Is my data safe?

Data lives on your device

The core concept of Capitally is that all of your data is kept on your device. Our servers only store a copy of your project for syncing between devices and it's completely fine if you block those requests.

The only thing that we “see” is which market symbols you interacted with - searched for, or fetched prices, but we don't tie it to your account.

Projects are encrypted by default

By encrypting your data, we aim to protect it from:

  • unauthorized access to data stored in our databases, either by employees, hackers or government agencies

  • unauthorized access on your device, but only as long as you protect your browser's profile from direct access, or you don't choose “remember me“ option when logging in

We cannot protect it from:

  • supply-chain/man-in-the-middle attacks where attackers replace our source code

  • unauthorized writes or deletes made in our databases or on client device

  • detecting project activity - project metadata, like operation type and timestamps are not encrypted

Modes of encryption

When creating a project you have a choice to encrypt it with:

  1. User Password - when you log-in, we use PBKDF2 to derive two passwords from the one you enter, using two separate salts. First password is used to authenticate you - this way our auth servers (Google Identity Platform) never receive the password you typed, so it’s not possible to derive the second password from that. That second password is used to encrypt (with AES-GCM) a set of private keys that will be used in project encryption. There's an option to securely store that encryption key in your browser, so you don't have to type it again.

  2. Project Password - the same as above, just you'll be asked for a separate project password that will be used to derive the encryption key.

  3. Remote Key - once you log-in, application retrieves an encryption key from the server. The key is not stored in the database, instead it's derived from a combination of user credentials, salt and our own private key. The endpoint is segregated from other endpoints and it's the only one that has access to the key.

Every project’s user (currently there can be only one, but system is ready to introduce project sharing) has a set of private & public keys (RSA-OAEP). The private key is encrypted with the already mentioned main encryption key. It's used to decrypt a share key (another AES-GCM) which in turn is used to encrypt/decrypt project data. There can be multiple share keys per project (eg. for each set of data shared between same users).

The public key is used to encrypt share keys issued to the user, and sign messages generated by the backend (eg new transactions from a broker) - so that only the user can read them.

It’s worth noting, that once you enter a password, it’s not stored nor sent anywhere. The encryption keys can be stored, but are not exportable, meaning, they can be used to decrypt the data, but the key itself cannot be read - the application literally doesn't have access to it.

Is the code open-sourced and verified?

Capitally is a closed-sourced project, but the client app is written in TypeScript, and all the source maps are freely available. All the network communication is also easily verifiable in the browser's dev tools.

Like with every piece of software it all comes down to trust. You need to trust us, that we (or a hacker) won’t covertly change that code and steal the encryption keys or passwords.

Not sure if it changes anything, but we use Capitally ourselves, and we chose to implement end-to-end encryption because we want to keep that data private. We're taking the utmost care to keep it that way.

Analytics & error tracking

We don't want to know your financial details, but in order to improve the app and help you in case of issues, we collect some usage data if you allow us to. Specifically we currently gather:

  • your user ID

  • page URL which may contain the asset ID

  • URLs of network requests (which will contain market asset IDs)

  • elements you click (their system ID only)

  • system log messages (which may contain market asset IDs)

If you don't allow us to identify you, we won't be storing any of the IDs mentioned above. In such case we just log errors and some very minimal feature usage, in a completely anonymous way, without IDs or detailed logs.

Things we never gather:

  • size or value of your investments

  • names, notes or any text you create yourself

  • custom quote sources