Verify it yourself.

Every privacy claim on this site is testable in under a minute. Follow these steps before trusting us with your statement.

1. Watch the Network tab

  1. Open your browser's DevTools (F12 on Windows/Linux, ⌥⌘I on macOS).
  2. Switch to the Network tab.
  3. Click the clear button to empty the log.
  4. Head to the app and upload your statement.
  5. Watch the Network log. You should see zero new requests while your file is parsed and categorised.

2. Turn off your Wi-Fi

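The strongest test: disconnect from the internet, reload the app, and upload your statement. If it still works while you are offline, the parsing and categorisation are happening entirely in your browser, and there is no connection over which your data could be sent.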

3. Check the Content-Security-Policy header

Every response from this site carries this header:

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-<per-request>' 'strict-dynamic';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: blob:;
  font-src 'self' data:;
  connect-src 'self';
  worker-src 'self' blob:;
  frame-ancestors 'none';
  form-action 'none';
  base-uri 'self';
  object-src 'none';
  upgrade-insecure-requests;

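The load-bearing directive is connect-src 'self': it tells the browser to refuse any script-initiated connection (fetch, XMLHttpRequest, WebSocket, EventSource, sendBeacon) to anything other than this site's own origin. img-src, font-src and form-action 'none' close the same door for images, fonts and form submissions. Even if a bug tried to exfiltrate your data, the browser would block it.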
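To check the header mechanically rather than by eye, the following added example (not code from this site) parses a Content-Security-Policy value and lists every directive that would let the page reach a destination other than its own origin, applying the fallback to default-src. The function names, the nonce value and the metrics.example host are constructed for illustration.

```javascript
// Each fetch directive with its fallback chain; default-src is the final fallback.
const CHAINS = [["connect-src"], ["img-src"], ["font-src"], ["media-src"],
  ["script-src"], ["style-src"], ["object-src"],
  ["frame-src", "child-src"], ["worker-src", "child-src", "script-src"]];

// Source expressions that never name a remote host.
const LOCAL_ONLY =
  /^('self'|'none'|'unsafe-inline'|'strict-dynamic'|'(nonce|sha(256|384|512))-[^']+'|data:|blob:)$/i;

function parseCsp(value) {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Returns one finding per directive that permits a non-local destination.
function auditCsp(value) {
  const policy = parseCsp(value);
  const findings = [];
  const check = (label, sources) => {
    if (sources === undefined) findings.push(`${label}: unrestricted (not set)`);
    else for (const s of sources) if (!LOCAL_ONLY.test(s)) findings.push(`${label}: allows ${s}`);
  };
  for (const chain of CHAINS) {
    const effective = [...chain, "default-src"].find((d) => policy.has(d));
    check(chain[0], policy.get(effective));
  }
  // form-action never falls back to default-src, so it must be set explicitly.
  check("form-action", policy.get("form-action"));
  return findings;
}

// Constructed inputs: the policy shown above with a made-up nonce, and a weakened variant.
const SITE_POLICY = `default-src 'self'; script-src 'self' 'nonce-Y29uc3RydWN0ZWQ' 'strict-dynamic';
  style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:;
  connect-src 'self'; worker-src 'self' blob:; frame-ancestors 'none'; form-action 'none';
  base-uri 'self'; object-src 'none'; upgrade-insecure-requests;`;
const WEAK_POLICY = "default-src 'self'; connect-src 'self' https://metrics.example";

console.log(auditCsp(SITE_POLICY)); // no findings
console.log(auditCsp(WEAK_POLICY)); // two findings
```

Copy the header value from the response headers in the Network tab and pass it to auditCsp; an empty result means no directive names a remote host.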

What we promise

Found something that worries you?

Open an issue on GitHub or email us. Do not paste any transaction content into a bug report — describe what you saw in terms of file sizes, timestamps, or the structure of the problem, never the specifics.