Security
How Tascly protects data
Tascly is made for practical recurring data: personal IDs, vehicle plates, billing details, deadlines, family notes and admin info. The vault stays on the device: no account, no cloud sync and no advertising trackers.
Technical controls
- Local encryption with the browser Web Crypto API.
- AES-GCM encryption.
- PBKDF2-SHA-256 key derivation with 600,000 iterations for the current vault format.
- The raw password is not kept as a global app variable after unlock; the session keeps the derived CryptoKey.
- Content Security Policy limits external scripts and embedding.
- No external script is needed to run the vault.
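The controls listed above, sketched with the Web Crypto API as an added example (not Tascly's own code): PBKDF2-SHA-256 at 600,000 iterations derives a non-extractable AES-GCM key, so the session can hold the CryptoKey rather than the password. The 16-byte salt, 12-byte IV, 256-bit key length, record layout and all function names are assumptions.

```javascript
// Added example, not Tascly's code. Salt and IV sizes, the 256-bit key length
// and the record layout are assumptions; only the algorithms and the
// iteration count come from the page.
const ITERATIONS = 600000;

async function webCrypto() {
  // Browsers expose globalThis.crypto; the import is a fallback for older Node.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Password -> non-extractable AES-GCM key. The session can hold this
// CryptoKey instead of the raw password.
async function deriveKey(password, salt, iterations = ITERATIONS) {
  const { subtle } = await webCrypto();
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt with a fresh random 96-bit IV on every save; an IV must never
// repeat under the same AES-GCM key.
async function encryptVault(key, salt, plaintext, iterations = ITERATIONS) {
  const wc = await webCrypto();
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  return { v: 1, iterations, salt, iv, ct: new Uint8Array(ct) };
}

// Rejects (OperationError) on a wrong key or any modified byte, because the
// GCM tag no longer verifies.
async function decryptVault(key, record) {
  const { subtle } = await webCrypto();
  const pt = await subtle.decrypt({ name: 'AES-GCM', iv: record.iv }, key, record.ct);
  return new TextDecoder().decode(pt);
}

// Unlock: re-derive from the stored salt and iteration count, then decrypt.
async function unlock(password, record) {
  const key = await deriveKey(password, record.salt, record.iterations);
  return { key, plaintext: await decryptVault(key, record) };
}

async function newSalt() {
  return (await webCrypto()).getRandomValues(new Uint8Array(16));
}
```

Storing the iteration count in the record lets a later vault format raise it without breaking older backups.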
Data flow
- Vault cards are saved locally on the device.
- Copied values go to the system clipboard.
- Encrypted backups are created manually by the user.
- Only feedback text is sent through Formspree when the user presses Send feedback.
Limits to know
- If someone knows the password, they can open the vault.
- If someone steals the encrypted vault or backup, they may try password guesses offline. A long, non-obvious password is important.
- If the device, browser or operating system is already compromised, local protection may not be enough.
- When you copy data, it leaves the vault and goes to the system clipboard.
- Without both backup and password, the vault cannot be recovered.
- For passwords, PINs and 2FA codes, use a dedicated password manager.
Recommended use
Good fit: personal IDs, vehicle plates, billing details, deadlines, admin notes and data you often copy.
Use care with IBANs, health card numbers and document details. Save number, expiry and notes first; avoid full document photos unless necessary.
Security wording is intentionally conservative: Tascly is not a certified vault or password manager.
Italian
Security in brief
Tascly saves the vault on the device, encrypted with the password. It does not use accounts, cloud sync, analytics or advertising trackers inside the vault.
The backup is manual and encrypted: recovering the data requires both the backup file and the password.
For passwords, PINs and 2FA codes, use a dedicated password manager.