Stefan Neculai

Why Privacy Matters for Your Financial Planning and How We Do It at Segmio

If there is one thing not worth compromising on, it is your financial data, and everything it reveals about what you plan to do with your money. It deserves real care, and it should never land in the wrong hands.

And by “wrong hands” we do not only mean an attacker, though that is one of the worst outcomes. We mean anyone who takes that data, or a fingerprint of it, and uses it for their own benefit instead of yours. Someone who profiles you to sell you a product, the way many social networks already do and some AI companies have recently started to. Someone who packages your behavior into a dataset. Someone who decides what offers you see because they know what you earn, what you owe, and what you are saving for. Your net worth and your plans are some of the most revealing things about you. They say where you have been, where you are, and where you are trying to go.

This is not a feature we added. It is one of the core values Segmio is built around, and it is the same foundation under every spreadsheet template we make at FinancialAha.

Why most financial tools struggle with this

A lot of personal finance tools are free or close to free, and that means your data is their business. The tool connects to your bank accounts, watches every transaction, and the value it sends back upstream is a detailed picture of your financial life: what you like, where you live, where you go on holiday, and the list goes on. That picture gets used to recommend credit cards, loans, and investment products the tool earns a referral on.

At Segmio we do not want to be part of that model, the one that treats people as numbers instead of trying to give them something genuinely useful. If the way a company makes money depends on knowing your finances, then your privacy and the company’s incentives pull in opposite directions. We are not designing our products around that tension, and we have made that choice from day one, in every decision we take.

Where this started: a file on your own computer

Before Segmio was an app, our financial planning lived in spreadsheets we had been refining since 2018. When we started sharing them through FinancialAha, we kept the thing that turned out to matter the most: a spreadsheet is a file that lives on your computer.

There is no account to create. No cloud to sync to. No connection to your bank. We do not see your numbers, because they never reach us. You buy the template once, you open it, and your data stays with you. Privacy here is not a policy we ask you to trust. It is just where the file is. Yes, you enter the data by hand and nothing syncs automatically. In return, nothing about your money ever leaves your machine, and the few minutes it takes each month are minutes spent actually looking at your finances.

That is the purest version of the value, and it set the bar for everything else. We’ve been evolving Segmio around this question: how much of that can we keep when the tool is no longer a static file but an app that calculates projections, models scenarios, and updates as your life changes?

Translating that value into an app

An app cannot work exactly like a spreadsheet, and it earns its place by doing what a spreadsheet cannot. Projections, scenario modeling, and a history of your net worth over time need computation and storage that a single file cannot do well. To get past what a spreadsheet can do, we had to make a few compromises, and we kept asking the same question about each one: would I trust an app that does this?

Everything stays on one network. Segmio runs on a single infrastructure provider. Your data is not passed through a chain of analytics companies, ad networks, or data brokers. There is no resale pipeline because there is nowhere for the data to go. We chose Cloudflare for this, because it provides all the infrastructure we need in one place and has, so far, been a reasonable ally on privacy.

The AI never sees your full financial picture, and it is never run by an outside company. Segmio uses AI to turn “what if I take a year off in 2028” into a real projection. That AI runs inside the same network as the rest of the app. We deliberately chose not to route your finances through an external AI provider, even though that would have been easier and faster to get the product live. And when Segmio’s AI reasons about your situation, it works from an abstracted profile built fresh each time: ranges and categories, not your account names or exact balances. Enough to model a scenario, not enough to identify you.
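To make the “ranges and categories, not account names or exact balances” idea concrete, here is an added example of how such an abstracted profile can be built and checked before it is handed to a model. It is illustration written for this article, not Segmio’s code: the workspace fields, the band edges and the `leaks` guard are all assumptions, and the sample workspace is constructed data. The guard is the part worth copying: it fails closed if any account name or exact amount survives into the payload.

```python
import json
import math

# Constructed sample workspace (illustrative, not real customer data). The account
# names and exact balances are the fields that must not reach the model.
SAMPLE_WORKSPACE = {
    "accounts": [
        {"name": "Everyday Checking ...4417", "kind": "cash", "balance": 4200.50},
        {"name": "Brokerage (index funds)", "kind": "investment", "balance": 61000.00},
        {"name": "Mortgage, 12 Elm St", "kind": "liability", "balance": -215000.00},
    ],
    "monthly_income": 7800.00,
    "monthly_expenses": 5100.00,
    "birth_year": 1988,
    "target_retirement_age": 60,
    "scenario": "what if I take a year off in 2028",
}

# Band edges are assumptions for this example; a real product would tune them.
MONEY_EDGES = [0, 10_000, 25_000, 100_000, 500_000]
MONEY_LABELS = ["negative", "under_10k", "10k_to_25k", "25k_to_100k", "100k_to_500k", "over_500k"]
RATIO_EDGES = [0.5, 1, 2, 5]
RATIO_LABELS = ["under_0.5x", "0.5x_to_1x", "1x_to_2x", "2x_to_5x", "over_5x"]
PCT_EDGES = [0, 10, 30, 50]
PCT_LABELS = ["negative", "under_10_pct", "10_to_30_pct", "30_to_50_pct", "over_50_pct"]
YEAR_EDGES = [5, 10, 20, 30]
YEAR_LABELS = ["under_5_years", "5_to_10_years", "10_to_20_years", "20_to_30_years", "over_30_years"]


def band(value, edges, labels):
    """Map a number to the first label whose upper edge it falls below; the last
    label is open-ended. len(labels) must be len(edges) + 1."""
    for edge, label in zip(edges, labels):
        if value < edge:
            return label
    return labels[-1]


def abstract_profile(workspace, as_of_year):
    """Build the payload the model receives: totals per account kind turned into
    bands, plus derived ratios. No account names, no exact amounts."""
    totals = {}
    for acct in workspace["accounts"]:
        totals[acct["kind"]] = totals.get(acct["kind"], 0.0) + acct["balance"]
    cash = totals.get("cash", 0.0)
    investments = totals.get("investment", 0.0)
    debt = -totals.get("liability", 0.0)          # liabilities are stored negative
    income = workspace["monthly_income"]
    annual_income = 12 * income
    surplus = income - workspace["monthly_expenses"]
    years_left = workspace["birth_year"] + workspace["target_retirement_age"] - as_of_year
    debt_ratio = debt / annual_income if annual_income > 0 else math.inf
    savings_pct = 100 * surplus / income if income > 0 else -math.inf
    return {
        "net_worth": band(cash + investments - debt, MONEY_EDGES, MONEY_LABELS),
        "liquid_cash": band(cash, MONEY_EDGES, MONEY_LABELS),
        "investments": band(investments, MONEY_EDGES, MONEY_LABELS),
        "debt_to_annual_income": band(debt_ratio, RATIO_EDGES, RATIO_LABELS),
        "savings_rate": band(savings_pct, PCT_EDGES, PCT_LABELS),
        "years_to_retirement": band(years_left, YEAR_EDGES, YEAR_LABELS),
        "account_kinds": sorted(totals),
        "scenario": workspace["scenario"],
    }


def raw_values(workspace):
    """Every literal the model must not receive: account names and exact amounts."""
    raw = set()
    for acct in workspace["accounts"]:
        raw.add(acct["name"])
        raw.add(str(abs(acct["balance"])))
    for key in ("monthly_income", "monthly_expenses"):
        raw.add(str(workspace[key]))
    return raw


def leaks(profile, workspace):
    """Guard to run before the payload leaves the app: the raw values found
    verbatim inside it. An empty list means the profile carries none of them."""
    payload = json.dumps(profile)
    return sorted(v for v in raw_values(workspace) if v in payload)


if __name__ == "__main__":
    profile = abstract_profile(SAMPLE_WORKSPACE, as_of_year=2026)
    print(json.dumps(profile, indent=2))
    print("leaked raw values:", leaks(profile, SAMPLE_WORKSPACE))
```

The scenario text itself still goes to the model, because that is what it has to interpret; what is withheld is everything that would let the output be joined back to a person. Bands are deliberately coarse, and the `leaks` check is a cheap regression test that catches the day someone adds a “helpful” field with a real balance in it.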

The AI learns from synthetic data, not from you. We trained our model on generated examples, not real customer finances. Any improvement from real usage is opt-in, not the default.

No bank connection by default. Segmio does not link to your bank accounts to pull a live transaction feed. You decide what to enter. The most sensitive raw stream of data simply never enters the system unless you choose a path that requires it.

Our revenue is the product, not your data. People pay for Segmio, and that is the entire business model. There are no ads, no referral kickbacks for steering you toward a loan, no dataset on the side. When the thing you pay for is the tool, the incentive is to make the tool as good as it can be for the people using it, not to learn more about you. You pay us to keep your data private, and we will protect it as well as we can while building something genuinely useful.

Our initial debate about how to protect data in the cloud

In the early days of building Segmio we went through every realistic, technically possible way to encrypt financial data and looked hard at the drawbacks of every single one. None of them is free, and the word “encrypted” that many financial planning apps put on their website hides which trade-off they quietly made. Here is our honest read of each option, with its ups and downs.

End-to-end encryption, where only you hold the key. Your data is encrypted on your device with a key derived from your password, and the server only ever stores ciphertext it cannot open. This is the strongest guarantee on the list: a breach of the server exposes nothing readable, and we could not look even if we were compelled to. It also breaks the actual job. Projections, scenario modeling, and a net worth history that updates over time all need the data to be computed on, and a server that holds only ciphertext can run none of it. On top of that, lose your password and you lose your data for good, planning with a partner or an advisor becomes a hard key-sharing problem, and the guarantee is only as strong as the password the key is derived from and the client code that does the encrypting, which for a web app is served by the same company you are trying not to have to trust.

Field-level encryption, where we hold the keys. Here the sensitive columns sit encrypted in the database and the application decrypts them only when it needs them. That genuinely shuts the door on a stolen database file, a leaked backup, or a database export that reaches someone who has no application keys. What it does not solve is the running service itself: it still decrypts everything to do its work, so anyone who compromises it, or the key it holds, sees plaintext anyway, and encrypted columns can no longer be queried, sorted or aggregated in the database, which is exactly what fast projections rely on. Set against a provider that already encrypts storage, like Cloudflare, what this adds is narrower than the word suggests: protection for copies of the data that leave the storage layer, not protection from the application.

Computing on encrypted data without decrypting it. Homomorphic and property-preserving encryption promise math on ciphertext, which in theory would let us run the numbers without ever seeing them. In practice the variants fast enough to ship leak structure and weaken the very guarantee that is the point, and the ones that hold up are far too slow for the kind of modeling Segmio does and the speed people expect from it. For this workload it is not a real option today.

Per-user keys in a managed key service. Each workspace gets its own keys, rotated and audited centrally, which shrinks the blast radius and leaves a clear trail of what was accessed and when. It does not change the fundamental thing, though: the service still decrypts to compute, so this is hardening, not a promise that we cannot read your data. You would still be trusting us to do exactly what we say and nothing more. Worth doing, and we do think it is worth doing, but it is not zero-knowledge and we will not dress it up as if it were.

Provider encryption at rest, plus encrypted transport. The database is encrypted at the storage layer and every connection is encrypted in transit. This is the one that defends against storage-layer exposure, a stolen or retired disk, a snapshot or backup that carries the same encryption, with no password-recovery trap for you, while keeping the data computable, which is the only reason the projections, the scenario AI, and shared planning can work at all. The honest cost is plain: the service can read your data, because it has to in order to compute on it. It protects you against exposure of the stored bytes, not against a compromised application layer or stolen credentials, which is why access controls and the single-network design carry the rest of the weight.

The pattern across all of this is the same: the stronger the cryptographic guarantee, the less a financial planning tool can actually do for you, up to the point where it does nothing. We chose the last option deliberately, paired with the single-network design and the data choices above, and we would rather explain that trade-off than hide behind the word “encrypted.” We believe a good company is built on a relationship of trust between the company and the people who use what it makes.
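The trade-offs above are easier to see in running code than in prose. The following is an added example written for this article, not Segmio’s implementation, and it serves the end-to-end, field-level and property-preserving options at once: a client that derives a key from a password and hands the server only ciphertext, a server that can still count equal values when encryption is deterministic, a wrong password that makes the data unrecoverable, and the server-held-key variant where the process doing the projection necessarily sees every balance. The sample balances and the fixed salt are constructed for reproducibility. The cipher is an illustrative HMAC-based construction so the block runs on the Python standard library alone; a real product would use AES-GCM or ChaCha20-Poly1305 from a vetted library, and a far higher PBKDF2 cost or Argon2.

```python
import hashlib
import hmac
import os
import struct
from collections import Counter

# Constructed sample workspace (illustrative, not real data). Two accounts share a
# balance on purpose, to show what deterministic encryption gives away.
SAMPLE_BALANCES = {
    "Checking": 4200.50,
    "Savings": 15000.00,
    "Emergency fund": 15000.00,
    "Mortgage": -215000.00,
}
# Fixed salt so the example is reproducible; a real client draws it with os.urandom.
SAMPLE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_key(password, salt):
    """Password -> 32-byte key with PBKDF2-HMAC-SHA256 (stdlib). The iteration
    count is kept low so the example runs fast; production uses far more, or Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000, dklen=32)


# Illustrative authenticated encryption built only from HMAC-SHA256 so this runs
# without third-party packages: HMAC in counter mode as the keystream, a second
# HMAC as the tag. A real product uses AES-GCM or ChaCha20-Poly1305.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _seal(key, nonce, plaintext):
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def encrypt_randomized(key, plaintext):
    """Fresh random nonce per call: equal plaintexts give unrelated ciphertexts."""
    return _seal(key, os.urandom(16), plaintext)


def encrypt_deterministic(key, plaintext):
    """Nonce derived from the plaintext (SIV-style): equal plaintexts give equal
    ciphertexts. That is what makes equality lookups possible, and what leaks."""
    enc_key, _ = _subkeys(key)
    nonce = hmac.new(enc_key, b"siv" + plaintext, hashlib.sha256).digest()[:16]
    return _seal(key, nonce, plaintext)


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_encrypt_workspace(password, salt, balances, deterministic=False):
    """End-to-end model: the key exists only on the client, and the server is
    handed ciphertext it cannot open."""
    key = derive_key(password, salt)
    enc = encrypt_deterministic if deterministic else encrypt_randomized
    return {name: enc(key, struct.pack(">d", bal)) for name, bal in balances.items()}


def client_recover(password, salt, rows):
    """Only the password holder gets the numbers back; a wrong password fails
    authentication, and there is no recovery path."""
    key = derive_key(password, salt)
    return {name: struct.unpack(">d", decrypt(key, blob))[0] for name, blob in rows.items()}


def server_equality_groups(rows):
    """What a server with no key can still learn: sizes of the groups of equal
    stored values, largest first. Randomized encryption makes every group 1."""
    return sorted(Counter(rows.values()).values(), reverse=True)


def server_project(key, rows, annual_growth, years):
    """Server-held-key model (field-level encryption or a managed key service):
    the service decrypts, sums and compounds, so the process doing the maths
    holds every balance in plaintext while it runs."""
    total = sum(struct.unpack(">d", decrypt(key, blob))[0] for blob in rows.values())
    return round(total * (1 + annual_growth) ** years, 2)


if __name__ == "__main__":
    rows = client_encrypt_workspace("correct horse", SAMPLE_SALT, SAMPLE_BALANCES)
    det = client_encrypt_workspace("correct horse", SAMPLE_SALT, SAMPLE_BALANCES, deterministic=True)
    print("randomized, groups visible to server:", server_equality_groups(rows))
    print("deterministic, groups visible to server:", server_equality_groups(det))
    print("server projection with held key:",
          server_project(derive_key("correct horse", SAMPLE_SALT), rows, 0.05, 2))
```

Read the four functions at the bottom as the four corners of the trade-off. `client_recover` with the wrong password is the password-recovery trap; `server_equality_groups` on deterministic rows is the structure leak that fast property-preserving schemes carry; and `server_project` only works because `key` is in the server’s hands, which is the whole reason the page does not call that option zero-knowledge.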

What privacy here is not

Segmio is not end-to-end encrypted, and we do not claim to be a system where we could never read your data. The calculations and projections that make Segmio useful run on the server, which means the server works with your data to produce them. What protects it is encryption in transit, encryption at rest, strict access controls, and the single-network design above. It is not a mathematical guarantee that no one at Segmio could ever look. We would rather tell you that plainly than imply a property we do not have.

There is also a detail worth knowing if you plan with a partner or an advisor. In Segmio, data belongs to a shared workspace. If you invite a partner or a financial advisor in, they see the financial picture in that workspace by design. That is the point of collaboration, but it is your decision to open it, and worth being deliberate about.

The version we want for people who trust no server

We know that, for some of you, the honest answer above is still not good enough. If a server can read your data at all, you would rather it never reach a server in the first place. We understand that completely. It is the same instinct that made the spreadsheet feel right in the first place.

So the direction we believe in, and want to be clear it is a direction rather than a dated promise, is a version of Segmio that runs entirely on your own computer. No cloud, no account, nothing to reach us. By its nature it would be more limited: shared workspaces, partner access, and advisor collaboration only make sense when something is shared, so a fully local version would not have them. The trade is deliberate. You give up collaboration and you get an app where the data simply never leaves your machine.

Think of it as the spreadsheet idea taken further: a file that stays with you, but with the projections and scenario modeling a spreadsheet cannot do well. We are not announcing a date or mechanics we have not built. We are telling you which way we want to go, because a privacy value you only honor when it is convenient is not a value.

Why we hold this line

Financial planning only works if you are honest in it. You cannot model where you are going if you are hedging what you put in because you are unsure who else is reading. The whole value of a tool like this depends on you being able to write down the real numbers and the real plans.

That only happens if you trust that the data, and what it says about your intentions, is not being used by anyone for anything other than helping you. Keeping that true is not a marketing position for us. It is the reason the spreadsheet stays on your computer, the reason the AI runs where it does, and the reason we sell a product instead of the people who use it.


Privacy is not a feature on the page. It is the architecture, the business model, and the reason the rest of it is worth building.