personal data · encrypted on this device

Your data stays with you.The apps come to it.

PrivyDB is a personal data vault that runs locally on your device. Apps ask questions about your records; the answers leave, the records don't. No accounts. No passwords. No server holding your life.

  • biometric only
  • AES-GCM 256
  • open spec
vault.privydb.mewallet · A1finance-coach.ai wants to connectChart 30 days of spending — computed in your vault.financetransactions · 30dhealth— not requestedcalendar— not requesteda logged consent receipt will be appended on approveApprove & AuthenticateCancel

why it matters

Every app you use is built to collect your data.

The modern internet runs on a quiet trade: you get an app, the company gets your data — and your data is worth far more to them, over time, than the app is to you. Privacy laws let you ask for it back. They don't stop it being collected, and they don't stop it leaking.

Collected by default

Sign up, and the meter starts. Apps gather everything they can reach — most of it you never knowingly handed over.

Stored out of reach

Your data lives on servers you don't control, copied to partners you can't see and can't audit.

Breached eventually

When the leak comes — and it does — you carry the cost for years. The company carries a one-off fine.

PrivyDB starts from the opposite question: what if your data never had to leave your device in the first place? Two shifts finally make that possible: AI good enough to run on your own phone, and a device that can guard the keys to your data with your fingerprint — no password, and no company account in the middle.

01 · encrypted on device

Your records are stored on your device. Only your biometric unlocks them.

Each area — finance, health, calendar — gets its own encryption key, held on your device. We never see your data. We never see your keys.

02 · the boundary verifies

Every request is checked before it ever touches a record.

Each app request is validated, permission-checked, and shown to you first. The vault is an active gatekeeper, not a passive pipe.

03 · no master key

No master key. No lock-in.

No master account, no admin override, no back door we could be compelled to open. Your keys stay on your device and your data is fully portable — yours to pick up and take with you at any time.

how it works

Three steps. One boundary.

The vault holds your records, runs the computation, and shows you the result inside a window the app can't see into — so your raw data never has to leave your device at all.

01

Import

Drop in a CSV from your bank, a calendar file, a workout export. The vault sorts it into the right area, encrypts it, and indexes it — all on your device. Nothing uploads.

02

Compute

An app opens a small window served by your vault and asks a question — "what was my 30-day spend?" Your vault unlocks the data and works out the answer, right here on your device.

03

Display

The answer is drawn inside that window — a sealed frame the app can place in its page but cannot read into. You see the result; the app can't, and your raw records never leave. Every access is written to a tamper-evident receipt log that's yours to review.

the boundary, in one picture

your data never crosses

THE BOUNDARYAPPfinance-coach.aia budgeting app you useVAULTon your devicedecrypts · computes1231A question goes in — checked, then allowed.2A sealed result comes back — only you can read it.3Your raw records never cross the boundary.

the ethics

Seven rules. No fine print.

These are non-negotiable. When a design decision trades one of these against convenience, feature count, or velocity, the principle wins. The architecture is built so that these aren't promises — they're properties.

  1. 01

    You own your data.

    Physically, on your device. Cryptographically, with keys only you hold. If you stop trusting us, you can leave with everything.

  2. 02

    No raw data leaves without informed consent.

    Every release is approved by you, bounded, and logged. You see what was accessed, what is being shared, and with whom — in plain terms, before anything crosses out.

  3. 03

    Flexible, not prescriptive.

    Store any data you choose, organised the way you choose. Apps ask open-ended questions — not from a fixed menu of canned commands.

  4. 04

    The boundary verifies, it does not trust.

    Every incoming request is treated as hostile until proven safe — validated, permission-checked, and sanitised before it touches a single decrypted byte.

  5. 05

    Authentication is biometric and device-native.

    No passwords. No email verification flows. No security questions. Your device and your biometric are the root of trust.

  6. 06

    Trust is verifiable, not declared.

    Code integrity, consent history, and data provenance are all auditable. Every meaningful action writes a signed receipt you can check.

  7. 07

    We are not the trust root.

    No master key. No custodial recovery. No data we hold that you couldn't leave with. Our advantage is execution, not captured data.

Set up takes about 30 seconds.

About 30 seconds. One biometric. No email. No password. No account.

best on chrome, edge, or safari 17+ with a biometric sensor