How we protect your money data
Last updated: July 6, 2026
Your financial life is yours. We built this app so that we cannot read your financial data — and neither can anyone who might break into our servers.
Your data is encrypted on your device
When you set a password, your device uses it to create an encryption key. That key never leaves your device and is never sent to us. Everything sensitive — your transactions, balances, budgets, accounts, and forecasts — is locked with that key before it is saved to our servers.
What we store is unreadable scrambled text. We don't have the key to unscramble it. If someone stole our entire database, they'd get nothing they could read.
This is called zero-knowledge encryption: we have zero knowledge of what your numbers actually are.
What this means in plain terms
- We can't read your transactions, balances, or budgets. Not our team, not our support staff, not our database administrators.
- A hacker who breaches our servers can't read them either.They'd only find encrypted text.
- Your password is the key.We never see it, and we cannot recover it for you (see “If you forget your password” below).
The technical details
This section explains exactly what cryptographic operations run on your device. If you prefer plain language, skip to the next section.
Your password is processed using Argon2id(a memory-hard, deliberately slow key-derivation function) with a random per-account salt stored on our servers. Argon2id is the gold standard for password-based key derivation. The output is a 256-bit Master Key that exists only in your device's memory for the duration of a session.
Two subkeys are derived from the Master Key using HKDF-SHA-256 with domain-separated labels:
- Auth Key — its SHA-256 hash is stored on our server as a login verifier. Even with this hash, neither we nor an attacker can derive the Wrapping Key or your data.
- Wrapping Key — used to encrypt a random 256-bit Data Encryption Key (DEK). The wrapped DEK is stored on our server.
All data records are encrypted with the DEK using XChaCha20-Poly1305, an authenticated cipher with a 192-bit random nonce per record. The authentication tag protects against tampering — any modification to the stored data is detected and rejected.
On the rare browser where the primary library's WebAssembly module can't load, records are encrypted with AES-256-GCMinstead — a 256-bit authenticated cipher from the browser's built-in Web Crypto. Every record is self-describing, so it is always decrypted with the exact algorithm it was written with.
The primary cryptographic library is libsodium(via libsodium-wrappers-sumo), with the browser's native Web Crypto as the fallback. We do not hand-roll any cryptography — both are standard, audited implementations.
What we can see
To run the app, our servers do see a small amount of non-financial structure: that a record exists, when it was created or updated, the date of a transaction, which account or category a record links to, and which month a budget belongs to. In plain terms: we can see that you made a transaction on a given day, but not the amount, the payee, the account name, or anything else inside it — those are encrypted. We never sell or share this information.
Using the AI advisor
The AI advisor is the one feature where data leaves your device — and only because it has to in order to answer you, and only when you ask.
When you ask the AI a question, your device unlocks just the information needed to answer it and sends that to the AI over a secure connection. Wherever possible, we send summaries(like “dining total this month”) rather than your individual transactions. The AI is never given access to your full data, and nothing is sent in the background — only in response to your question.
If you never use the AI advisor, your data never leaves your device in readable form.
The AI feature requires explicit in-app consent before any data is sent. Refer to the current terms of your chosen AI provider (e.g., Anthropic) for their data handling practices.
If you forget your password
Because only you hold the key, we cannot reset your password and recover your data — we have no way to unlock it. That's the trade-off that keeps your data private even from us.
When you sign up, we give you a one-time Recovery Code. Save it somewhere safe. If you forget your password, that code is the only way to get back in. If you lose both your password and your Recovery Code, your data cannot be recovered by anyone, including us — you would have to start a fresh account.
On your iPhone
On iOS, your encryption key is stored in the device's secure hardware (the Keychain / Secure Enclave) and protected by Face ID or Touch ID, so you can unlock quickly without retyping your password — and the app locks itself when you switch away. The key is marked so it never syncs to iCloud or other devices.
Google and Apple sign-in accounts
Zero-knowledge encryption requires deriving a key from a secret only you know. If you sign in with Google or Apple, there is no Welfi password to derive that key from — so by default these accounts are protected by TLS in transit and access controls, but are readable by our infrastructure like a standard web app.
You can still turn on full encryption: in Settings → Security, set up an encryption passphrase(separate from your Google/Apple sign-in). From then on your financial data is encrypted with that passphrase exactly like a password account. As with any zero-knowledge key, we can't recover the passphrase — keep your Recovery Code.
Honest limits
No system is magic. Our encryption protects your data on our servers, but it cannot protect:
- A compromised device. If someone has access to your unlocked phone or computer, they can see your data while the app is open.
- A phished or guessed password. Keep your password private and make it strong.
- A malicious client build. The encryption only works honestly if the code running on your device is trustworthy. Welfi is distributed through official channels (the App Store and vercel.app). A backdoored build could undermine these guarantees — this is a known limitation of all client-side encryption systems.
- The AI moment. By design, when you ask the AI a question, the relevant data is decrypted on your device and sent to the AI provider. This is explicit and opt-in.
This page describes how the app actually works, not just what we promise. If you have questions about our security, contact us.