How we protect your data.
Last updated: 11 June 2026
Architecture
Bullio is local-first. Your portfolio is stored in a SQLite database on your device. Bullio's backend never receives your holdings, transactions, portfolio values, or purchase prices.
The backend has two responsibilities: caching spot price data from Metals.Dev, and validating premium subscriptions. Neither function requires any knowledge of your portfolio.
Encryption at rest
The on-device database is encrypted by default using SQLCipher (AES-256). No setup is required — encryption is on from the first launch.
The encryption key is a 256-bit random key stored in the device's hardware-backed secure storage (iOS Keychain / Android Keystore), marked device-only so it never syncs to the cloud. The key never leaves the device.
Optional app passphrase
You can add a second layer of protection in Settings → Privacy & Security → Require passphrase. When enabled, your passphrase is stretched using Argon2id and used to seal the data key with XChaCha20-Poly1305 (libsodium). The raw data key is then removed from storage.
This means the app cannot be opened after a cold start without entering the passphrase. There is no backdoor and no recovery path — only your passphrase can unlock the data. The strength of this protection depends entirely on the passphrase you choose.
Data in transit
All communication between the app and api.getbullio.app is over HTTPS (TLS 1.2+). Cloudflare sits in front of the backend for DDoS protection, CDN caching, and TLS termination.
Backups
Backup files are encrypted on your device before they are written to iCloud Drive (iOS) or Google Drive (Android). Bullio's servers are not involved in this process and cannot read the contents of a backup.
You choose a passphrase when creating a backup. That passphrase is stretched using Argon2id and used to encrypt the backup with XChaCha20-Poly1305 (libsodium). This is authenticated encryption — a wrong passphrase or a tampered file is rejected before any data is decrypted.
The backup format is self-describing and does not require Bullio's servers to restore. Your passphrase is the only thing that can decrypt your backup. Bullio does not store it.
Biometric lock
Bullio supports Face ID and Touch ID (iOS) and fingerprint / face authentication (Android). When app lock is enabled, the app requires biometric authentication each time it returns from the background. If biometric authentication is unavailable, the app falls back to your device credentials (PIN / password / pattern).
If the optional app passphrase is also enabled, it is required on cold start (a full app launch from scratch) before the database can be opened — biometric lock handles subsequent background-to-foreground transitions.
Screenshot-safe mode can be enabled in Settings to prevent the operating system from capturing screen content when the app is backgrounded or during screen recording.
API keys
The Metals.Dev API key is stored on our server only. Your app never receives it. If you prefer to use your own Metals.Dev key, you can enter it in Settings — the app will use it directly, bypassing our backend entirely.
Crash reporting
Bullio uses Sentry for anonymised crash reporting. The integration is configured to strip personally identifiable information before any report is sent. Reports contain error type, file name, and line number only — no portfolio values, no identifiers.
Third-party services
The following third-party services are used by Bullio:
Responsible disclosure
If you discover a security vulnerability in Bullio, please email support@getbullio.app with a description of the issue. We aim to respond within 5 business days.
Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.