The short version
- We never connect to your bank. ACMAN does not ask for your banking credentials — not even through third-party aggregators.
- Your movements are encrypted per user with AES-256-GCM. Date, concept, amount and category are stored encrypted.
- Concept classification runs without external AI. Your spending descriptions are never sent to any AI provider.
- Community statistics are anonymous, aggregated and opt-in.
1. No bank connection, by design
Most finance apps connect to your bank through aggregators, which means your account credentials or access tokens pass through additional infrastructure. ACMAN works differently: you download your statement from your bank and upload the file (CSV or Excel). Your banking credentials never touch our servers because we never ask for them. There is nothing to leak.
2. Per-user encryption at rest
Every movement you import is encrypted before being stored: date, concept, amount and category are encrypted with AES-256-GCM (an authenticated encryption mode that also detects tampering), using a key derived per user(PBKDF2-HMAC). This means a hypothetical attacker with database access would see only ciphertext, and data from one user cannot be decrypted with another user's key.
Passwords are hashed with bcrypt — never stored in plain text, not even encrypted: hashed, which is irreversible.
3. Classification without external AI
ACMAN auto-classifies your spending concepts using lexical similarity algorithms (Jaccard and Dice coefficients) computed in the application itself. Your concepts are not sent to OpenAI, Google or any other AI provider. The community concept suggestions are built from anonymous, aggregated contributions.
4. Anonymous community, opt-in
The Community feature (comparisons, statistics) is disabled by default. If you enable it, your data is aggregated anonymously and irreversibly: other users see averages and percentages of groups, never individual movements, names or exact amounts tied to you. You can disable it at any time.
5. In transit
All communication between your browser and ACMAN travels over HTTPS (TLS). Sessions use signed JWT tokens with a 24-hour expiry.
6. Your data is yours (GDPR)
- Portability: you can export all your movements from your profile at any time.
- Erasure: deleting your account removes your data.
- Access and rectification: write to team@acman.app.
Full details in our Privacy Policy.
7. Found a vulnerability?
Write to team@acman.app with the details. We take every report seriously and will respond as quickly as possible.