Financial statements, categorized transactions, balances, and forecasts all stay on your device in an encrypted vault. This is a structural choice, not a policy promise.
Trust packet
Privacy boundaries in plain language.
Trust is not a marketing asset. It is a technical boundary. This packet explains what data you generate, where it lives, what the company can and cannot see, how to exit cleanly, and why the architecture is built this way.
Data you control
Your device is the primary storage.
Statements you import, the ledger you build, the categories you assign, balances, forecasts, and notes all live in an encrypted vault on your device first. The company never sees the plaintext of any of this. The vault is encrypted with keys only you hold.
Data the company cannot see
We do not hold decrypted records.
No matter what you configure or what features you enable, the company's servers cannot and do not store your financial records in a readable form. This is not a setting you can turn off. It is a boundary built into the system architecture.
What happens if you sync
Sync only exchanges anonymous hashes and metadata.
If you enable sync across devices, only anonymized transaction hashes and your personal metadata leave your device. No transaction details. No amounts. No dates attached to amounts. The server can help reconcile, but it cannot read.
Staying offline
You can use the full product without ever syncing.
Turn off sync and the entire application becomes fully local. No network calls. No company access. No background sync. Your device becomes the only copy of your records, and you remain in complete control.
Exit strategy
Your records stay yours. Export anytime.
Your data exports as plain-text CSV and human-readable PDF. You can print a recovery kit that contains everything needed to restore your records. Deletion is immediate and complete. The company is not an archive for your financial life.