Yes, we're not interested in your data. You can choose to encrypt it on your device, which means that our servers or databases never see or record it.
The core concept of Capitally is that all of your data is kept on your device. Our servers only store a copy of your project for syncing between devices and it's completely fine if you block those requests.
The only thing that we “see” is which market symbols you interacted with - searched for, or fetched prices, but we don't tie it to your account.
By encrypting your data, we aim to protect it from:
unauthorized access to data stored in our databases, either by employees, hackers or government agencies
unauthorized access on your device, but only as long as you protect your browser's profile from direct access, or you don't choose “remember me“ option when logging in
We cannot protect it from:
supply-chain/man-in-the-middle attacks where attackers replace our source code
unauthorized writes or deletes made in our databases or on client device
detecting project activity - project metadata, like operation type and timestamps are not encrypted
When creating a project you have a choice to encrypt it with:
User Password - when you log-in, we use PBKDF2
to derive two passwords from the one you enter, using two separate salts. First password is used to authenticate you - this way our auth servers (Google Identity Platform) never receive the password you typed, so it’s not possible to derive the second password from that. That second password is used to encrypt (with AES-GCM
) a set of private keys that will be used in project encryption. There's an option to securely store that encryption key in your browser, so you don't have to type it again.
Project Password - the same as above, just you'll be asked for a separate project password that will be used to derive the encryption key.
Remote Key - once you log-in, application retrieves an encryption key from the server. The key is not stored in the database, instead it's derived from a combination of user credentials, salt and our own private key. The endpoint is segregated from other endpoints and it's the only one that has access to the key.
Every project’s user (currently there can be only one, but system is ready to introduce project sharing) has a set of private & public keys (RSA-OAEP
). The private key is encrypted with the already mentioned main encryption key. It's used to decrypt a share key (another AES-GCM
) which in turn is used to encrypt/decrypt project data. There can be multiple share keys per project (eg. for each set of data shared between same users).
The public key is used to encrypt share keys issued to the user, and sign messages generated by the backend (eg new transactions from a broker) - so that only the user can read them.
It’s worth noting, that once you enter a password, it’s not stored nor sent anywhere. The encryption keys can be stored, but are not exportable, meaning, they can be used to decrypt the data, but the key itself cannot be read - the application literally doesn't have access to it.
We use webcrypto for all encryption-related tasks, including generating random numbers
Capitally is a closed-sourced project, but the client app is written in TypeScript, and all the source maps are freely available. All the network communication is also easily verifiable in the browser's dev tools.
Like with every piece of software it all comes down to trust. You need to trust us, that we (or a hacker) won’t covertly change that code and steal the encryption keys or passwords.
Not sure if it changes anything, but we use Capitally ourselves, and we chose to implement end-to-end encryption because we want to keep that data private. We're taking the utmost care to keep it that way.
We don't want to know your financial details, but in order to improve the app and help you in case of issues, we collect some usage data if you allow us to. Specifically we currently gather:
your user ID
page URL which may contain the asset ID
URLs of network requests (which will contain market asset IDs)
elements you click (their system ID only)
system log messages (which may contain market asset IDs)
If you don't allow us to identify you, we won't be storing any of the IDs mentioned above. In such case we just log errors and some very minimal feature usage, in a completely anonymous way, without IDs or detailed logs.
Things we never gather:
size or value of your investments
names, notes or any text you create yourself
custom quote sources