
REFERENCE

Security & privacy.

Where data lives, who can read it, and what happens when something goes wrong.

Spent is built to be the kind of finance app you’d actually trust with your bank password. That means telling a clear story about where your data goes and who can see it.

Everything Spent saves lives inside the data/ folder of your install directory. Two files:

  • data/spent.db — a SQLite database with your encrypted bank credentials, transactions, categories, and settings.
  • data/.encryption-key — a 32-byte random key generated on first run.

Both files are local. Spent never uploads them. There is no “Spent cloud.”

Bank passwords (and your Claude API key, if you use one) are encrypted with AES-256-GCM before being written to the database. The 32-byte key in data/.encryption-key is the one used to encrypt and decrypt.

This means:

  • If someone copies just data/spent.db off your computer, they cannot read your passwords.
  • If you delete data/.encryption-key, your saved credentials are unrecoverable — the next sync will fail until you re-enter passwords.
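The two bullet points above follow directly from how AES-256-GCM behaves. The snippet below is an added illustration written for this page, not the project’s src/server/lib/encryption.ts: it generates the same kind of 32-byte random key, encrypts a secret under a fresh 12-byte IV, stores the IV and authentication tag alongside the ciphertext, and shows that decryption with a different key or with a modified ciphertext fails at tag verification rather than returning garbage. Function names, the hex layout and the tamper helper are assumptions made for the example.

```typescript
// Added example, not Spent's own encryption.ts. Demonstrates the properties
// the page relies on: a 32-byte key, AES-256-GCM, and authenticated decryption.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const KEY_BYTES = 32; // AES-256 key length; matches the 32-byte key on the page
const IV_BYTES = 12;  // standard GCM nonce length
const TAG_BYTES = 16; // GCM authentication tag length

// The equivalent of what data/.encryption-key holds: 32 random bytes.
function generateKey(): Buffer {
  return randomBytes(KEY_BYTES);
}

// Encrypt a secret. Output layout (hex-encoded): iv || tag || ciphertext.
// The IV must be fresh for every call: reusing one under the same key breaks
// both confidentiality and GCM's authentication guarantee.
function encryptSecret(key: Buffer, plaintext: string): string {
  if (key.length !== KEY_BYTES) throw new Error("key must be 32 bytes");
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, ct]).toString("hex");
}

// Decrypt and verify. decipher.final() throws when the tag does not match,
// which is what happens with the wrong key or with altered ciphertext.
function decryptSecret(key: Buffer, blob: string): string {
  if (key.length !== KEY_BYTES) throw new Error("key must be 32 bytes");
  const raw = Buffer.from(blob, "hex");
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error("ciphertext too short");
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ct = raw.subarray(IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Non-throwing wrapper for the two failure cases the page describes:
// a missing/wrong key, or a copied database edited offline.
function tryDecrypt(key: Buffer, blob: string): string | null {
  try {
    return decryptSecret(key, blob);
  } catch {
    return null;
  }
}

// Simulates an attacker editing the stored ciphertext: flip one bit of the
// last ciphertext byte. GCM's tag check must reject the result.
function tamperLastByte(blob: string): string {
  const raw = Buffer.from(blob, "hex");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("hex");
}

// Stand-alone run: shows a round trip plus both failure modes.
function demo(): { roundTrip: string; wrongKey: string | null; tampered: string | null } {
  const key = generateKey();
  const blob = encryptSecret(key, "constructed-bank-password");
  return {
    roundTrip: decryptSecret(key, blob),
    wrongKey: tryDecrypt(generateKey(), blob),
    tampered: tryDecrypt(key, tamperLastByte(blob)),
  };
}

console.log(demo());
```

Two design points carry over to any real implementation: the IV and tag are not secret and can sit next to the ciphertext in the database row, and the key must be the only thing kept outside it, which is exactly why deleting data/.encryption-key makes the stored credentials unrecoverable.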

Three kinds of traffic happen during a sync:

  1. Bank logins — Spent opens a headless Chromium tab and logs into your bank’s website using the credentials you provided. This traffic goes directly between your computer and your bank.
  2. AI categorization — if you chose Claude, only the merchant name and amount of each new transaction are sent to Anthropic’s API in batches of 50. Your bank credentials are never sent. If you chose Ollama, this traffic stays on your machine.
  3. No analytics, no telemetry, no crash reports. Spent does not phone home. Ever.
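Item 2 above is a data-minimization claim: only the merchant name and amount leave the machine, in batches of 50. The snippet below is an added example, not Spent’s scraper or AI code, showing how such a guarantee is usually enforced and checked: an allowlist projection that builds a new object from the two permitted fields, a chunker for the batch size, and a pre-send check that reports any other key. The row shape, field names and sample data are constructed for the example and are not Spent’s actual schema.

```typescript
// Added example, not Spent's own code. Allowlist projection and batching for
// the AI categorization step described on the page.
const BATCH_SIZE = 50;

// A row as it might sit in spent.db. Constructed for this example; the
// field names are assumptions, not Spent's schema.
interface StoredTransaction {
  id: number;
  merchant: string;
  amount: number;
  accountNumber: string; // must never reach a third party
  memo: string;
}

interface CategorizationItem {
  merchant: string;
  amount: number;
}

// Allowlist projection: copy the two permitted fields and nothing else.
// Building a fresh object (rather than deleting keys from the row) means a
// column added to the schema later is not sent by accident.
function toCategorizationItem(tx: StoredTransaction): CategorizationItem {
  return { merchant: tx.merchant, amount: tx.amount };
}

// Split new transactions into batches of at most BATCH_SIZE projected items.
function batchForCategorization(txs: StoredTransaction[]): CategorizationItem[][] {
  const batches: CategorizationItem[][] = [];
  for (let i = 0; i < txs.length; i += BATCH_SIZE) {
    batches.push(txs.slice(i, i + BATCH_SIZE).map(toCategorizationItem));
  }
  return batches;
}

// Pre-send guard: list every key in the outgoing batch that is not on the
// allowlist. Run this in tests; a refactor of toCategorizationItem is exactly
// the kind of change that silently starts leaking fields.
const ALLOWED_KEYS = new Set(["merchant", "amount"]);
function leakedKeys(batch: object[]): string[] {
  const leaked = new Set<string>();
  for (const item of batch) {
    for (const key of Object.keys(item)) {
      if (!ALLOWED_KEYS.has(key)) leaked.add(key);
    }
  }
  return Array.from(leaked);
}

// Constructed sample data with the sensitive columns populated.
function sampleTransactions(n: number): StoredTransaction[] {
  return Array.from({ length: n }, (_, i) => ({
    id: i + 1,
    merchant: i % 2 === 0 ? "COFFEE CO" : "GROCER",
    amount: -(i + 1) * 1.25,
    accountNumber: "ACCT-PLACEHOLDER-" + String(1000 + i), // constructed value
    memo: "internal note " + i,
  }));
}

// Stand-alone run: 120 rows become 3 batches (50, 50, 20) with no extra keys.
function demo(): { batchSizes: number[]; leaked: string[] } {
  const batches = batchForCategorization(sampleTransactions(120));
  return {
    batchSizes: batches.map((b) => b.length),
    leaked: batches.flatMap(leakedKeys),
  };
}

console.log(demo());
```

The same pattern applies to the Ollama path even though that traffic stays local: projecting at the boundary keeps the prompt in src/server/ai/prompts.ts from ever seeing credential or account fields, regardless of which provider receives it.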

Logging into your bank’s website with an automation tool is not the same as using the official app. Banks may, in principle:

  • Lock your account temporarily if fraud detection sees something unusual.
  • Terminate your relationship with them if they consider it a breach of terms.

In practice, this is rare for read-only scraping that happens infrequently. But it’s a real risk and you should know about it. Read the Disclaimer for the full version.

If you find a security issue, please don’t open a public issue. Email the maintainer (address in SECURITY.md in the repo). We’ll respond within 72 hours.

For non-security bugs, GitHub Issues is the right place.

Spent is open source. Relevant files:

  • src/server/lib/encryption.ts — the AES-256-GCM helpers.
  • src/server/scrapers/index.ts — the bank scraping wrapper.
  • src/server/ai/prompts.ts — the exact prompt sent to AI providers.

You are encouraged to read it, and to fork it.
