Kapers

Trust packet

Privacy boundaries in plain language.

Trust is not a marketing asset. It is a technical boundary. This packet explains what data you generate, where it lives, what the company can and cannot see, how to exit cleanly, and why the architecture is built this way.

Your records

Financial statements, categorized transactions, balances, and forecasts all stay on your device in an encrypted vault. This is a structural choice, not a policy promise.

Data you control

Your device is the primary storage.

Statements you import, the ledger you build, the categories you assign, balances, forecasts, and notes all live in an encrypted vault on your device first. The company never sees the plaintext of any of this. The vault is encrypted with keys only you hold.

Data the company cannot see

We do not hold decrypted records.

No matter what you configure or what features you enable, the company's servers cannot and do not store your financial records in a readable form. This is not a setting you can turn off. It is a boundary built into the system architecture.

What happens if you sync

Sync only exchanges anonymous hashes and metadata.

If you enable sync across devices, only anonymized transaction hashes and your personal metadata leave your device. No transaction details. No amounts. No dates attached to amounts. The server can help reconcile, but it cannot read.

Staying offline

You can use the full product without ever syncing.

Turn off sync and the entire application becomes fully local. No network calls. No company access. No background sync. Your device becomes the only copy of your records, and you remain in complete control.

Exit strategy

Your records stay yours. Export anytime.

Your data exports as plain-text CSV and human-readable PDF. You can print a recovery kit that contains everything needed to restore your records. Deletion is immediate and complete. The company is not an archive for your financial life.