A detailed look at how we ensure your data is never readable by anyone but you.
Not a policy — a property of the math.
Every byte on our servers is sealed under a key that never leaves your device — and nothing reaches your bank unless you unlock it. The backend stores only ciphertext and public keys.
An ECDH P-256 keypair is generated in your browser via the Web Crypto API. The private key is wrapped under a key derived from your passphrase (PBKDF2) and stored in IndexedDB — it never leaves your device.
The backend receives only the public key — enough to encrypt data for you, but mathematically useless for decrypting it.
During a sync you authorize, the backend fetches from your bank and immediately seals every account and transaction under your public key (ephemeral ECDH P-256 + HKDF-SHA256 + AES-256-GCM) — ciphertext it can write but never read.
Nothing is persisted in the clear — not even your bank session token. Each record is just an envelope: ephemeral public key, nonce, and ciphertext.
Just three things live on our servers — and none of them can reveal your banking data.
Never stored: plaintext banking data. We keep only ciphertext that we can't decrypt.
You fetch ciphertext and decrypt it locally. The browser and the headless server-to-server (S2S) client run the same code path, so the cryptographic guarantees are identical.
Even the banking session token is encrypted under your key. A sync runs only while you're present with your key unlocked: decrypt the session → fetch from your bank → re-encrypt the results → discard all plaintext.
No silent jobs, no standing access — without your unlocked key, we cannot fetch anything from your bank.
Server-to-server
Export your private key (JWK or PKCS#8) and provision it into your own infrastructure. The headless S2S client uses the same decryption path as the browser, and the key never leaves systems you control.
Export requires an explicit confirmation from you. The key becomes extractable only at that moment — in normal operation the local copy stays locked in your browser.