Privacy · Finance · June 2026

Why your financial data shouldn't live on someone else's server

Every major finance app stores your net worth, salary, account balances, and spending history on their servers. There is a better model — and it already exists inside your Google account.

The standard model: your money, their database

When you sign up for Finary, YNAB, Copilot, or Monarch Money, your financial data goes into their database. That is not a bug — it is the architecture. Their server aggregates your accounts, runs their analytics, and serves the results back to you. It works, and the apps are good.

But there is a cost beyond the subscription fee. Your net worth, your income, your debt balances, your spending by category — all of it lives on infrastructure you do not control, operated by a company whose business model depends on you staying subscribed.

Two things follow from that architecture. First, when their server is breached — and fintech data is a high-value target — your financial profile leaks. Second, if you stop paying or the company shuts down, your historical data is locked behind their export tools, in whatever format they choose to offer.

The drive.file scope: Google's smallest possible permission

Google OAuth has a permission called drive.file. It is the most restrictive Drive scope available: an app with this scope can only read and write files that it created itself. It cannot list your Drive, cannot open documents you made, cannot see anything else you have stored there.

Compass uses drive.file — and nothing else. When you connect Compass, it creates one Google Sheet in your Drive. Every transaction, every balance, every budget you enter goes into that Sheet. Compass reads it back to build the dashboard. That is the entire data flow.

There is no Compass database holding your numbers. The Sheet is in your Drive. It belongs to you.

What this means in practice

• Compass cannot be breached to expose your data — there is no Compass store to breach. The financial data never leaves your Google account.
• If Compass shuts down tomorrow, your Sheet keeps working. All the formulas, FX conversions, and FIRE projections live inside it as native spreadsheet logic. You can open it in Google Sheets and keep using it without us.
• Revoking access takes two clicks at myaccount.google.com/permissions. Or just delete the Sheet. Compass is designed so leaving is trivial — because you were never really storing data with us.
• Your encrypted OAuth token is stored on Cloudflare's infrastructure, not ours. Even that layer is encrypted: we derive the AES-GCM key from a secret that never leaves Cloudflare Workers.

The five-year math

The subscription model makes the data-centralisation cost feel free because it is bundled into the monthly fee. Run the numbers over five years:

The difference is not subtle. But the pricing gap is a downstream consequence of the architecture — not the reason for it. The reason is that a finance tracker does not need a server-side database. All the computation can happen in the browser against a Sheet the buyer already owns. No server means no server costs, no data breach surface, and no reason for a subscription.

Multi-currency, FIRE planning, AI — without sending your data anywhere

The common assumption is that rich features require a backend. Compass Pro's AI statement parsing does use our Worker — but only to call Claude on raw text you upload, not to read your Sheet. The financial data in your Sheet never goes to any AI model. The AI reads a PDF or CSV you explicitly paste in, extracts the transactions, and writes them back to your Sheet via the same drive.file path.

Multi-currency tracking across 62 currencies, FIRE projections, net worth snapshots, budget tracking — all of that runs in your browser against your Sheet. The architecture scales to everything the tracker needs without ever needing your data to leave Google's infrastructure.

Who this is for

Compass is the right tool if you care about where your financial data lives, if you are tired of paying $100–200/year for a tracker, or if you want a setup that survives any vendor going under. It is not the right tool if you need automatic bank connection syncing — that requires read access to your accounts, which requires a backend that can hold credentials. Compass does not do automatic syncing; you enter or import transactions manually or via statement upload.

That tradeoff is intentional. The privacy model and the sync model are in direct tension. Compass chose the privacy model.