How your money is held
Even we can’t touch what’s yours.
Most money apps hold your money for you. Zend! works the other way around. Here’s the plain-English account of why that’s true, and how we built it without making you learn a new vocabulary to use the app.
The wallet is created on your phone.
When you finish signing up, Zend! generates a key on your device. Your phone never sends that key anywhere. We never see it. The signup screen finishes, the key exists, and it lives only in the secure storage area your operating system reserves for sensitive data — the same place your other apps keep tokens, passwords, and biometrics.
That key is what proves money belongs to you. Anyone with the key can move your money. No one else can. Including us.
Your PIN locks it.
We don’t leave the key sitting around in plain sight. The PIN you set during signup is run through a slow password-stretching function (PBKDF2 with 100,000 rounds, if you’re curious) to derive an encryption key, and that encryption key seals the wallet using AES-256 in authenticated mode.
Translation: even if someone copied the encrypted file off your phone, they couldn’t open it without your PIN. And the PIN can’t be guessed quickly — the slow stretching is deliberate. Each guess takes long enough to make brute-forcing impractical.
We never see the PIN. It’s only used on your phone, only by your phone, and only to unlock your own wallet.
An encrypted backup, in case you lose your phone.
People lose phones. We don’t want that to mean you lose access to your money. So when you set your PIN, we also store an encrypted copy of your wallet on our servers — encrypted with the key derived from your PIN, on your phone, before it ever leaves.
What that means in practice: the file we hold is useless without your PIN. We can’t open it. We can’t sign anything with it. We can’t move your money. We can give the encrypted file back to you on a new device, and your PIN unlocks it the same way it did before.
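The PIN-sealing step from "Your PIN locks it" and the backup file described above, as an added example for Node.js; it is not Zend!'s code. It assumes PBKDF2-HMAC-SHA256, AES-256-GCM as the authenticated mode, a random per-wallet salt, and a salt || iv || tag || ciphertext layout. The page specifies only PBKDF2, 100,000 rounds and AES-256, and all function names here are hypothetical.

```javascript
// Added example: names, blob layout and sizes are assumptions, not the app's.
const crypto = require("node:crypto");

const ROUNDS = 100000; // round count stated on the page
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16; // assumed sizes

function deriveKey(pin, salt) {
  // SHA-256 as the PBKDF2 PRF is an assumption; the page names only PBKDF2.
  return crypto.pbkdf2Sync(pin, salt, ROUNDS, 32, "sha256");
}

// Returns salt || iv || tag || ciphertext: the only thing that leaves the device.
function sealWallet(pin, walletKey) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(pin, salt), iv);
  const ct = Buffer.concat([cipher.update(walletKey), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Returns the wallet key, or null if the PIN is wrong or the blob was altered.
function openWallet(pin, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(pin, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]);
  } catch {
    return null; // GCM tag check failed: nothing is released
  }
}

function demo() {
  const walletKey = crypto.randomBytes(32);       // constructed sample key
  const backup = sealWallet("493817", walletKey); // constructed sample PIN
  const tampered = Buffer.from(backup);
  tampered[tampered.length - 1] ^= 0x01;          // flip one ciphertext bit
  return {
    restored: openWallet("493817", backup)?.equals(walletKey) === true,
    wrongPin: openWallet("493818", backup),
    tampered: openWallet("493817", tampered),
    sameBlobTwice: sealWallet("493817", walletKey).equals(backup),
  };
}
```

The salt and IV are stored in the clear beside the ciphertext because neither is secret; the PIN is the only input the holder of the blob lacks.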
What we can do, and what we can’t.
We can route a payment for you, settle to your local bank, convert one currency to another, and tell you what your balance is. We do that work in our infrastructure. Those are the parts that let Zend! feel like a familiar app.
We can’t move money out of your wallet on our own. We can’t freeze your funds. We can’t spend them. Every action that touches your wallet is signed by your phone, with your key, after you confirm with your PIN. There is no override.
What this is not.
We’re honest about the parts that aren’t magic. If you forget your PIN and lose your phone at the same time, no one can recover your wallet for you. The encrypted backup needs your PIN to open. Self-custody cuts both ways: it means we can’t lock you out, and it also means we can’t let you back in.
We’ll keep building safer recovery paths over time — trusted devices, social recovery, optional biometric unlock. None of those will ever require us to see your key. That’s the line.