Your data stays on your laptop. Always.
Sajag runs as a local app on your machine. Your bank statements, CAS, bureau reports, EPFO passbooks, and Form 16 PDFs are read, parsed, and stored on your disk — the same disk your photos and Word documents live on. No copy is ever uploaded to a Sajag server, because there is no Sajag server.
Pull the network cable. Board a long-haul flight with the Wi-Fi off. Sajag keeps working. The numbers are still there because they were never anywhere else.
One SQLite file. AES-256 backups. Financial data stays local.
Concretely, your household lives in a single file at backend/data/fire.db. That’s the database. Uploaded PDFs sit alongside in backend/data/uploads/. Both are git-ignored, OS-permissioned, and yours to delete with rm when you’re done.
When you export a backup, Sajag wraps the database in an AES-256-GCM encrypted .sajag file using a key derived from your passphrase. Drop it on iCloud, Dropbox, or a USB stick — cloud storage providers see opaque ciphertext, not your numbers.
The app sends anonymous diagnostics — screen names + button-click events + JavaScript errors — to Google Analytics 4 so we know which features get used. Your financial data never leaves your Mac. The only other outbound HTTP request, optional, is a daily fetch of AMFI’s public NAV file so your mutual-fund prices stay current.
Honest trade-offs.
Local-first costs friction. We refuse Account Aggregator integration because that means your data flows through a regulated third party, however briefly. So you upload PDFs once a month instead of getting live bank sync.
Phone apps, push notifications, and shared dashboards are also out — they all require a server somewhere holding your data. The desktop app is the entire product.
The trade we make: monthly friction in exchange for a guarantee that your finances cannot be subpoenaed from us, sold by us, hacked from our servers, or used to train a model, because we never had a copy. (A court can, of course, ask you for your own data — just like they can for the contents of any file on your laptop. We can’t insulate you from that; no one can.)
The traffic is the audit.
Trust is hard for a category that’s spent a decade monetising user data. Our answer is: don’t trust the marketing — watch the network. Run Sajag with Little Snitch, Lulu, or any packet inspector on macOS. The only outbound request you’ll see is the daily AMFI NAV fetch to portal.amfiindia.com, plus periodic requests to Google Analytics 4 carrying screen names + button-click events (never financial data). Both are disable-able at the network layer (Little Snitch, Lulu) and Sajag still works fully offline.
The DMG is Apple-notarised, so the binary that runs on your Mac is exactly the one we built — not a tampered copy. We publish SHA-256 hashes for every release on the pricing page so you can verify the download before you open it. Traffic transparency, signed binaries, AES-encrypted backups — three verifiable surfaces that don’t require you to read a single line of our code.
Sajag vs the rest.
| Question | Typical SaaS | Sajag |
|---|---|---|
| Where does my data live? | Their servers | Your laptop |
| Can the company read it? | Yes, by design | No, ever |
| What if they shut down? | Data exported or lost | App keeps working |
| What if they pivot? | Your data is the asset | Not their decision |
| Audit the privacy claims? | Their privacy page | Read the source |