CashfulnessCashfulness
Join the beta
Radical privacy

Two levels, one promise.

Cashfulness is built to know nothing about you. Not as a political principle, but as a technical choice. For your documents, end-to-end encryption. For your identity and accounting data, maximum anonymization.

Most free apps are not really free: you get them in exchange for your data. In principle it's a transparent trade, and in many cases it's a fair one to make.

Many personal finance apps work this way too: they give you a tracking tool and in exchange they aggregate your spending data to produce reports, recommendations, commercial partnerships.

Cashfulness has made a different choice, because we believe personal finance deserves different treatment. The calm we talk about, if data isn't safe, is an empty promise.

The first level protects the documents you bring into the app, with radical end-to-end encryption. The second level protects your identity and accounting data, with maximum anonymization. Worth explaining one at a time.

A premise

Why connection is required

Cashfulness works only when your device is online. Mobile or desktop, the app needs to talk to a remote database that lives on our servers (European infrastructure).

Why this choice? Because your accounting data must stay synchronized across the different devices you use. If you add a transaction from your phone at lunch, you'll want to see it that evening on your laptop. Without a centralized source of truth, data would systematically drift between clients.

So yes, your accounting transits through a remote server. It's not a renunciation of privacy: it's the technical constraint required to give you accounting that truly works across multiple devices. The interesting question becomes: how do we protect your privacy given this constraint? The answer lies in the two levels we describe next.

Level 1

Radical end-to-end encryption for documents

When you start using Cashfulness, sooner or later you'll want to bring documents into the app: bank statements, mortgage or rental contracts, utility bills, insurance policies, investment statements. They contain everything: your full name, address, tax ID, IBAN, amounts, counterparties.

For them we made the strictest possible choice: end-to-end encryption (E2EE).

Imagine sending a letter via courier. You can put it in a regular envelope — the courier can open it, read it, then close it again. Or you can lock it in a metal box that only opens with a specific key, which only you have. Even if the courier took the box, they couldn't open it.

Your documents on Cashfulness are the metal box. Your device encrypts them before sending them to the server. On the server they arrive and stay encrypted: to us, they are blocks of digital noise.

The key to decrypt them lives only on your device, derived from your personal password and your 24 recovery words (the seed phrase, the most solid standard available today for generating personal cryptographic keys).

How document encryption works

A two-stop journey.

bank-statement.pdf
You upload a document
AES-256
Key on your device
Encrypted on your device
HTTPS
7f3a9d2c8e1b4f76a02e8c4d
On the server, just noise

The other side of the coin — we want to be honest

If you lose your password and you also lose the 24 recovery words, your documents become unreadable even to you. Forever. We cannot recover them, because technically we cannot read what you encrypted. It's a philosophical choice: we'd rather give you full control, even with the weight of safeguarding your credentials, than keep a backup copy on our server.

Level 2

Maximum anonymization for identity and accounting data

Accounting data (numbers, accounts, categories, transactions) is a living structure you need every day. Encrypting it the same way as documents would make the app extremely slow and in many cases unusable.

Our answer isn't absolute encryption. It's maximum anonymization.

Cashfulness doesn't even want to know your name. When you sign up, we don't ask for first and last name: we ask for a nickname (whatever you want, even pure fantasy), an email for technical contact, and a password. No tax ID, date of birth, address, phone number, bank account link, identity verification.

The names you give your accounts are up to you: they describe a function ("Salary", "Main checking account", "House mortgage"), not you. Combined with the nickname, they make your accounting hard to interpret and impossible to link back to you for anyone who isn't you.

Even if someone could look at the server database, they'd see a certain nickname with a chart of accounts, balances and transactions. They wouldn't know who it is. They'd see accounting without a biography.

Payment is anonymous too (to us)

For Cashfulness subscriptions we don't ask for your credit card, IBAN, or billing details directly. Payment goes through the store you downloaded the app from: App Store (Apple) or Google Play (Google) for mobile versions, Stripe for web payments.

These third parties see your name, address, credit card or IBAN — because technically they're the ones collecting the money. They are also responsible for issuing invoices or fiscal receipts for your subscription.

Cashfulness, on the other side of that pipe, only receives the net amount and an opaque subscription identifier (something like sub_abc123). We never see customer name, tax ID, credit card, IBAN.

A few practical tips to stay truly anonymous

Anonymity isn't only a promise from us: it's also a small gesture from you. If you want your accounting to be incomprehensible to anyone who isn't you, we suggest:

  • Name accounts by function, not by person
    "Bank account", "Salary", "House mortgage", "Joint account" work well. "Mario Rossi's account" or a full IBAN in the name opens an unnecessary crack.
  • Let transaction descriptions stay naturally generic
    By their nature they already are: "breakfast at the bar", "dinner at the restaurant", "car refuel". Nobody outside of you could tell whether that dinner was in Milan with a client or in Lucca with your sister.
  • Use a pseudonymous email for signup
    Your email is used only for login and for delivering service communications. A pseudonymous one like aurora.at.night@protonmail.com or anything else convenient works perfectly.
What follows from this

The hard choices. Worth being explicit.

We measure anonymous, aggregated usage — never to profile you

To understand what works, we measure which website pages are read and which app features are used. Always in anonymous, aggregated form, never tied to your real identity. On the website we use Umami: no cookies, no fingerprinting, no cross-site tracking. In the app: no third-party services (no Google Analytics, Mixpanel, Amplitude, Sentry, Firebase), everything on our European Supabase servers, switchable off at any time in Settings (Improvement Programme, opt-out). No commercial profiling, no cross-user correlation, ever.

No personalized commercial recommendations

We don't tell you "other users like you bought X". We don't push sponsored partner products based on your numbers. What we do are educational pointers on your data, computed on your device when the data demands it. Cashfulness does not give personalized investment advice: that's the territory of licensed financial advisors.

AI strictly compliant with the two levels

On documents, AI processing that requires reading content happens on your device, on a locally decrypted copy. On accounting data, any server-side processing runs on numbers without personal identity attached.

No selling of aggregated data linkable to people

We cannot sell "datasets of Italian spending by age and region". We don't have demographic data. We deliberately removed it from the business model. To sustain ourselves, we live only on direct user subscriptions.

Notifications and newsletter: only if you want them, never by default

The fact that we're allergic to commercial profiling doesn't mean we're a silent platform.

Cashfulness can send you useful things — and by "useful" we mean useful to you, not to third parties: alerts if a budget is about to overflow, suggestions on where your numbers say you could save, a short periodic newsletter with educational reflections.

All of this is opt-in: you turn it on at signup or later, whenever you want, and you turn it off whenever you want. No box is pre-checked by default. Your email — even if pseudonymous — is used only to deliver what you asked for, not to chase you with messages you didn't want.

This is the promise, in a single sentence we'd like to stick.

Cashfulness doesn't know who you are, doesn't read your documents, doesn't understand your numbers. Only you hold all the keys.
— Vittorio
Honest questions

No. Documents you upload are end-to-end encrypted with a key that lives only on your device. They arrive at the server and stay encrypted. Not us, not whoever runs the infrastructure, not a potential attacker. Even an authority requesting them formally would receive noise.

Server-side we see numbers linked to a nickname, without real first and last name. It's accounting without a biography: for anyone looking at the database, it would be impossible to link those numbers to a real person.

For end-to-end encrypted documents, they are lost forever — for us too. There's no "password recovery via email" that gives them back, because technically we cannot read them. It's the flip side of full control.

Nothing that can identify you. Payment goes through App Store, Google Play or Stripe — they see name, IBAN, card. Cashfulness only receives the net amount and an opaque subscription identifier. Invoices or fiscal receipts are issued by the store, not by us.

On the website we use Umami: no cookies, no fingerprinting, no cross-site tracking. It measures visits, sources and pages in anonymous, aggregated form — IPs are not stored, they're only used to infer the country and then discarded. In the app: no third-party services (no Google Analytics, Mixpanel, Amplitude, Sentry, Firebase). What we measure — errors, performance, sessions, feature usage — stays on our European Supabase servers in anonymous, aggregated form, switchable off in Settings (Improvement Programme, opt-out). One always-on technical exception: the system records the IP of login sessions for anti-abuse reasons — it's the minimum safeguard to protect your account. For the full list of infrastructure services (hosting, mail, payments, etc.), see our privacy policy.