Kontoo

Verify it yourself

Don't trust us — check it

Most apps ask you to believe their privacy promises. Kontoo lets you prove them. Everything below is something you can verify on your own device, with tools you already have — your browser, a text editor, a few lines of standard code. No account, no inside knowledge required. If any of this didn't hold, you'd see it immediately.

1. "No external requests" — watch the network tab

The strongest privacy claim is also the easiest to check: while you use Kontoo, nothing about your finances leaves your device. You can see this directly.

  1. Open web.kontoo.app in your browser.
  2. Open the developer tools (F12 or right-click → "Inspect") and switch to the Network tab.
  3. Use the app: create a household, add income and expenses, switch tabs.
  4. Watch the request list. You'll see the app's own files load once (HTML, JS, CSS, fonts — all from kontoo.app), and after that no requests carrying your data go anywhere. There is no analytics ping, no tracker, no "phone home".

The one honest exception: if you turn on the optional encrypted device sync (Settings → Device sync), the app talks to the sync server you configured — and even then it only ever sends ciphertext (see section 3). Ads, when shown, load only after you consent via the cookie banner and appear only on the marketing/knowledge pages and in the free app, never on this page. Leave sync off and the app makes no network requests at all after the initial load.

2. The Content-Security-Policy — read it per page

A network tab shows what did happen; the Content-Security-Policy (CSP) is the browser-enforced rule for what's even allowed to happen. Kontoo sets a CSP as a <meta> tag in every page — view the page source (Ctrl+U) and read the Content-Security-Policy line yourself. It differs by host, and we want to be precise rather than flattering:

Page | connect-src (outbound connections) | What it means
This site & the tools (kontoo.app) | connect-src 'none' | The browser blocks every outbound connection. The calculators and content pages literally cannot call home.
The app (web.kontoo.app) | connect-src 'self' https: | Here we're honest: the policy does allow HTTPS connections. That is only so the optional end-to-end-encrypted sync can reach the server you enter. Nothing in the app initiates a connection unless you set up sync — verifiable in section 1.

We call this out deliberately: it would be easy to write "the app allows no connections", but that would be false. The accurate statement is: the app's CSP permits HTTPS, and the only feature that uses it is the sync you opt into. The marketing and tool pages, by contrast, allow nothing — you can confirm both policies in the page source.
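To make the two checks above mechanical, here is an added example (not Kontoo's code) that evaluates a CSP connect-src directive the way a browser does and audits a list of request URLs copied from the network tab against it. Only the two connect-src values come from this page; the full policy strings, the URLs and the function names are constructed for the example.

```javascript
// Added example, not Kontoo's code: a small evaluator for the CSP connect-src
// directive. Supports 'none', 'self', '*', scheme sources (https:) and host
// sources (example.com, *.example.com, with optional scheme and port). Only
// the connect-src values come from the page; the rest of each policy string
// is constructed so the example runs stand-alone.
const SITE_CSP = "default-src 'self'; connect-src 'none'";        // kontoo.app
const APP_CSP = "default-src 'self'; connect-src 'self' https:";  // web.kontoo.app
const DEFAULT_PORT = { 'https:': '443', 'wss:': '443', 'http:': '80', 'ws:': '80' };

// Parse "name src src; name src" into a Map of directive name -> source list.
// A directive that appears twice keeps its first occurrence, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression allow a connection from `page` to `target` (URL objects)?
function sourceMatches(source, page, target) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;  // scheme-source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;                                               // unsupported form
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  return hostOk && (!port || port === '*' || port === targetPort);
}

// True if the policy lets a page at pageUrl open a connection to targetUrl.
// connect-src falls back to default-src; no applicable directive means allow.
function connectAllowed(policy, pageUrl, targetUrl) {
  const d = parseCsp(policy);
  const sources = d.get('connect-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some((src) => sourceMatches(src, page, target));
}

// Audit observed request URLs and return those the policy would have blocked.
function blockedRequests(policy, pageUrl, urls) {
  return urls.filter((u) => !connectAllowed(policy, pageUrl, u));
}
```

Paste the connect-src line from the page source into the policy string and the request URLs from the network tab into `blockedRequests`; anything the function returns is a request the browser would have refused, so seeing it in the network tab means the policy was not applied.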

3. Zero-knowledge sync — the server only ever sees ciphertext

If you enable device sync, here's exactly what the server receives — and why it can't read a thing. This is the same crypto as the encrypted backup file, fully documented on the data-format page.

  1. Your data is encrypted on your device before anything is sent: PBKDF2-SHA-256 (600,000 iterations) derives a key from your passphrase, then AES-256-GCM encrypts the household. The server never sees the passphrase or the key.
  2. The blob is stored under an ID derived from your passphrase — a separate PBKDF2 hash. The server knows neither your name, nor an account, nor how to guess the ID.
  3. What the server actually stores is just this envelope — no plaintext whatsoever:
{ "ts": <timestamp>,
  "env": { "format": "hbk1", "iter": 600000,
           "salt": "<Base64>", "iv": "<Base64>", "ct": "<Base64>" } }

The whole sync server is a ~100-line Cloudflare Worker that does nothing but store and hand back that ciphertext blob by its ID. It has no database of users, no login, no way to read the content. You can run your own copy in about five minutes — then not even we are in the loop.

Best of all, you can decrypt your own data yourself, entirely without Kontoo, in any browser or in Node.js. The data-format page shows the exact ~8 lines of standard WebCrypto that turn an hbk1 envelope back into your readable JSON. If you can decrypt it and the server can't, the "zero-knowledge" claim isn't marketing — it's math you can run.

4. No lock-in — your data is readable without us

Verifiability wouldn't mean much if you were still trapped. You're not. Kontoo exports your household as plain JSON (any text editor), as CSV (any spreadsheet), or as an encrypted .hbk backup — and every one of those formats is openly documented so you (or any tool) can read it forever. See the full schema, the CSV columns and the decryption recipe on the data-format page. Even if Kontoo disappeared tomorrow, you could still open everything.

The short version: open the network tab (nothing leaks), read the CSP (the site blocks all connections; the app allows HTTPS only for the sync you choose), and decrypt your own backup (the server can't). Privacy you can check beats privacy you're asked to believe.

This page describes how Kontoo works and how to verify it. If anything here stops matching what you observe, that's a bug — please tell us.


Kontoo only does the maths – no tax or financial advice. Your data stays on your device.