Security · Updated June 2026

Is CueFlow & CueBill Secure? How We Protect Your Club's Data

July 1, 2026 · 8 min read

If you run your club on CueFlow, you may have come across a competitor's comparison page claiming that the CueBill app 'exposes Supabase database credentials and Google API keys', and that your members' phone numbers and khata balances are therefore at risk. Your members' trust is your business, so this deserves a clear, honest, technical answer rather than marketing. Here it is — and the short version is that your data is safe, for reasons any engineer can verify.

The claim, and the straight answer

The accusation is that because a key can be read out of the CueBill app, anyone can pull it and read your club's data. It sounds alarming. It is also based on blurring the single most important distinction in modern app security: the difference between a publishable key that is meant to be public, and a secret key that never leaves the server.

CueBill's app contains a publishable key — exactly as every professional app built on modern cloud platforms does. That key is not a database credential, and on its own it cannot read a single row of your club's data. The protection that actually matters lives on the server, and it is fully in place. Below is precisely how it works.

Publishable keys vs secret keys — the distinction that matters

Almost every app you already trust — your bank's app, your favourite shopping app, ride-hailing apps — ships a publishable key inside it. Platforms like Supabase, Google Firebase, Stripe and Google Maps all issue two kinds of key: a publishable one for the app, and a secret one for the server. The vendors document, in writing, that the publishable key is safe to include in client code.

A useful way to picture it: a publishable key is like the public street address of a bank. Anyone can read it, but knowing the address does not let you into the vault. It only tells the app which backend to talk to. The keys the comparison page points at — the Supabase publishable key, the Firebase configuration key, and the Google Sign-In client IDs — are all public identifiers of exactly this kind. None of them is a 'credential to your database'.

Row-Level Security: your data only ever answers to you

Here is the part the accusation leaves out — the part that actually protects your members. Every data table behind CueFlow and CueBill is guarded by Row-Level Security, enforced by the PostgreSQL database itself on our servers. We run Row-Level Security on all data tables, backed by 64 access policies that scope every request to the club that made it, using server-side membership and role checks.

In plain terms: even if someone reads the publishable key straight out of the app and sends a request with it, the database will only ever return rows that belong to their own authenticated club. There is no path from that key to another club's customers, credit balances or bills. The key opens the front door of the building; every room inside has its own lock, keyed to you alone.
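To make that mechanism concrete, here is an added example of what a club-scoped Row-Level Security setup looks like in PostgreSQL on Supabase. It is illustrative code written for this page, not CueFlow's schema or any of its 64 policies: the tables (`clubs`, `club_staff`, `members`), their columns and the sample rows are all assumptions. `auth.uid()` is Supabase's helper that returns the authenticated user's ID from the request's JWT, and `anon`, `authenticated` and `service_role` are the database roles Supabase maps incoming requests to.

```sql
-- Illustrative club-scoped RLS setup (assumed schema, not CueFlow's).
create table public.clubs (
  id   uuid primary key,
  name text not null
);

-- Which authenticated users may act for which club.
-- In a real Supabase project user_id would reference auth.users(id);
-- the FK is left out here so the sample rows below can be inserted directly.
create table public.club_staff (
  club_id uuid not null references public.clubs(id),
  user_id uuid not null,
  role    text not null check (role in ('owner', 'staff')),
  primary key (club_id, user_id)
);

-- The sensitive data: one row per club member.
create table public.members (
  id            uuid primary key default gen_random_uuid(),
  club_id       uuid not null references public.clubs(id),
  phone         text not null,
  khata_balance numeric(12, 2) not null default 0
);

-- 1. Enable RLS. From now on, a role without BYPASSRLS gets zero rows
--    unless some policy explicitly lets it through (default deny).
alter table public.club_staff enable row level security;
alter table public.members    enable row level security;

-- 2. A user may read only their own staff memberships. This policy is also
--    what lets the subqueries in policies 3 and 4 see anything at all, since
--    those subqueries run under club_staff's own RLS.
create policy "staff read own memberships"
  on public.club_staff for select
  to authenticated
  using (user_id = auth.uid());

-- 3. Member rows are readable only by staff of the same club.
--    "to authenticated" means the anon role (a request carrying just the
--    publishable key and no login) matches no policy and gets nothing.
create policy "members readable by own club staff"
  on public.members for select
  to authenticated
  using (
    club_id in (select s.club_id from public.club_staff s
                where s.user_id = auth.uid())
  );

-- 4. Writes are scoped the same way; WITH CHECK stops a caller from
--    inserting or moving a row into a club they do not own.
create policy "members writable by own club owners"
  on public.members for all
  to authenticated
  using (
    club_id in (select s.club_id from public.club_staff s
                where s.user_id = auth.uid() and s.role = 'owner')
  )
  with check (
    club_id in (select s.club_id from public.club_staff s
                where s.user_id = auth.uid() and s.role = 'owner')
  );

-- Constructed sample data (inserted as the table owner, which RLS does not
-- apply to): two clubs, one owner each, two members each.
insert into public.clubs values
  ('11111111-1111-1111-1111-111111111111', 'Club A'),
  ('22222222-2222-2222-2222-222222222222', 'Club B');
insert into public.club_staff values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'owner'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'owner');
insert into public.members (club_id, phone, khata_balance) values
  ('11111111-1111-1111-1111-111111111111', '+91-9000000001', 150.00),
  ('11111111-1111-1111-1111-111111111111', '+91-9000000002',   0.00),
  ('22222222-2222-2222-2222-222222222222', '+91-9000000003',  75.50),
  ('22222222-2222-2222-2222-222222222222', '+91-9000000004',  20.00);

-- Self-check: impersonate Club A's owner the way the API layer does (set the
-- role and JWT claims for this transaction only) and count visible rows.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}';
  select count(*) from public.members;   -- 2: Club A's members only
  -- Writing into Club B would be rejected by the WITH CHECK clause:
  -- insert into public.members (club_id, phone)
  --   values ('22222222-2222-2222-2222-222222222222', '+91-9000000099');
rollback;

-- The same query with no login at all (anon role) returns nothing:
begin;
  set local role anon;
  select count(*) from public.members;   -- 0
rollback;
```

Two points are worth checking in any such setup. First, the scoping must be enforced by the database, as here, not by a `club_id` filter the app adds to its query; a request that omits the filter must still get only its own club's rows. Second, Supabase creates `service_role` with `BYPASSRLS`, so every policy above is irrelevant to a request signed with that key, which is precisely why it belongs in server-side environment configuration and never in the app bundle.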

The real secrets stay on our servers

Cloud platforms do issue one powerful 'master' key — in Supabase's case, the service role key — that can bypass Row-Level Security. If that key ever shipped inside an app, it would be a genuine problem.

It does not. In CueBill it exists only inside our server-side functions, read from a protected server environment, and it appears nowhere in the app that runs on your phone. Privileged operations — subscription validation, push notifications, payment webhooks — execute on the server, never as raw commands from the device. Data also travels encrypted in transit, as standard.

Bank-grade session handling

We go beyond the baseline on the things that genuinely matter:

  • Your login session is stored in the device's hardware-backed secure store — the iOS Keychain or Android Keystore — not in plain, readable storage.
  • Sign-in uses the PKCE flow, the modern standard designed to stop tokens being intercepted.
  • Access to sensitive actions is enforced by server-side roles and permissions, not by merely hiding buttons in the interface.
  • Every club's data is isolated at the database layer, so there is no cross-club visibility even for authenticated users.

Why the 'exposed keys' claim doesn't hold up

We will be measured here, because the facts do the work. The comparison page making this accusation — Cuetronix — is itself built on Supabase. Its own website ships a Supabase project URL and a publishable key to every visitor's browser, exactly as our app does. We are not suggesting their product is insecure for it; it isn't, and neither is ours. That is the whole point: shipping a publishable key to the client is how these platforms are designed to work, for them and for us.

So the 'exposed keys equals a data leak' claim does not survive contact with how the technology actually works. Reading a publishable key out of an app is the same as opening the developer tools on any website and seeing the public keys it uses — routine and harmless. Without a valid login and a matching Row-Level Security policy, that key returns nothing sensitive. Anyone describing a publishable key as a 'breach' is either misunderstanding the platform they themselves rely on, or hoping you will not check.

How we keep our comparisons honest

One more thing worth saying plainly, because reputation cuts both ways. When a competitor publishes their pricing or ships a new feature, we update our comparison pages to reflect it — because a comparison is only useful if it is true. We do not call rivals 'scams', and we do not invent 'data leaks' to scare their customers.

If you have read claims of that kind about CueFlow or CueBill, weigh the source and the motive. Software should be chosen on how it runs your club and how it protects your members — verifiable facts — not on the loudest accusation. We are happy to be judged on exactly that.

How to judge any club software's security

Do not take anyone's word for it — including ours, or a comparison page's. Ask any vendor these four questions, and the answers will tell you far more than a scary headline:

  • Is Row-Level Security enabled on every data table? (CueFlow: yes — on all data tables, 64 policies.)
  • Does the admin / service key ever ship inside the app? (CueFlow: no — server-side only.)
  • Where is my login session stored? (CueFlow: the phone's hardware-backed keystore.)
  • Do privileged actions run on the server, or as raw commands from the client? (CueFlow: server-side functions.)

The bottom line

CueFlow and CueBill are built the way professional, production software is built: publishable keys in the client, real secrets on the server, and Row-Level Security ensuring every club only ever sees its own data. Your members' phone numbers and khata balances are protected by the database itself, not by hoping nobody opens the app file — and 500+ clubs, supported by Khushi Catalyst, run on exactly this architecture every day.

If a comparison has to misrepresent how app keys work to make its case, that tells you more about the comparison than about CueFlow. You can start a 7-day free trial and evaluate the real thing in your own club.

Frequently asked questions

Is CueFlow / CueBill safe to use for my club's data?

Yes. Every data table is protected by Row-Level Security enforced by the database, so each club only ever sees its own data. The keys visible in the app are publishable keys — public by design — not database credentials, and the powerful secret key never leaves our servers. Sessions are stored in the phone's hardware keystore.

Does the CueBill app really 'expose database credentials'?

No. What is in the app is a publishable (anon) Supabase key and a Firebase configuration key — both meant to be public and documented as safe to include in client code by the platform vendors. They are not database credentials. The service role key that can bypass security exists only in server-side functions, never in the app.

What is a Supabase anon / publishable key?

It is a public identifier that tells the app which backend to talk to and lets it request data. What the app is actually allowed to see is decided by server-side Row-Level Security policies. On its own, without a valid logged-in session that passes those policies, the key cannot read sensitive data — which is exactly why it is safe to ship in the client.

Can someone read my members' data by extracting keys from the app file?

No. Reading a publishable key from an app file is like viewing the public keys on any website through developer tools — routine and harmless. Without a valid login and a matching Row-Level Security policy, the database returns nothing that belongs to another club. Your members' phone numbers and credit balances remain protected at the database layer.

Is CueBill a scam?

No. CueBill is the club-management app from CueFlow by Khushi Catalyst, used by 500+ clubs across India and the Gulf, with a published price, a self-serve free trial, and a security architecture built to production standards. Claims to the contrary tend to come from competitor comparison pages, not from independent evidence.

Is my club's data encrypted and isolated from other clubs?

Yes. Data travels encrypted in transit, and Row-Level Security isolates every club's records at the database layer so there is no cross-club visibility, even between authenticated users. Privileged actions run through server-side functions rather than as raw commands from the device.

Run your club on CueFlow

Billing, UPI reconciliation, canteen and members in one app trusted by 500+ clubs. Try CueFlow free for 7 days — no credit card required.