CACulator.io security overview

CACulator.io is operated by Gulf Holdings LLC. The app enforces authenticated access and row-level data isolation so each customer's scenarios, board books, and connected metrics are visible only to that account and any teammates the owner has invited.

Payment processing is handled by Stripe. CACulator.io does not see or store full payment card numbers — Stripe captures card details directly and confirms subscription lifecycle events through signed webhooks.

Board book viewer links are issued per recipient, expire on revoke, and every PDF page carries the recipient email plus a forensic hash embedded in the document metadata so a leaked copy can be traced back to the source recipient.

Connected data (e.g. read-only Stripe sync) is scoped to the operator who authorized it and is never shared across accounts. Cohort benchmarks are computed only on opted-in, anonymized inputs — see the Privacy Policy for details.

Report security concerns to security@caculator.io with enough detail to reproduce the issue.