Security
Security, explained.
The short version: your financial data never leaves your computer. We couldn’t hand it over if subpoenaed, sold, or breached — because we don’t have it. Everything below is the architecture that makes that true.
Last updated: May 26, 2026
Local-first is the foundation
Every transaction, balance, holding, account name, and budget category lives in plain
files on your computer — by default at %LocalAppData%/GlidePath Money/.
The desktop app reads and writes those files directly. There is no central server
with a copy. No aggregator with credentials. No cloud database mirroring your data.
This is the deliberate cost and benefit of local-first: you carry the responsibility of backing up your DataFolder, and in exchange you carry the freedom of knowing exactly where your data is and who can see it. (Nobody but you.)
What’s encrypted, and how
| Surface | Protection | Why |
|---|---|---|
| License file on your disk | Encrypted with Windows DPAPI (per-machine, per-user) | License credentials can’t be lifted from your disk by another user on the same machine or by a stolen drive |
| App lock password (if enabled) | Argon2id-hashed; DPAPI-encrypted at rest | Argon2id is the modern KDF (memory-hard, resistant to GPU/ASIC cracking); DPAPI binds the hash to your Windows account |
| Tunnel traffic (phone access via your subdomain) | TLS to Cloudflare’s edge, then encrypted tunnel back to your PC; decrypted only on your PC | Cloudflare sees encrypted traffic in transit. The decrypted contents of the tunnel are never readable by Cloudflare or by us. |
| Browser-extension uploads (bank CSVs) | HTTPS direct from your browser to your PC’s loopback (or your tunnel, if you initiated from your phone) | The bank CSV is captured by the extension on your machine and posted straight to your local app; it doesn’t go through our servers |
| Customer record (license key, email, subdomain, Cloudflare IDs) | Stored in Cloudflare D1 with access scoped to our provisioning Worker | The minimum needed to issue and revoke your license + clean up your private subdomain when you cancel |
App lock
The app supports an optional password lock with auto-lock on idle. Set in
License > Lock. The password is hashed with Argon2id (memory cost,
time cost, and parallelism tuned for desktop hardware) and the resulting hash is
DPAPI-encrypted on your disk. Auto-lock kicks in after a configurable idle period; a
background heartbeat from active sessions keeps you signed in while you’re using
the app.
The Glide AI helper is sandboxed from your data
Glide AI is an optional Q&A panel powered by Claude Haiku (Anthropic). When you ask Glide a question, the request goes to our Worker proxy, which forwards it to Anthropic. We send Anthropic your question text and minimal context (the page you’re on, the current section). We do not send your transactions, balances, holdings, or any data from your DataFolder — the data isn’t available to the Worker; it lives on your computer.
Anthropic processes commercial API traffic per their privacy commitments and does not train on it. See the subprocessors page for full data flow details.
Holdings price refresh
When you refresh prices on the Holdings page, we proxy the lookup through a Cloudflare Worker we run. The Worker calls Yahoo Finance with the ticker symbols you hold and returns the prices. The benefit: Yahoo never sees your IP address, and you don’t need to install any third-party SDK. Only ticker symbols leave your box — never quantities, account names, or your identity.
Backups are your responsibility
Because your data is on your PC and not in our cloud, you carry backup responsibility. The app ships with an opt-in local auto-backup to a folder you choose; you should also keep an external or cloud backup of your DataFolder (any cloud sync tool you already use works — Dropbox, OneDrive, iCloud, a NAS, etc.). If your PC fails, your data goes with it; we don’t have a copy.
Open-source dependencies and update cadence
GlidePath Money is built on a small, audited set of open-source libraries: ClosedXML, CsvHelper, Argon2 (Konscious), Markdig, PdfPig, and the standard .NET runtime. Full list at /third-party-notices. Library updates ship with each app update during your maintenance window; we monitor disclosed CVEs and patch promptly when one affects a library we use.
Vulnerability disclosure
Found something? Please email security@glidepathmoney.com. We aim to acknowledge reports within two business days and to publish a fix or a remediation plan within 30 days for confirmed issues (longer for complex problems, with regular updates). We do not currently run a paid bug bounty program, but we will publicly credit researchers who report meaningful issues. See /.well-known/security.txt for the machine-readable disclosure policy.
What this page doesn’t cover
This is an overview, not a complete threat model. We do not publish penetration-test reports; we do not hold SOC 2 or ISO 27001 attestations (those frameworks are designed for enterprises that hold customer data — we don’t). For specific security questions before purchase, email security@glidepathmoney.com and we will answer directly.
Related pages
- Privacy Policy — what we do and don’t collect
- Subprocessors — vendors we use and what they touch
- Third-Party Notices — open-source attributions
- security.txt — machine-readable disclosure policy