Most finance apps copy your bank history into their cloud and ask you to trust them with it. Saldo is built so that trust isn't required — your financial data physically never reaches us.
Financial data only ever moves on the data plane — your device ↔ your bank. Our servers live on the control plane: they run the one-time consent and hand out short-lived keys, and have no endpoint that can receive a transaction.
Saldo has three parts, kept strictly separate:
Account and transaction data flow only on the hot path: your device ↔ the open-banking provider, directly. The broker is in the loop for consent and token-minting, never for data. There is no server endpoint — anywhere in the system — that can proxy or receive financial data. That's enforced in the code, not written in a privacy policy.
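One way to turn the "no endpoint can receive financial data" claim into a failing build check, shown here as an added example that is not Saldo's own code. The route manifest, the field names and the `audit_routes` helper are all hypothetical, and the manifests are constructed sample data.

```python
# Added illustration, not Saldo's code: manifest layout and field names are assumptions.
FINANCIAL_FIELDS = {"balance", "balances", "transaction", "transactions",
                    "amount", "counterparty"}
ALLOWED_PURPOSES = {"consent", "token"}  # the control plane does nothing else

def schema_fields(schema, prefix=""):
    """Yield the dotted path of every field in a nested dict/list schema."""
    if isinstance(schema, dict):
        for key, value in schema.items():
            path = f"{prefix}.{key}" if prefix else key
            yield path
            yield from schema_fields(value, path)
    elif isinstance(schema, list):
        for item in schema:
            yield from schema_fields(item, prefix)

def audit_routes(routes):
    """Return (route, reason) violations; an empty list means control-plane only."""
    violations = []
    for route in routes:
        name = f'{route["method"]} {route["path"]}'
        if route["purpose"] not in ALLOWED_PURPOSES:
            violations.append((name, f'purpose {route["purpose"]!r} not allowed'))
        for side in ("request", "response"):
            for path in schema_fields(route.get(side, {})):
                # Match on the leaf name so nested payloads are caught too.
                if path.rsplit(".", 1)[-1].lower() in FINANCIAL_FIELDS:
                    violations.append((name, f"{side} carries {path}"))
    return violations

# Constructed manifest: consent start and short-lived token minting only.
CONTROL_PLANE = [
    {"method": "POST", "path": "/consent/start", "purpose": "consent",
     "request": {"bank_id": "str"}, "response": {"redirect_url": "str"}},
    {"method": "POST", "path": "/token/mint", "purpose": "token",
     "request": {"account_id": "str"},
     "response": {"access_token": "str", "expires_in": "int"}},
]
# Constructed regression: someone adds a route that proxies account history.
LEAKY = CONTROL_PLANE + [
    {"method": "GET", "path": "/accounts/{id}/history", "purpose": "proxy",
     "request": {"account_id": "str"},
     "response": {"items": [{"booked": {"amount": "str"}}]}},
]

if __name__ == "__main__":
    print(audit_routes(CONTROL_PLANE))
    print(audit_routes(LEAKY))
```

Run in CI against the broker's real route definitions, a check of this shape fails the build when a route is added that could carry account data.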
Saldo requests account-information consents only — the read-only half of open banking. Payment initiation is a separate consent type that Saldo never asks for and has no code for. The strongest guarantee in security is a capability that simply doesn't exist: nothing connected to Saldo — no assistant, no component — can move money.
The part that touches your financial data — the connector — is fully open source. You don't have to take our word for any of the above; you can read exactly what it does, and run it yourself with your own keys, no account with us required.
Only what's needed to keep your consent alive: your account identifiers and the encrypted consent tokens, so the broker can mint short-lived keys for your device. No balances. No transactions. If the broker were breached, there would be no financial history to take — and tokens can be revoked at your bank in one click.
Serving other people's accounts requires a licensed open-banking agreement; until one is in place, the managed broker runs against the operator's own accounts. See the architecture doc for the full technical detail and the honest open questions.