saldo.

Why we can't see your transactions.

Most finance apps copy your bank history into their cloud and ask you to trust them with it. Saldo is built so that trust isn't required — your financial data physically never reaches us.

[Diagram]
Data plane: your device (Saldo engine + encrypted cache) exchanges balances and transactions with Enable Banking → your bank (BankID).
Control plane: your device (holds no key) exchanges consent + tokens with the Saldo broker (holds the key, mints tokens).

The point

Financial data only ever moves on the data plane — your device ↔ your bank. Our servers live on the control plane: they run the one-time consent and hand out short-lived keys, and have no endpoint that can receive a transaction.

What runs where

Saldo has three parts, kept strictly separate:

The invariant

Account and transaction data flow only on the hot path: your device ↔ the open-banking provider, directly. The broker is in the loop for consent and token-minting, never for data. There is no server endpoint — anywhere in the system — that can proxy or receive financial data. That's enforced in the code, not written in a privacy policy.

Read-only, always

Saldo requests account-information consents only — the read-only half of open banking. Payment initiation is a separate consent type that Saldo never asks for and has no code for. The strongest guarantee in security is a capability that simply doesn't exist: nothing connected to Saldo — no assistant, no component — can move money.
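
One way the invariant and the read-only rule above could be enforced in code, as an added example that is not Saldo's own code: a broker that mints short-lived read-only tokens and rejects any route or request body outside the control plane. The route names, token format, 300-second lifetime and key are assumptions, and HMAC stands in for whatever signature scheme the real broker uses.

```python
import base64, hashlib, hmac, json

# Every name and value here is an assumption for illustration, not Saldo's code.
BROKER_KEY = b"constructed-demo-key"         # constructed; lives only on the broker
TOKEN_TTL = 300                              # assumed token lifetime in seconds
READ_ONLY_SCOPE = "account-information"      # assumed label for the read-only consent
CONTROL_ROUTES = {"/consent/start", "/token/mint"}   # hypothetical route names
FINANCIAL_KEYS = {"balances", "transactions"}

def _sign(body: str) -> str:
    return hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()

def mint_token(account_id: str, now: int) -> str:
    """Broker side: the scope is fixed, so no caller can ask for another one."""
    claims = {"sub": account_id, "scope": READ_ONLY_SCOPE, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"

def verify_token(token: str, now: int) -> dict:
    """Verifier side: check the signature first, then expiry and scope."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["scope"] != READ_ONLY_SCOPE:
        raise ValueError("scope not read-only")
    return claims

def contains_financial_data(obj) -> bool:
    """Look for financial keys at any depth of a request body."""
    if isinstance(obj, dict):
        return any(k in FINANCIAL_KEYS or contains_financial_data(v)
                   for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_financial_data(v) for v in obj)
    return False

def broker_handle(route: str, body: dict, now: int) -> dict:
    """Broker entry point: control-plane routes only, never financial payloads."""
    if route not in CONTROL_ROUTES or contains_financial_data(body):
        return {"status": 400}
    if route == "/token/mint":
        return {"status": 200, "token": mint_token(body["account_id"], now)}
    return {"status": 200}
```
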

Open source, so you don't have to trust us

The part that touches your financial data — the connector — is fully open source. You don't have to take our word for any of the above; you can read exactly what it does, and run it yourself with your own keys, no account with us required.

Read the code on GitHub →

What our servers do store (managed tier)

Only what's needed to keep your consent alive: your account identifiers and the encrypted consent tokens, so the broker can mint short-lived keys for your device. No balances. No transactions. If the broker were breached, there would be no financial history to take — and tokens can be revoked at your bank in one click.

Serving other people's accounts requires a licensed open-banking agreement; until then the managed broker runs against the operator's own accounts. See the architecture doc for the full technical detail and the honest open questions.