Is JewelKhata safe?

Short answers first. Technical details below — read only if you want to.

Page last reviewed: May 27, 2026

In plain language

What happens if someone steals my phone?

Your data is locked. Without your PIN, the records on your phone are unreadable — even if someone connects the phone to a computer and copies the database file. There is no way to open the data without the PIN. Not by us, not by the police, not by any technical means.

Can JewelKhata read my data?

No. Your data never leaves your phone. There is no cloud, no server, no backup we hold. We physically cannot read your records because we never receive them. This is not a policy choice — it is built into how the app works.

What is the Decoy PIN?

A second PIN you set up. When entered, it opens a completely separate empty vault. The app behaves normally — same screens, same colors — but shows safe or fake records. Useful in situations where you are pressured to unlock the app and want to show something harmless.

What if I forget my PIN?

Your data is permanently lost. We cannot recover it. There is no "forgot password" link, no reset email, no master key. This is the price of true privacy — and we have made it the default. Write your PIN down somewhere safe (not on your phone).

Does the app send my data to any server?

No. The app does not require an internet connection at all. We do not collect analytics about your business data. We do not share or sell information. The only thing the app talks to the internet for is to check your subscription status with the Play Store or App Store.

Is the app safer than writing in a notebook?

For most situations, yes. A notebook can be read by anyone who finds it. The app requires your PIN to open and the data inside is mathematically scrambled. The Decoy PIN gives you an option that a notebook cannot offer — a "second book" that opens with a different key.

How does it work technically?

Written for developers, security auditors, and curious shop owners. Skip this section if the answers above are enough.

How is the data stored on my phone?

The local SQLite database is encrypted with SQLCipher using AES-256 in CBC mode. Without your PIN, the database file is mathematical noise — unreadable even if someone copies it off your device.

How is the PIN turned into an encryption key?

Your 4–6 digit PIN is never stored. Instead, it goes through PBKDF2 with 100,000 iterations and a random salt to derive the database key. This makes brute-force guessing impractical on commodity hardware: even with a fast GPU, trying every 6-digit PIN against the derived key would take months per device.

How does the Decoy PIN work, technically?

Two PINs, two separate encrypted databases (owner_vault.db, decoy_vault.db). Each PIN derives a different key with its own salt. From the file system, both files look identical — random bytes — and there is no way to tell which one is which. Entering one PIN opens one database; entering the other PIN opens the other.
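An added example, not JewelKhata's own code: the PIN-to-key derivation described in the two answers above (PBKDF2, 100,000 iterations, one salt per vault), plus a way for an auditor to measure the derivation cost against the 4 to 6 digit PIN space on their own hardware. HMAC-SHA256, the 16-byte salt length and all function names are assumptions; the page does not specify them.

```python
import hashlib
import os
import time

ITERATIONS = 100_000  # from the page
KEY_LEN = 32          # 256-bit key for AES-256
PRF = "sha256"        # assumption: the page does not name the PBKDF2 hash
SALT_LEN = 16         # assumption: salt length is not stated on the page


def derive_key(pin: str, salt: bytes) -> bytes:
    """PIN + per-vault salt -> database key; the PIN itself is never stored."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 6):
        raise ValueError("PIN must be 4-6 ASCII digits")
    return hashlib.pbkdf2_hmac(PRF, pin.encode(), salt, ITERATIONS, KEY_LEN)


def keyspace(min_len: int = 4, max_len: int = 6) -> int:
    """Number of distinct PINs of the allowed lengths."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def seconds_per_derivation(samples: int = 3) -> float:
    """Measure one derivation on this machine (best of a few runs)."""
    salt = os.urandom(SALT_LEN)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("000000", salt)
        best = min(best, time.perf_counter() - start)
    return best


def exhaustive_seconds(per_derivation: float, pins: int, workers: int = 1) -> float:
    """Upper bound on KDF time to cover `pins` candidates at a measured cost."""
    return per_derivation * pins / workers


if __name__ == "__main__":
    # Constructed salts and PIN; in the app each vault would have its own salt.
    owner_salt, decoy_salt = os.urandom(SALT_LEN), os.urandom(SALT_LEN)
    same_pin = "482913"
    differ = derive_key(same_pin, owner_salt) != derive_key(same_pin, decoy_salt)
    print("same PIN, different salt gives a different key:", differ)
    cost = seconds_per_derivation()
    for digits in (4, 5, 6):
        hours = exhaustive_seconds(cost, 10 ** digits) / 3600
        print(f"{digits}-digit PINs: {10 ** digits:,} candidates, {hours:.2f} h on one core")
```

The figure measured here is for one CPU core running Python's OpenSSL-backed PBKDF2; parallel or dedicated hardware lowers it, so an audit should rerun the measurement on the hardware in its threat model.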

How does the biometric unlock work?

Fingerprint or face unlock is supported via the platform secure enclave (Android Keystore / iOS Secure Enclave). Biometric authentication unlocks only the real PIN. The decoy PIN must always be typed — this is intentional so biometric authentication cannot accidentally reveal the existence of a second vault.

Why is there no password recovery?

If we could reset your PIN, anyone who controlled our servers (or compelled us via legal process) could recover your data. The only way to make "no one can read this without your PIN" a true statement is to make it impossible to recover the PIN. So we did.

Still have a question?

Privacy claims should be auditable. We are happy to explain any of this in more detail or share the relevant source files.

Contact us