CashfulnessCashfulness
Join the beta
Privacy

Radical Privacy: Two Layers, One Promise

11 May 202616 min

Most of the free apps on your phone aren't free.

They are offered to you in exchange for your data.

It's a trade.

It's transparent in principle, and in many cases it's also a trade worth making — there's nothing scandalous about doing it.

Many personal finance apps work this way too.

They give you a tracking tool that's free or nearly free, and in exchange they aggregate your spending data to produce market reports, personalized recommendations, advertising suggestions, profiling, commercial partnerships.

Here too, in principle, it's a legitimate choice on the provider's part.

In an instant you accept the terms of service and move on.

Cashfulness made a different choice.

Not to judge other apps — everyone builds their own model, and many do it honestly — but because we believe that personal finance deserves different treatment.

It's an area where the fog is already heavy, and where the awareness that someone (even theoretically) could look at your numbers strips the product of its very meaning.

The calm we speak of, if the data isn't safe, is an emptied promise.

For this reason we built Cashfulness around a precise technical choice, written into the foundations of the code, which works on two layers.

The first layer protects the documents you bring into Cashfulness — with radical end-to-end encryption.

The second layer protects your identity and your accounting data — with maximum anonymization.

The two layers respond to different needs and use different tools. Each is worth explaining one at a time.

Why connectivity is required (and what that means for privacy)

A technical premise, before going into the two layers.

Cashfulness works only if your device is online.

Mobile or desktop, the app needs to be able to speak with a remote database that lives on our servers (European infrastructure).

Why this choice? Because your accounting data must remain synchronized between the different devices you use.

If you add a transaction from your smartphone during your lunch break, you want to see it again in the evening from your laptop. If you do it the other way around, the same applies.

Without a centralized point of truth, the data would systematically diverge between clients, and you'd find yourself with two inconsistent copies of your bookkeeping — a small nightmare that defeats the entire point of double-entry bookkeeping.

So yes, your bookkeeping transits over a remote server.

It's not a renunciation of privacy: it's the technical constraint required to give you bookkeeping that really works across multiple devices.

The interesting question becomes: how do we protect your privacy given this constraint?

The answer lies in the two layers I'll describe now.

Layer 1 — Radical end-to-end encryption for documents

When you start using Cashfulness, sooner or later you'll want to bring your documents into the app: bank statements, mortgage or rental contracts, electricity and gas bills, insurance policies, investment certificates, fund reports, important fiscal receipts.

These documents contain everything: your full name, address, tax code, IBAN, amounts, counterparties, details of your life.

They are the most sensitive level of all.

For them we made the strictest choice possible: radical end-to-end encryption.

The technical term is end-to-end encryption, or E2EE.

To understand what it is without technicalities, imagine you want to send a letter via a courier.

You have two choices.

Choice 1, standard model.

You write the letter in plain text, you put it in an envelope, you give it to the courier.

The courier — if they want — can open the envelope, read the letter, take notes, and then close it again and deliver it.

You trust they won't because they promised not to, perhaps because there are laws that forbid it and give you some guarantees.

But materially, they can.

Choice 2, end-to-end encryption.

You write the letter, you close it in a metal box that opens only with a specific key.

You have the key. Only you.

You give the box to the courier. The courier transports and stores it.

Even if they took it and brought it home, they couldn't open it, because they don't have the key.

When you need the letter, you reopen the box with your key, and you read.

End-to-end encryption of documents in Cashfulness is the metal box of Choice 2.

When you upload a document into the app, your device encrypts it before sending it to the server. On the server, it arrives encrypted and stays encrypted.

For the server, each of your documents is a block of digital noise.

The key to decrypt it resides only on your device, derived from your personal password and your 24 recovery words (the so-called seed phrase, the most solid standard available today for generating and protecting personal cryptographic keys).

What this means, in practice:

  • The Cashfulness server cannot read your documents. Not us who built the app, not whoever manages the infrastructure, not a possible future attacker.
  • If tomorrow Cashfulness were breached and all the documents on the servers were stolen, the attacker would see noise. Unusable.
  • Even an authority formally requesting your documents would receive noise. We can't provide them, because we don't have them in plain text.

There is a flip side, and we want to be honest about it.

If you lose your password and you also lose the 24 recovery words, your documents become unreadable even to you.

Forever.

We cannot recover them, because we technically cannot read what you have encrypted. There is no "password recovery via email" that gives you the documents back, because there is no one on the other end who can do it.

The key is only yours.

This means freedom — you are the only one who can access — and responsibility — you are the only one who can lose access.

It is a philosophical choice. We prefer giving you full control, even if it includes the weight of safeguarding your credentials, rather than keeping a "backup" copy on our server. That copy, sooner or later, could become a point of compromise.

A key that exists only on your phone, no.

Layer 2 — Maximum anonymization for identity and accounting data

The second layer is different, and covers everything else: who you are and what you do inside the app in terms of numbers.

For this data we chose a different strategy, because the problem is of a different nature.

Documents are "boxes" with sensitive contents, and it makes sense to encrypt them in full.

Accounting data, instead, is a living structure: numbers, accounts, categories, movements that you need every day, and on which Cashfulness builds the financial-health metrics it shows you.

Encrypting them the same way as documents would make the app extremely slow and in many cases unusable.

Our answer is not absolute encryption. It is maximum anonymization.

In practice it means two things.

Cashfulness doesn't even want to know your name.

When you register, we don't ask for your first and last name.

We ask for a nickname — whatever you want, it can even be pure fantasy.

We ask for an email for technical contacts (access recovery, service communications), and a password.

Stop.

No tax code, no date of birth, no address, no phone number, no link to your bank account, no identity verification.

For Cashfulness, you are a nickname with an email. Nothing more.

Your accounting spaces are hard to decode for anyone who isn't you.

The app invites you to articulate income and expenses in specific accounts and sub-accounts. The names you give those accounts, the labels of your movements, the level of granularity with which you describe your financial life — you decide them, with the vocabulary that is most useful to you.

Cashfulness never asks you to enter personal data inside account names: no tax code, no IBANs in the headers, no proper names. The names are operational (for example: "Salary", "Main checking account", "Home mortgage", "Car expenses", "Rental income received"): they describe a function, not you.

Combined, these two factors — a nickname that doesn't reveal who you are, and account names that describe what and not who — make your bookkeeping hard to understand and impossible to link back to you for anyone who isn't you.

The concrete result is this: even if someone (an attacker, a dishonest employee, an authority) could look at the database server-side, they would see a certain nickname with a chart of accounts, some balances and some movements.

They wouldn't know who that nickname is.

They would have no way to link those numbers to the real person behind the screen.

They would see accounting without a biography.

A few practical tips to stay truly anonymous

Anonymity isn't just our promise: it's also a small gesture on your part.

If you want your bookkeeping to be incomprehensible to anyone who isn't you, we suggest:

  • Name accounts by function, not by person. "Bank account", "Salary", "Home mortgage", "Joint account" all work well. "Mario Rossi's Account" or a full IBAN in the header open an unnecessary crack.
  • Let transaction descriptions stay naturally generic. By their nature they already are: "coffee at the bar", "dinner at the restaurant", "car refueling", "grocery shopping". No one outside of you would understand whether that dinner was in Milan with a client or in Lucca with your sister.
  • Use a pseudonymous email for registration, if you want to push it to the extreme. Your email serves only for login and for delivering service communications: no one obliges you to use an "official" one like name.surname@domain.com. A pseudonymous one like aurora.di.notte@protonmail.com or any other one that suits you works fine.

Payment is anonymous too (to us)

A point that the reader generally doesn't expect, and that's worth saying clearly.

For Cashfulness subscriptions, we don't directly ask for credit card, IBAN, or billing data. The payment goes through the store from which you downloaded the app: App Store (Apple) or Google Play (Google) for the mobile versions, Stripe for payments from the website.

These are third-party entities that see your name, address, credit card, or IBAN — because technically they are the ones who cash in. It is they, as a rule, who issue invoices or fiscal receipts for your subscription (with your country's rules).

Cashfulness, on the other end of that pipe, receives only the net payment and an opaque identifier for the subscription (something like sub_abc123).

We never see: customer name, tax code, credit card, IBAN.

We don't issue invoices or fiscal receipts to end users.

In other words: even on the commercial front, all we need to know about you is that there's an active subscription linked to a certain nickname and a certain pseudonymous email. The customer biography stays on the other side, at the store, and there it remains.

The difficult choices that follow

Putting these two layers together is not a free feature.

It's a choice that closes certain doors structurally, and on those doors it's worth being explicit, because this is where the price of coherence shows.

No granular behavioral analytics per profile.

We cannot correlate activity inside the app with real identities, because the real identities we don't have.

Product development is a little blinder on individual patterns. We rely much more on direct feedback, beta testing, qualitative interviews.

It works, but it's less automatic.

No personalized commercial recommendations.

We don't tell you "other users like you bought X" based on your profile. We don't push sponsored partner products based on your numbers. The commercial profiling model that is the bread and butter of many free apps, in Cashfulness, doesn't exist.

What we do instead — and we want to say it clearly — is paths to improve your financial situation: indications of where your numbers suggest you could save, where the composition of your wealth deserves reflection, where the months of coverage could grow with small adjustments.

These are educational indications, built on your data, and — when the nature of the data requires it — calculated on your device, on a locally decrypted copy.

An important clarification: Cashfulness doesn't give personalized investment advice. That's the territory of financial advisors registered with the relevant professional body, and for good reasons: it's a regulated activity that requires expertise, responsibility, and a fiduciary relationship different from the one between you and an app. Cashfulness helps you see clearly, not choose the fund to buy next week.

Notifications and newsletter: only if you want them, never by default.

The fact that we are allergic to commercial profiling doesn't mean we are a silent platform.

Cashfulness can send you useful things — and when I say "useful" I really mean for you, not for third parties: an alert if a budget is about to overflow, suggestions on where your numbers indicate you could save, a short periodic newsletter with educational reflections on personal finance and product updates.

All of this is opt-in: you turn it on at registration or afterward, when you want, and you turn it off when you want.

No box is pre-ticked by default. Your email — even if pseudonymous — serves us only to deliver what you asked for, not to chase you with messages you didn't want.

AI strictly compliant with the two privacy layers.

The artificial intelligence features Cashfulness develops or will develop respect the distinction described above.

For documents (bank statements, contracts, utility bills, insurance policies), the AI processing that requires reading the content happens on your device, on a locally decrypted copy. The server never sees the content of those documents.

For accounting data (balances, movements, categories of your nickname), any server-side processing runs on numbers stripped of personal identity — the "accounting without a biography" I mentioned earlier. AI can help you read useful patterns (for example, flagging an expense out of scale with your usual, or suggesting where to cut), but never able to link those numbers to a real first and last name.

What we won't do is build an AI model that links who you are to your financial life — because "who you are", in Cashfulness, we don't have.

No sale of aggregated data traceable to people.

We can't sell "datasets of Italian spending by age range and region" to banks, research institutes, advertising agencies. The demographic and residence data we don't have.

It would have been a significant revenue channel. We deliberately eliminated it from the business model.

The commercial consequence of these choices is clear: to sustain ourselves we live only on direct subscriptions from users.

Minimal free tier, Base subscription, Top subscription.

No advertising, no data sales, no partnerships requiring access to user data.

It's a stricter model than the standard one in the market, but it's honest, and it's the only one that lets Cashfulness keep the promise it makes on the first screen of onboarding.

One consequence of this model we like: every user who chooses to pay for Cashfulness is a user who truly wants the product.

There's no dynamic where "the product is free because you are the product".

You are the customer, and the product is what you pay for.

Partnerships, too, respect this rule

There is a question we will eventually be asked — and it's worth anticipating.

If in the future Cashfulness opened up to integrations with other financial services (rate comparators, insurance brokers, investment managers), would these two layers of protection stay in place?

Yes, and we frame the rule this way: if Cashfulness integrates an external partner, the call to the partner will always start from your device, on your specific request, for a specific item.

Never aggregated server-side.

Never automatic.

Never without your conscious gesture.

I'll give a concrete example, however future and hypothetical.

Suppose you've uploaded your electricity bill into Cashfulness and you want to know whether there's a better offer on the market.

In a standard app, the system would automatically send the bill data to the partner (and perhaps other context data), receive the response, and show it to you.

In the Cashfulness model, instead, you'll see a "verify with [partner]" button on that specific bill.

When you press it, your phone downloads the bill from the Cashfulness archive, decrypts it locally — because remember: uploaded documents are end-to-end encrypted and only your device has the key to read them in plain text — extracts only the data necessary for the verification (consumption, tier, current provider), sends it directly to the partner without going through our server, and shows you the response.

The Cashfulness server, even in this scenario, has seen nothing.

Not the document, not the numbers, not your identity.

This isn't a belated concession to privacy.

It's the way we think partnerships should work in personal finance.

It's more cumbersome to build technically — it requires device-side SDKs, fine-grained authentication, credential management on the phone — but it's the only way coherent with the brand promise.

Partnerships that ask Cashfulness for aggregated server-side access to data will receive a polite no.

The promise, in one sentence

This is the promise, summarized in a sentence we'd like to stick:

Cashfulness doesn't know who you are, doesn't read your documents, doesn't understand your numbers. Only you hold every key.

Three different verbs for three different levels.

Doesn't know who you are: because you don't tell it. You'll use a nickname, and that's enough.

Doesn't read your documents: because they are encrypted with a key only you possess.

Doesn't understand your numbers: because without your context they are accounting without a biography.

Everything else in the product leans on this sentence.

The financial-health metrics, the distinction between Assets+ and Assets-, the invisible double-entry bookkeeping, the weekly ten-minute ritual — all things we talk about in the other articles of this blog — really work only if above them there is a ceiling of privacy that makes them yours for real, not just in marketing language.

If this is what you're looking for, you are in the right place.

We're waiting for you on the beta waitlist at cashfulness.com/beta.

If instead you prefer an app that analyzes your behaviors to advise you better in exchange for part of your privacy, it's a legitimate choice — there's nothing wrong with it — but we won't be that place.

That's fine.

Cashfulness is designed for people for whom the household numbers must stay at home, and it knows perfectly well that it is one choice among others.

— Vittorio