Most privacy policies are a promise: we could read your data, but we promise we won't. We decided that's the wrong shape for a tool that holds your client list, your deal values, and your private notes. So we locked in a different architecture — one where your business content is scrambled on your own device before it ever reaches our servers, and what we store is unreadable to us. Not a promise not to look. An inability to.
When you write a client note or a deal value, it's encrypted in your browser first. What travels to us, and what sits in our storage, is meaningless scrambled data. We can't read it. We can't be compelled to hand a readable copy to anyone, because we don't have one. And if our infrastructure were ever breached, the attacker would walk away with the same scrambled blob we hold — useless without the key. This is the model ProtonMail uses for email and Bitwarden uses for passwords: security by mathematics, not by policy.
The key that unlocks your data is derived from your password and never leaves your device. That has a hard consequence we won't paper over: if you lose your password and your recovery phrase, your data is gone — permanently, by design. So at sign-up we show you a short recovery phrase to write down, the same way a password manager or a crypto wallet does. It's the trade you make for a vault that even the people who built it can't open. We think it's the right trade for the people whose livelihood is in the box.
Principles get tested by edge cases, and one bit us in the open. A contract we generated went out signed "Personal Workspace" instead of the user's company name — because the company name was encrypted, and the server that builds the document couldn't read it to print it. Encrypting that field protected almost nothing and broke something real. So we carved out a small, deliberate exception: your public business identity — the legal and trading name, tax ID, address, and the email and bank details that already appear on every invoice you send — is readable by the server so it can render your documents. It's the information that already sits in the public company register. Everything else — clients, amounts, notes, the actual content of your work — stays zero-knowledge. We'd rather name the exception out loud than pretend the principle is absolute when it isn't.
The strongest privacy claim isn't "we won't look." It's "we can't." The honest version adds: "…except for the handful of things we told you about, and here's why."
The server can see what it needs to run: your login email, your plan, the numbers and dates that make overdue reminders and dashboard totals work, status flags like paid or unpaid, and the public business identity above. It can't see your client list, your invoice descriptions, your deal values, or your private notes. That line is where we drew it, it's written down, and when we move it — as we just did, once — we'll tell you where and why.
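The split between server-readable fields and zero-knowledge content, together with the password-derived key described earlier, sketched as an added example that is not this product's code. The field names, the PBKDF2 parameters and the choice of PBKDF2 with AES-GCM are assumptions, since the page does not name its algorithms.

```javascript
// Added illustration. Field names, KDF parameters and cipher are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Fields the server needs in plaintext for reminders and document rendering (assumed names).
const SERVER_READABLE = new Set(['businessName', 'status', 'dueDate']);

// Derive a non-extractable AES key from the password. Runs only on the client.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Readable fields stay plaintext; everything else is sealed into one authenticated blob.
async function sealRecord(key, record) {
  const plain = {}, secret = {};
  for (const [k, v] of Object.entries(record)) (SERVER_READABLE.has(k) ? plain : secret)[k] = v;
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce for every record
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(secret)));
  return { ...plain, iv, sealed: new Uint8Array(ct) }; // this object is all the server stores
}

// Client-side read path: fails (rejects) if the key is wrong or the blob was altered.
async function openRecord(key, stored) {
  const { iv, sealed, ...plain } = stored;
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, sealed);
  return { ...plain, ...JSON.parse(dec.decode(pt)) };
}

// Constructed sample data, not real customer content.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16)); // stored with the account, not secret
  const key = await deriveKey('correct horse battery staple', salt);
  const record = { businessName: 'Example Ltd', status: 'unpaid', dueDate: '2025-01-31',
                   clientName: 'Constructed Client', dealValue: 4200, notes: 'constructed note' };
  const stored = await sealRecord(key, record);
  const wrongKey = await deriveKey('wrong password', salt);
  const wrongFails = await openRecord(wrongKey, stored).then(() => false, () => true);
  return { stored, roundTrip: await openRecord(key, stored), wrongFails };
}
```

Because the key is imported as non-extractable and derived from the password alone, nothing in `stored` lets the server recover `clientName`, `dealValue` or `notes`, which is also why a lost password with no recovery phrase leaves the blob undecryptable.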