Security

Flousi is designed as a local-first finance tracker. This page explains the security model and user responsibilities.

Local-first storage

The review-safe version stores app data on your device or browser by default. Protect your device, browser profile, and device passcode because local app data may be accessible to anyone who can access your device session.

PIN lock

If you enable the app PIN, it helps reduce casual access inside the app. It is not a replacement for your device passcode, biometric lock, password manager, or bank security controls.

Optional sync status

Public Website/PWA V1 is local-first by default. If optional encrypted sync is later enabled, Flousi will provide clear in-app setup and deletion instructions. Flousi should not ask for your bank login password, card PIN, or one-time banking codes.

External services

Optional providers such as OCR, exchange rates, or market data should be used only when configured. If a provider is unavailable, Flousi should show a clear unavailable state instead of inventing data.

Responsible reports

Send security reports to [email protected]. Please do not include passwords, card PINs, or full card numbers in reports.