Security & Privacy
How Almstins protects your data and why its architecture—not just promises—makes it safe.
The Core Promise
Almstins never connects to your wallet, never requests your private keys, and never touches your signing authority. It reads your holdings from the public blockchain by address—the same way anyone on the internet can look up what's in a wallet. The difference is that Almstins organizes that data into one place, tracks its history, and helps you verify addresses before you send funds.
This isn't a promise we make. It's an architectural constraint we built in. You can verify it yourself: Almstins has no wallet connection mechanism in the code, no signing interface, and no way to request permissions from your wallet.
What Data We Store
When you use Almstins, we store:
- Your email address — only for account login. Want maximum privacy? Use a dedicated email address that isn't tied to your real name — only that address lives in our database. You can also sign in with Google or GitHub.
- Wallet addresses you add — the blockchain addresses you own (e.g., 0x1234...). These are public data; anyone can already see what's in these addresses on the blockchain.
- Transaction history — imported from CSVs you upload (from exchanges like Coinbase, Kraken, Gemini, etc.) or read directly from the blockchain. We store the date, amount, price, and your notes about each transaction.
- Cost basis records — the price you paid for each asset, calculated from your transaction history.
- Settings and preferences — labels you create, alerts you set, and other configuration.
We do not store:
- Your private keys, seed phrases, or recovery words (we have no way to access these).
- Your payment information — Stripe handles all billing, and we never see your credit card details.
- Your real name (unless you volunteer it in notes).
- Your IP address or browsing behavior beyond standard server logs.
The Lucia Question: "If you're breached, does someone have a map of who owns what?"
Yes. If Almstins were breached, an attacker would learn which blockchain addresses you own, how much is in them, and your transaction history (dates, amounts, assets). This is sensitive financial data. But it's not the same as your private keys: the attacker can't move your funds, can't trade on your behalf, and can't sign anything.
To minimize this risk, we encrypt all sensitive data at rest (see below), and we recommend using a dedicated email address for Almstins (not your primary email) so your identity isn't automatically tied to your holdings data.
Encryption & Data Security
Encryption at rest: Sensitive data (wallet addresses, transaction history, cost basis) is encrypted in our database using industry-standard AES-256 encryption. If someone gains database access, they get ciphertext, not plaintext holdings data.
Encryption in transit: All communication between your browser and Almstins uses HTTPS/TLS 1.3. Your data is encrypted while traveling over the network.
Secure infrastructure: Almstins is hosted on Render with automatic SSL certificates, DDoS protection, and regular security updates. We don't manage our own servers.
Billing & Payment
Almstins uses Stripe to handle all billing. We never see, store, or process your credit card details. Stripe is a PCI-DSS Level 1 service provider, the highest certification level for payment security.
What we store: whether your account has a paid subscription, your subscription tier, and when your subscription renews. Stripe stores the rest (card details, billing address, etc.).
Authentication Options
You have three ways to sign in to Almstins:
- Email address (most private) — Create a dedicated email address just for Almstins — one that isn't tied to your real name. Only that address is stored in our database, and you control the password. This is the simplest way to keep your identity separate from your holdings — no technical setup.
- Google Sign-In — Google handles authentication. We receive only your email address from Google, and we never store your Google password.
- GitHub Sign-In — Sign in with an existing GitHub account. We receive only your GitHub account identifier and never store a password.
In all cases, your login credentials are never shared with third parties, and we never use them to access any external service on your behalf (like your exchange account or the blockchain).
Data Deletion & Export
Export your data: You can request a complete export of your Almstins data (transactions, addresses, notes, settings) in JSON format. Email hello@almstins.com to request it.
Delete your account: You can delete your account and all associated data at any time. Once deleted, we have no way to recover it. Deletion takes effect immediately. Email hello@almstins.com or delete it directly from your account settings.
Third-Party Services
Almstins uses a small set of external services:
- Stripe (payments) — PCI-DSS Level 1. Handles all billing and card processing. We never see your card details.
- CoinGecko (historical prices) — Public API. We request historical cryptocurrency prices; CoinGecko doesn't know which assets you own, only that we asked for a price on a given date.
- Etherscan / Snowtrace / Blockstream (blockchain data) — Public explorers. We query transaction details using your wallet addresses. These services don't know you're Almstins; they see an API request for public data.
- Google / GitHub (authentication) — Only if you sign in via these providers. They know you signed into Almstins; we know only your email or ID from them.
None of these services can access your private keys, move your funds, or see anything except the specific requests we make.
Regulatory Compliance
Almstins is a bookkeeping and verification tool, not a financial service, custodian, or investment advisor. As such, it's not regulated as a bank or money transmitter in most jurisdictions. However, we take compliance seriously:
- We follow GDPR (European privacy) and CCPA (California privacy) requirements.
- We do not knowingly serve users in countries with comprehensive sanctions (e.g., Cuba, Iran, North Korea, Syria).
- We do not process transactions or hold funds; we only track and organize data you provide.