There's a sentence we repeat often when we talk about Cashfulness.
"We don't see your documents."
It's an easy sentence to say. Plenty of apps say it.
The point is what sits underneath that sentence. Because "we don't look at them" and "we can't look at them" are two very different promises.
The first is a promise of good will: trust us not to.
The second is a promise of impossibility: even if we wanted to, we can't.
In Cashfulness, for the documents you upload, the second one holds. And the technical word that makes it true is end-to-end encryption.
You'll often see it shortened to E2EE, from end-to-end encryption: scrambling "from one end all the way to the other."
I know it sounds like a thing for computer scientists. I promise: by the end of this article you'll have understood it even if you've never written a line of code in your life. And you'll have understood why, for an app where you keep your household numbers, it's a choice that changes everything.
First, the right words
Let's start with the verb. To encrypt a file means to turn it into an unreadable sequence.
Not to hide it behind a password that asks "let me in." To actually transform it: take the text, the numbers, the images, and reduce them to a block of characters that mean nothing to anyone without the right key.
The thing that brings that block back to a readable form is called a key. It's a piece of information — think of it as a very, very long password generated by the computer — without which the file stays noise.
You encrypt with the key. You decrypt with the key. Without the key, it's a wall.
Keep these two words in mind — encrypt and key — because everything else revolves around where the key lives.
The safe deposit box at the bank
Here's the example that, to me, makes it all clear.
You know those safe deposit boxes at a bank? The ones where people keep important documents, a bit of jewelry, the things they don't want to keep at home.
They work like this.
The bank gives you an armored vault, guarded, thief-proof. Inside it sits your box.
But the key to your box is held by you. Only you.
The bank guards the vault. It can't open your box. It doesn't have the key. If tomorrow a dishonest employee wanted to snoop, they couldn't: the lock won't open without your key. If thieves broke in and hauled off the entire vault, they'd find themselves holding a locked metal box they can't open.
The bank offers you a service — the security of the vault — without demanding access to what you put inside it.
End-to-end encryption is exactly this, applied to digital files.
Cashfulness is the bank: it offers you the vault, meaning our servers where your documents are kept.
You are the only one who has the key to the box.
And we, like the bank, guard it without being able to open it.
What actually happens when you upload a document
Say you want to keep, inside Cashfulness, your bank statement, an electricity bill, a rental contract, an insurance policy.
Those are the documents you can upload into Cashfulness: statements, bills, contracts, policies. Stuff full of your own data — full name, address, IBAN, amounts, counterparties.
Here's the sequence.
You pick the file from your phone or computer.
Before it leaves, still on your device, the document is encrypted. It becomes that block of noise I mentioned.
Only afterward, already encrypted, does it travel to our servers.
Noise arrives at the server. Noise stays on the server.
When you want to read it again, the document comes back to your device still encrypted, and there — only there, with your key — it becomes readable again.
The moment of encryption is the important part: it happens on your side, before departure. Not "once it reaches the server, we lock it up for you." That would be the bank keeping a copy of your key in the manager's drawer.
No. We never have the key. It's born on your side and stays on your side.
Where your key lives
Fair question at this point: what if I lose this precious key? Where do I keep it?
The key to your documents is born from two things that are yours.
The first is your password, the one you use to log into Cashfulness.
The second is a sequence of 24 words you receive when you turn this protection on. It's a system used elsewhere too, to safeguard the most sensitive keys — twenty-four common words, in a certain order, that together act as a master recovery key.
From these two things, on your device, the key that encrypts and decrypts your documents is built.
And here's the point that's worth the whole article: that key never leaves your device.
It doesn't pass through our servers. We don't save it anywhere. We don't see it go by.
It's as if the key to the box were forged inside your home, by you, and never left. The bank has never seen it, not even for an instant.
To our servers, I repeat, every document of yours is and stays a block of digital noise.
Who can't read your documents (that is: everyone but you)
Let me be explicit, because this is usually where a privacy promise either holds or deflates.
The documents you upload can't be read by us who built Cashfulness. There's no panel somewhere where one of our engineers opens your insurance policy. Technically it doesn't exist, because we don't have the key.
They can't be read by whoever runs the servers the data lives on.
They couldn't be read by an attacker who one day breached our systems and carried everything off: they'd end up holding noise, unusable files.
And we couldn't hand them over readable even if an authority formally asked us for them, because we don't have them in the clear. We can only hand over the noise we guard.
The sentence "we don't see your documents," at this point, stops being a kind reassurance.
It becomes a technical description of a fact.
We don't see them because we can't. That's different.
The flip side (and I want to tell you myself, first)
Protection this tight has a price, and it would be dishonest to hide it.
If you lose your password and you also lose your 24 recovery words, your documents become unreadable. Forever. For us too.
There's no "I forgot everything, send me my files back" button. There's no engineer of ours who can climb back in through the window and recover them for you.
Back to the box at the bank: if you lose your key and no one else has a copy, everything stays inside the box, but no one can open it anymore.
I understand that, put this way, it might cause a little anxiety. But look at it from the other side, which is the reason we chose it.
If a "backup copy" of your key existed somewhere — on our server, in the manager's drawer — that copy would be the weak point of the whole system. It would be the thing an attacker would look for first. It would be the door an authority could ask us to open. It would be the file a dishonest employee could copy for themselves.
A key that exists only on your device — that door simply doesn't open.
We chose to give you full control — with the weight that comes with it — instead of keeping a shortcut that, sooner or later, would have become the hole in the dam.
The one practical thing we ask in return is this: guard your 24 words the way you'd guard the deed to your home. Written down, in a safe place, away from prying eyes. Not inside an email to yourself, not in a note on your phone. Those 24 words are the backup copy of your key. Keep them the way you keep the things that matter.
An honest clarification: E2EE here covers documents
I don't want to sell you more than there is, because that would be the opposite of everything in this article.
The end-to-end encryption I've described protects the documents you upload: statements, bills, contracts, policies. Those are the most sensitive layer, and that's where we put the tightest lock.
Your actual accounting data — the accounts, the balances, the movements that form your fix, meaning your net worth — follow a different logic instead.
They live in a database of ours, on European servers, and they're in the clear on the server side. It's a necessary technical choice: they're needed to keep your books in sync between phone and computer, and to compute in real time the metrics we show you. Encrypting them in the exact same way as the documents would make the app painfully slow and, in practice, unusable.
But — and here's the part many people don't expect — those numbers travel without your biography attached.
When you sign up we ask for a nickname (whatever you like, even a made-up one), an email, and a password. We don't ask for your name, surname, tax code, date of birth, address, or phone number.
So even someone with access to the database would see a certain nickname with some accounts, some balances, some movements — but with no way to tie those numbers to the real person you are.
On how this second layer works, and on why we built it in two levels instead of one, there's a dedicated article: Radical privacy: two levels, one promise. I'll stop here, because today's subject is the key to the box.
The point I wanted to nail down is this: when we say end-to-end encryption makes your documents unreadable, we mean the documents. For the rest, a different protection applies, just as serious. And I'd rather tell you precisely myself than let you believe in a magic encryption that covers everything.
Why it mattered to us, this much
I could close here on the technical side. But the technical side, on its own, isn't the reason.
The reason is that personal finance is the place where you keep the things you don't even talk about easily with friends. How much you really earn. How much you've set aside, or how little. A debt that weighs on you.
If, the moment you open an app like this, a doubt lingers at the bottom that someone, somewhere, might take a look, that app will never give you the thing it exists for.
We call that thing calm. The calm side of money. And calm, if your numbers aren't truly safe, is just a word on a website.
End-to-end encryption on documents isn't a technical trophy to put in a display case. It's the floor everything else rests on: without it, the metrics and the fix are furniture propped up over nothing.
That's why we wrote it into the foundations, not added it later like one more switch.
In one line
I'll leave it to you in the shortest form I have.
You lock your documents in a box. The key to the box is held only by you, and it never leaves your device. We guard the closed box, and we can't open it.
Not because we promised to be good.
Because we deliberately took away our own ability not to be.
— Vittorio