How we protect your data
Full transparency. No marketing. Just the facts about what is encrypted, what is readable, and what we can and cannot access.
The model in plain English
- Your vault is encrypted on your device. Your key is derived from your password and never leaves your browser.
- We store ciphertext. We cannot read your vault.
- A few fields (merchant, amount, date, category) are stored alongside the encrypted record to make search and summaries fast. Everything else is ciphertext.
- When you connect an AI service, it gets its own key and its own encrypted copy of only the fields you chose — never your vault.
What is encrypted, exactly
Row by row, field by field. If a claim here ever stops matching the code, that is a bug — tell us.
| Data | Encrypted on your device | Visible to our servers |
|---|---|---|
| Profile dimensionsBasics, interests, preferences, health, values, notes | Everything — encrypted in your browser before upload | Ciphertext, plus each dimension's name and when it last changed |
| Transaction detailsLine items, notes, order numbers, the full receipt | The full record | Ciphertext only |
| Transaction search fields*Merchant, amount, currency, date, category, sender email | Included inside the encrypted record too | Stored readable, so search and spending summaries stay fast |
| Share viewsYour saved sharing selections | All selections and settings | Ciphertext, plus timestamps |
| Shared copies for AI connections†The fields you chose for each connection | Encrypted with that connection's own key — only the fields you chose | Ciphertext, plus which dimensions you shared with each connection |
| Account emailThe address you sign in with | Not encrypted | Yes — we need it to sign you in and send account email |
*A few fields (merchant, amount, date, category) are stored alongside the encrypted record to make search and summaries fast. Everything else is ciphertext.
†Each connection gets its own key and its own encrypted copy of only the fields you chose. During an active AI request the shared copy (never your vault) is decrypted briefly in server memory.
How encryption works
Your password derives your key in the browser. Data is encrypted before it leaves your device — only ciphertext crosses the internet and only ciphertext is stored.
How sharing works
Nothing leaves your hub without passing a filter you set. A Share View selects the fields; only those flow onward — as a live AI connection or a downloadable file.
Your key, and what happens if you forget
Where your key comes from
Your encryption key is derived from your password in your browser (PBKDF2-SHA-256, 100,000 iterations, with a per-account salt). It never leaves your browser. Every item you save is encrypted with it (XSalsa20-Poly1305) before it reaches our servers.
We never see your password and never store your key. Signing out wipes the key from your browser.
Your 12-word recovery phrase
When you set up your account, you get a 12-word recovery phrase. It wraps a copy of your key so that you — and only you — can get back in if you forget your password. We store only the encrypted result; the phrase itself never leaves your device.
If you forget your password: enter your recovery phrase, choose a new password, and your data is re-encrypted under the new key. Nothing is lost.
If you lose both your password and your phrase, we cannot recover your data. Not because we won't — because we can't. That is the point of the design. You can still keep your account and start fresh.
How AI sharing works (Personal MCP)
Each connection gets its own key and its own encrypted copy of only the fields you chose. During an active AI request the shared copy (never your vault) is decrypted briefly in server memory, sent to your AI service, and the key is discarded.
Personal MCP supports two connection methods, each with a different key storage model:
- Manual connection URL: The share key exists only in your connection URL and in your browser (encrypted with your vault key). We never store it. We store only a SHA-256 hash for revocation.
- Directory connection (OAuth): The share key is stored on our server, encrypted with a server-side key-encryption-key, and decrypted only during active requests from your AI service. This is a trade-off: easier setup, but the key is server-stored (encrypted) rather than client-only.
Each AI connection has its own key. Revoking one deletes its shared copy and does not affect any other. Your vault key is never involved in serving MCP requests.
What we want you to know
We believe trust requires honesty about limitations, not just strengths.
- 1
During an active MCP request, your shared copy (never your vault) is decrypted briefly in server memory. A sophisticated memory-level attack during this window could theoretically expose shared data. We mitigate this by discarding the key immediately after each request.
- 2
Your manual MCP connection URL contains your share key. Anyone who obtains this URL can read your shared data. Treat it like a password. We warn you about this during setup and never display URLs in logs or analytics.
- 3
Once your data reaches an AI service (Claude, ChatGPT, etc.), it is subject to that service's privacy policy. We cannot control how they process or retain your data.
- 4
Your encrypted data is stored on Supabase (PostgreSQL hosted on AWS). While the data is encrypted and we do not store your vault key, the infrastructure provider has access to the ciphertext. An attacker who obtained both the ciphertext and the key could decrypt the data.
- 5
Connection tokens are stored in your browser's localStorage, encrypted with your vault key. If someone has physical access to your device and knows your password, they could access your tokens.
Our infrastructure
We use a small number of services to run Personal Hub. Here is where your data touches each one.
Supabase (AWS eu-central-1)
Hosts our database. Stores your encrypted vault data, the readable search fields listed in the table above, and encrypted MCP shared data.
Vercel (AWS)
Hosts our website and API routes, including the MCP server. Processes requests in server memory. Does not persist user data.
Anthropic
Our AI provider for receipt parsing and categorization. Receives receipt text transiently during import, retains inputs for up to 7 days for safety monitoring, then deletes them. Never used for training.
Stripe
Processes payments for Premium subscriptions. Receives your email and payment method. Does not receive any hub data.
Cloudflare
DNS and basic analytics (page views, country-level). Does not receive any hub data.
Postmark
Sends transactional emails (verification codes, etc.). Receives your email address. Does not receive any hub data.
Our commitments
Your vault key is derived from your password and never leaves your browser.
We store ciphertext. We cannot read your vault.
Each AI connection has its own encryption key, separate from your vault key.
You can export all your data, on any plan, at any time, for free.
You can revoke any AI connection instantly. Revoking deletes all shared data.
Our encryption code is open source and available for independent audit.
We are funded entirely by subscribers. No investors. No ads. No data selling.
We do not store your password or your vault key.
We do not store MCP share keys in plaintext. Manual connections: the key is never stored. Directory connections: the key is encrypted with a server-side key-encryption-key.
We do not log the content of MCP requests.
We do not access your AI conversations.
We do not sell, rent, or share your data.
We do not use your data to train any model.
Found a vulnerability?
If you discover a security issue, please email security@personalhub.io with the details and steps to reproduce. We read every report, respond as fast as we can, and will credit you (with your permission) once the issue is fixed.
Please give us a reasonable window to fix the issue before public disclosure. We will never take legal action against good-faith security research.