Hacker News | falcon_'s comments

More implementation details for folks skimming:

- Stack: Laravel 12 + React 19 + Inertia v2 + TypeScript + MySQL/Redis.

- Encryption code lives under src/lib/crypto (happy to point to specific files).

- Import is CSV/XLS; encryption happens before upload.

- Hosting/deploy: Docker + docker-compose, includes a production compose and a Coolify template.

If anyone has experience with audits / threat modeling for E2E apps, I’d appreciate pointers on what to formalize first.


Hi HN — I’m Victor. I built Whisper Money, a personal finance tracker where your financial data is end-to-end encrypted client-side before it ever reaches the server (zero-knowledge style: the server stores ciphertext and shouldn’t see plaintext transactions/accounts/budgets).

It’s aimed at people who want to track spending/budgets without giving a SaaS provider access to raw financial data. There are no bank connections and no AI processing — you can import transactions via CSV/XLS and everything is encrypted locally before upload/sync.

You can self-host it via Docker/docker-compose: https://github.com/whisper-money/whisper-money

There’s also a hosted version at https://whisper.money (paid).

Source is available under CC BY-NC 4.0 (non-commercial).

What I’d love feedback on from the HN crowd:

- Threat model review: what am I missing in the E2EE/“zero-knowledge” claims?

- Backup/restore expectations when encryption keys live only on clients

- What features you’d require before trusting it for real finances (e.g., OIDC/SSO, 2FA, audit logs, export formats)

Happy to answer technical questions about the architecture and encryption flow.


Looks promising, but what does it actually do? Could you share some screenshots of the actual product?


There are some screenshots on the landing page: https://whisper.money/


You have to manually upload all your balances? Or how does it work? Wouldn't keeping it up to date be a hassle?


Because of privacy, there is no direct connection with banks.

You can upload all your transactions and balances with a single CSV/XLS file that you get from your bank. It takes seconds.


MetricsWave is a web analytics solution designed to help you understand and improve your online presence. With intuitive dashboards and real-time insights, you can track visitors, monitor trends, and make data-driven decisions—all without relying on third-party services.


After a few months working on MetricsWave, I recently discovered that some blacklisting lists are including my site domain, not the tracking script, but my landing page domain.


> What he replied is that he couldn't block the script alone if he was serving it from the same domain, so I proposed to move it to a subdomain, and he was fine with that. I have been lucky.

Doubly so, since hosting the tracking script on the same domain as your website was a decision that was inevitably going to come back to haunt you at some point.


You can find me at @victoor (Spanish) or @falcon_maker (English).


This is the easiest way to receive feedback from your users. No SMTP, no emails, no nothing. Just a single line of code.


And what could be a killer feature?


Unfortunately, I probably couldn't tell you, sorry.


Hey Hacker News community, I'm curious to know your thoughts on whether open-source code is crucial for a privacy-focused personal finance app.

As someone who values privacy and security, I've been working on Monse, a privacy-friendly and automated personal finance application.

While Monse does an excellent job of keeping my data private, I wonder if open-sourcing their code would bring even more value to the platform.

So, what do you think? As a community, do you value open-source code in a privacy-focused personal finance app like Monse?

I'm interested in hearing your thoughts.


I am tired of all the applications to manage my expenses and income that are selling my financial data or offering me credit cards or loans. That's why I created this.

