Your data never leaves your browser
CattoExpense processes everything locally. No servers, no databases, no cloud storage. Here's exactly how it works.
How Your Data Flows
You select a file
PDF, CSV, or XLSX — read by the browser's FileReader API. The file never touches any server.
Parsed in-browser
Our parser extracts transactions using JavaScript running entirely in your browser tab.
Analyzed locally
Categorization, charts, and insights are computed on your device. Zero network requests.
Gone when you close
Close the tab and all data vanishes. Nothing is stored anywhere.
Security Features
No Server, No Database
CattoExpense is a static site hosted on GitHub Pages. There is no backend server, no API, no database. We have nowhere to store your data even if we wanted to.
PII Masking for AI
When you opt into AI features, card numbers, account numbers, names, and addresses are stripped before anything leaves your browser. The AI only sees masked descriptions and aggregated totals.
Fully Stateless
No accounts, no login, no sessions, no localStorage. The app holds data only in memory while you use it. Close the tab and everything is gone.
Encrypted Export
Optionally export your analysis as an encrypted .catto file. The export uses PBKDF2 key derivation (100,000 iterations) and AES-256-GCM encryption. The file stays on your device.
Content Security Policy
Strict CSP headers block unauthorized scripts, prevent clickjacking, and restrict connections to only the AI API endpoint you opt into.
Open Source
Every claim on this page can be verified by reading the source code. No hidden tracking, no obfuscated data collection.
What We Don't Do
Architecture
Everything inside the dashed border runs in your browser. Nothing crosses the line.
This is the only network request the app ever makes — and only when you explicitly ask for AI features.
CattoExpense is open source. You can verify every claim above by reading the code yourself.