Security Practices

Last updated: 11 April 2026

We take the security of your account, your rewards, and your personal data seriously. This page explains the protections we've built into CoinJeeto and what you can do to keep your account safe.

1. Authentication

  • We use Google Sign-In exclusively. We never see or store your Google password.
  • Sessions use Firebase Authentication with short-lived tokens that are automatically refreshed.
  • When you sign out, all tokens on that device are immediately invalidated.

2. Data in transit

  • All traffic between the CoinJeeto app and our servers uses HTTPS with TLS 1.2+.
  • Third-party API calls (PubScale, CPX Research, Cashfree) are made over TLS.
  • The Android app ships with a network_security_config.xml that blocks cleartext traffic for all domains.

3. Data at rest

  • User accounts and transaction history are stored in Google Firestore (asia-south1, Mumbai) with encryption at rest.
  • Access to the production database is restricted to a small set of engineers via Google Cloud IAM.
  • Passwords are never stored because we use Google Sign-In.
  • Firestore security rules enforce that a user can only read and write their own document — you cannot access any other user's data even with valid auth.

4. Fraud prevention

Reward fraud is the biggest threat to any earn-to-cash app. We've built several layers of detection:

  • VPN / proxy detection — rewarded flows (surveys, offers, videos) are disabled when we detect a VPN, proxy, or Tor connection. Using a VPN to farm rewards violates our Terms of Service.
  • Root & tamper detection — rooted devices, emulators, and modified APKs cannot earn rewards.
  • Device fingerprinting — each device has a unique identifier that prevents the same phone from opening multiple accounts.
  • Velocity checks — automated review flags accounts that earn unusually fast or complete offers in humanly-impossible sequences.
  • Partner postback validation — we only credit offers after a signed server-to-server postback. We never trust client-side events for real money.
  • Manual review — first payouts above ₹100 are manually reviewed.

5. Payout security

  • UPI payouts go through Cashfree Payouts and Razorpay — both RBI-licensed payment aggregators.
  • We validate your UPI ID before submitting the payout. Failed payouts are automatically returned to your Jeeto balance.
  • CoinJeeto never stores your UPI PIN, bank password, or debit-card information.
  • Gift cards are issued by Xoxoday Plum and Tango Card and delivered directly to the email you specified.

6. Infrastructure

  • Hosted on Google Cloud Platform (Firebase) — ISO 27001, SOC 2 Type II certified.
  • Automated Firestore backups every 24 hours, retained for 30 days.
  • Crash monitoring via Firebase Crashlytics (PII scrubbed before upload).
  • Release builds signed with a dedicated upload key held offline. Debug builds are never distributed publicly.
  • Dependency updates reviewed weekly; security advisories patched within 48 hours.

7. Responsible disclosure

If you think you've found a security vulnerability, email security@coinjeeto.com. We ask that you:

  • Give us a reasonable time (usually 90 days) before public disclosure.
  • Do not access, modify, or delete user data other than your own test accounts.
  • Do not run automated scans that degrade the service.
  • Provide enough detail for us to reproduce the issue.

Valid, impactful reports are eligible for a thank-you reward paid in Jeetos (or INR if you prefer). We publicly credit you in a "Hall of Fame" once the fix ships, unless you ask to remain anonymous.

8. Tips to keep your account safe

  • Enable 2-Step Verification on your Google account.
  • Never share your UPI PIN with anyone claiming to be from CoinJeeto. We will never ask.
  • Only download the app from our official website or the Google Play Store. Beware of fake "CoinJeeto mod APKs".
  • Be suspicious of anyone offering to "boost your Jeetos".
  • Report anything that looks wrong to security@coinjeeto.com.