Privacy Policy
1. TL;DR
iKasa is an end-to-end (E2E) encrypted personal finance tool. Your data is encrypted on your device before being uploaded; the server only stores ciphertext. No one — including the iKasa team — can read your data.
2. What we collect
Information you provide
An email address and password for account creation (the password is hashed locally with Argon2id before leaving your device — the server never sees plaintext). Optional nickname.
Minimal automatic technical info
To operate the service and detect abuse, we record:
- Device fingerprint (platform, OS, app version, model, UA, language, timezone)
- IP address at login time (for anomalous-login detection, anonymized after 30 days)
- Server request logs (no financial content; rotated after 7 days)
3. What we do NOT collect
iKasa intentionally does not collect:
- Plaintext entries — amounts, categories, notes are all end-to-end encrypted
- Plaintext passwords — server keeps only a bcrypt hash; we cannot recover or read your password
- Third-party trackers / ad IDs — no Google Analytics, no Facebook Pixel, no analytics SDK
4. Encryption details
On signup, the client derives a Master Key from your password (Argon2id KDF, ~250ms) and uses it with XChaCha20-Poly1305 to encrypt all entries and notes. Ciphertext goes to the server; plaintext never leaves your device.
We additionally provide a 12-word BIP39 recovery phrase. Even if you forget your password, the phrase lets you retrieve your data from the server and decrypt it. This is the only technical recovery path; losing both your password and the phrase means losing your data.
5. Storage & location
The server is hosted on a Tokyo VPS (XServer) and served over HTTPS with auto-renewing Let's Encrypt certificates. All transport uses TLS 1.2+.
Local data is stored encrypted in IndexedDB (web/desktop) or SQLite (mobile). Uninstalling the app removes everything.
6. Your rights
At any time, you can:
- Export all entries as CSV (one-click in app)
- Delete individual records, clear the account, or fully delete the account (server purges ciphertext within 7 days)
- Sign out a specific device (Settings → Devices → Sign out)
- Email hello@ikasa.me to request a data copy or deletion (under GDPR / Japan APPI)
7. Cookies & local storage
We use only essential local storage: JWT token for staying signed in, encryption config, language preference. No third-party cookies, no behavioral tracking.
8. Policy updates
Material changes are announced in-app at least 30 days before taking effect. Historical versions are kept in our changelog.
9. Contact
Privacy questions: