Privacy Policy
Effective: March 24, 2026
The Short Version
Nemorith does not collect your data. Not some of it. None of it. There is no account to create, no email to enter, no usage data being sent anywhere. Your financial information stays on your device, encrypted, under your control. That is the entire privacy model.
Who We Are
Nemorith is developed and maintained by the Ninth Star Foundation. The source code is publicly available under the AGPL-3.0 license at codeberg.org/NinthStarFoundation/nemorith. Anyone can audit how the application works.
Data We Collect
None. Nemorith has no user accounts, no registration, no sign-up forms, no email collection, and no analytics. We do not know who uses the application, how many people use it, or what they do with it. That is by design.
Data Storage
All data you enter into Nemorith is stored locally on your device. On mobile, this uses the application's sandboxed storage. On the web version, this uses your browser's localStorage and IndexedDB.
Important distinction: the web version stores data in your browser, which is inherently less secure than the mobile app's sandboxed storage. If you clear your browser data, your Nemorith data goes with it. If someone has access to your browser, they could potentially access your stored data before the app's own encryption layer. For sensitive financial data, the mobile app provides stronger device-level isolation.
Documents stored in the encrypted vault use AES-256-GCM encryption. Encrypted backups use password-based key derivation with Argon2id. We cannot access, read, or recover your data or your encryption passwords.
Telemetry and Analytics
Nemorith contains zero telemetry. Zero analytics. Zero crash reporting. Zero usage tracking. Nothing is phoned home. The application does not make network requests unless you explicitly initiate one of the features described below.
Network Connections
Nemorith is offline-first. It works without any internet connection. The following features make network requests only when you choose to use them:
Market Data
When you view live stock, ETF, or cryptocurrency prices, the app sends ticker symbols to api.ninthstar.org, which proxies the request to third-party market data providers (Finnhub, Alpha Vantage). Only the ticker symbol is sent. No user data, device identifiers, or financial information is included in these requests.
Bank Sync via SimpleFIN
If you choose to connect bank accounts for automatic transaction import, this is handled through SimpleFIN, a third-party service. You sign up with SimpleFIN directly, pay them directly, and provide your SimpleFIN access token to Nemorith. We have no relationship with SimpleFIN beyond supporting their protocol. SimpleFIN has its own privacy policy and terms of service. Nemorith does not receive, store, or relay your bank credentials.
Device-to-Device Sync
Nemorith syncs directly between your devices on your local network. No server needed. Devices auto-discover each other on WiFi and sync encrypted data peer-to-peer. For sync across different networks, a signaling server at api.ninthstar.org brokers the initial introduction only. The signaling server is stateless and never sees your financial data. All sync traffic is encrypted with AES-256-GCM.
Cookies and Tracking
Nemorith does not use cookies. There are no tracking pixels. There are no third-party scripts loaded. The web application loads only its own code. Google Fonts is loaded only by the landing site, not by the app itself.
Third-Party Services
The Nemorith application itself loads no third-party services. The nemorith.com marketing site loads Google Fonts for typography. The app at app.nemorith.com does not load Google Fonts or any other external resource at runtime.
Optional integrations you may choose to enable:
- SimpleFIN - for bank transaction sync (paid separately, their terms apply)
- Finnhub / Alpha Vantage - for market data, proxied through api.ninthstar.org (only ticker symbols sent)
Children
Nemorith does not collect data from anyone, including children. Since there is no data collection, there is no age-related data concern. That said, the application is a financial management tool designed for adults.
Data Retention
We retain nothing because we collect nothing. Your data lives on your device for as long as you keep it there. If you delete the app or clear your browser data, your data is gone. We cannot recover it. Encrypted backups that you export are your responsibility to store and protect.
Data Breach Notification
Since we do not collect or store user data on any server, a data breach of user financial information from our systems is not possible. The signaling server holds no data at rest. The market data proxy holds no data at rest. There is nothing to breach.
Your Rights
Under GDPR, CCPA, and similar regulations, you have rights regarding your personal data. Nemorith makes these rights trivially easy to exercise because we hold none of your data. There is nothing to request, nothing to delete, nothing to port. Your data is already entirely in your hands.
Open Source Verification
Every claim in this policy can be verified by reading the source code. Nemorith is licensed under AGPL-3.0 and the full source is available at codeberg.org/NinthStarFoundation/nemorith. If you find that the application behaves differently than what is described here, please open an issue.
Changes to This Policy
If this policy changes, the updated version will be posted here with a new effective date. The core commitment - zero data collection, zero telemetry, device-local storage - is foundational to the project and is not something we intend to change.
Contact
For questions about this privacy policy or the Nemorith project, please open an issue on our Codeberg repository.
Organization: Ninth Star Foundation