we take to keep your account and data safe.
Account Security
Authentication
Colvesta does not store passwords. All authentication is handled through trusted third-party providers — Google Sign-In and Apple Sign In — which use industry-standard OAuth 2.0 protocols. Your credentials never pass through or are stored on Colvesta's servers.
Session Management
Active sessions are managed with short-lived, signed tokens. If suspicious activity is detected on your account, sessions may be invalidated automatically.
What you can do
The security of your account also depends on the strength of your Google or Apple account. We strongly recommend enabling two-factor authentication on whichever provider you use to sign in to Colvesta.
Data Protection
Encryption in transit
All data transmitted between the Colvesta app and our servers is encrypted using TLS (Transport Layer Security). This applies to every request — from loading your collection to uploading images.
Encryption at rest
Personal data and collection content stored in our databases is encrypted at rest. Images and media files are stored in access-controlled cloud storage with encryption enabled by default.
Payment data
Colvesta does not process, store, or have access to any payment or billing information. All Pro tier subscriptions are handled entirely by Apple (App Store). Payment data is governed by Apple's security standards, which include PCI DSS compliance.
Infrastructure
Colvesta is hosted on reputable, enterprise-grade cloud infrastructure. Our infrastructure providers maintain their own comprehensive security programs, including physical security, network isolation, and compliance certifications.
We use Supabase Edge Functions for server-side logic and market data caching, designed to minimize the exposure of sensitive operations to the client layer.
Access to production systems is restricted to authorized personnel only, using role-based access controls and audit logging.
Application Security
We follow secure development practices throughout our engineering process, including:
- Input validation and sanitization to prevent injection attacks
- Rate limiting on API endpoints to reduce abuse and brute-force risks
- Dependency monitoring to identify and patch known vulnerabilities in third-party libraries
- Regular review of authentication flows and data access patterns
As Colvesta is an iOS-native application, we also adhere to Apple's App Store security guidelines and leverage platform-level security features including secure enclave and app sandboxing where applicable.
Vulnerability Disclosure
We take security reports seriously. If you believe you have discovered a security vulnerability in Colvesta, we ask that you disclose it to us responsibly before making it public.
Please report security concerns to: support@colvesta.com
Include as much detail as possible — steps to reproduce, potential impact, and any relevant screenshots or logs. We will acknowledge your report within 72 hours and work to resolve confirmed vulnerabilities promptly.
We ask that you do not access, modify, or delete any data that is not your own during your research, and that you give us reasonable time to address the issue before public disclosure.
Data Breach Response
In the unlikely event of a data breach that affects your personal information, we will:
- Investigate and contain the incident as quickly as possible
- Notify affected users within a reasonable timeframe, in accordance with applicable law
- Take corrective action to prevent recurrence
- Cooperate with relevant authorities as required
Limitations
While we take security seriously and invest in strong protections, no system is completely immune to risk. We cannot guarantee that unauthorized access, data loss, or disclosure will never occur. We encourage you to take steps to protect your own account, including keeping your authentication provider credentials secure and reporting any suspicious activity promptly.
Changes to This Page
We may update this Security page as our practices evolve. When we do, we will revise the "Last updated" date at the top. Significant changes will be communicated through the app or via email.
Contact
For any security-related questions or to report a vulnerability, contact us at: