Most companies publish a privacy policy written by lawyers for lawyers. It tells you nothing about what the server actually stores, who can read it, or what happens when you hit "delete."
This page is different. It's a technical transparency report. Every row in the table below is accurate and verifiable. If you export your data, you'll see exactly what's described here.
The Transparency Matrix
This is what the server stores, how it's protected, and whether we can read it.
| Data Type | Encryption | Who Holds the Key | Server Can Read? |
|---|---|---|---|
| Vault passwords & TOTP secrets | AES-256-GCM (client-side) | You (your vault password) | No |
| Shared files (E2EE) | RSA-4096 + AES-256-GCM | Sender + Recipient | No |
| Vault private keys | AES-256-GCM (client-side) | You (your vault DEK) | No |
| Email / phone | AES-256-GCM (server-side) | Server | Yes |
| Spending data | HMAC-SHA256 pseudonyms | Server | Amounts yes, identity pseudonymized |
| Calendar event titles | AES-256-GCM (server-side) | Server | Encrypted at rest (server can decrypt) |
| Calendar event times | Plaintext | N/A | Yes (needed for free/busy) |
| Bookmarks | AES-256-GCM (client-side) | You (vault DEK) | No |
| Contacts (PII fields) | AES-256-GCM (server-side) | Server | Encrypted at rest (server can decrypt) |
| Tasks | Plaintext | N/A | Yes |
| Sticky notes | AES-256-GCM (client-side) | You (vault DEK) | No |
The "Yes" rows are honest. We could have encrypted everything and claimed "zero-knowledge" across the board. But calendar event times need to be readable for free/busy scheduling. And contacts need to be searchable server-side. So we don't pretend. We tell you what we can read.
What We Cannot Do
We cannot read your vault passwords. They're encrypted in your browser before they reach the server. We never see the plaintext. If you lose your vault password, we cannot recover your data. That's the tradeoff of zero-knowledge — and it's the right one.
We cannot read your sticky notes. They're encrypted client-side with your vault key before being sent to the server. We store encrypted blobs we cannot decrypt.
We cannot read files shared through E2EE. The sender encrypts with the recipient's public key. The server transports the ciphertext. We never hold the decryption key.
We will never share your data with anyone. No third parties, no partners, no advertisers, no AI training pipelines. And we will never spend a single second looking at it ourselves. Your data exists to serve you, not us.
We chose to publish this instead of hiding it. Most companies bury this information in vague privacy policies. We put it in a table.
What We Can Do
We can read your calendar event times and tasks. These are stored as plaintext in the database. We can decrypt your email, phone number, calendar event titles, and contact PII fields because the server holds the encryption key. We cannot read your bookmarks or sticky notes — they are encrypted client-side with your vault key.
Why is this OK for now? Three reasons:
- One operator. One person runs this, not 200 employees with varying access levels and motivations.
- No business model conflict. No ads, no data selling, no model training on your content. Your data has zero value to us beyond providing you the service.
- We keep moving data toward encryption. Sticky notes are now E2EE. Calendar event titles are now encrypted at rest. This table reflects reality, not aspirations.
Delete Means Delete
When you delete your data, it's a real SQL DELETE. Not a soft delete. Not a "mark as inactive." Not "we'll get to it in 30 days." The row is removed from the database. Gone means gone.
When you delete your account, every row associated with your user ID is deleted. Vault items, calendar events, contacts, tasks, notes, bookmarks, spending data, session tokens — all of it. We don't keep a ghost profile.
Export Means Everything
When you export your data, you get everything the server has. If we were storing data you didn't know about, you'd see it in the export. The export is a verification mechanism — it proves the transparency matrix is accurate.
Export your data now and see for yourself.
What Secure Means
"Secure" is a word that gets thrown around loosely. Here's what it actually means for your data on Alito.
- Encrypted in transit. All traffic between your browser and our server is encrypted via TLS. Caddy automatically provisions and renews Let's Encrypt certificates. HTTP requests are permanently redirected to HTTPS.
- Encrypted at rest. Sensitive data is encrypted before it's written to the database. Vault items and sticky notes use client-side AES-256-GCM — the server never sees plaintext. PII fields like email and phone use server-side AES-256-GCM — protected against database breach.
- Passwords are hashed, not stored. We use scrypt with a unique 16-byte random salt per user. We don't store your password. We store a one-way hash that can't be reversed.
- No SQL injection. Every database query uses parameterized inputs. User data never touches raw SQL strings.
- Rate limiting. Login attempts, magic links, and AI features are rate-limited to prevent brute-force attacks.
- Cookies are locked down. Authentication cookies are
httpOnly(no JavaScript access),secure(HTTPS only), andSameSite=Strict(no cross-site leakage). - Timing-safe comparisons. Token and password verification use constant-time comparison to prevent timing attacks.
- PII access is logged. Every time the system accesses a PII field (email, phone), it logs who accessed it, why, and from where. This is HIPAA-grade audit logging.
- Key separation. Encryption keys and authentication keys are derived separately using HKDF-SHA256. Compromising one doesn't compromise the other.
Encryption Details
For the technical reader. These are the actual algorithms and key derivation chains.
Your password → PBKDF2-SHA256 (600K iterations) → KEK
KEK wraps DEK → DEK encrypts each item via AES-256-GCM
Server stores: encrypted DEK + encrypted items. Never sees plaintext.
Random AES-256-GCM key per file → encrypts file content
AES key wrapped with recipient's RSA-4096 public key (OAEP)
Server stores: ciphertext + wrapped key. Cannot decrypt either.
AES-256-GCM with server-held key
Encrypted values prefixed with
enc: for detectionServer can decrypt. Protects against database breach, not operator access.
HKDF-derived sub-key → HMAC-SHA256 per merchant name
Irreversible. Server sees amounts but cannot reverse the pseudonym to identify the merchant.
Consistent hashing means same merchant always maps to same pseudonym (for grouping).