Security is structural
Not by promise — by architecture. Your data is encrypted before it leaves your device. The server can't read it.
The guarantees
Local-first encryption
Your device holds the keys. The server holds only ciphertext.
No tracking
No ads, no analytics, no third parties watching your ledger.
Offline by default
Works with no connection. Your numbers stay yours.
You type in an account, a balance, a transaction.
Fully private, fully local. The most honest tier — and the default.
- Every number you type
- Account names and balances
- Budgets, goals, and debt payoff plans
- Nothing. There is no server in this path.
Questions?
Yes. Everything is encrypted on your device before it leaves. The server holds only ciphertext. We literally cannot read your numbers.
Bank connections are architecture-only right now — we're not live yet. When we wire it, it'll be labeled plaintext transit through a third-party provider (SnapTrade, SimpleFIN, Plaid). Fully honest about the privacy tradeoff.
Yes. Anytime. As JSON. No restrictions. Your data is yours to take.
Nothing extra. Grove is part of the app. It works on your device only — no API calls to OpenAI or anywhere else.
We're still figuring that out. Beta testers keep lifetime access for free. When we do charge, it'll be honest and low — server costs plus a small margin. No surprise paywalls.
No. We don't sell it, don't share it with advertisers, don't use it to train models. We can't — it's encrypted.