← Back to RetIQ · Features · Manual · Validation
🛡

Privacy & Security Transparency

A complete, verifiable audit of what RetIQ does — and does not do — with your data, on every platform

0
Data Collected
0
Trackers
0
External Requests During Use
100%
Client-Side Math
CSP
Browser-Enforced

Core Privacy Principles

💻

Your Device Is the Engine

Every financial calculation — tax brackets, Social Security estimates, Roth conversion optimization, Monte Carlo simulation — runs locally on your device. On the web it runs in your browser; on iOS and macOS it runs inside the app's sandboxed environment. Nothing is sent to a server for processing. Your numbers never leave your device.

🔒

Your Data Stays on Your Device

All plan data is saved to local storage on your device — localStorage in your browser on the web, or the app's private sandboxed storage on iOS and macOS. RetIQ cannot read, retrieve, or access this data remotely. Neither can anyone else.

🚫

No Accounts. No Tracking. No Ads.

RetIQ has no user accounts, no login, no analytics, no tracking pixels, no cookies, no fingerprinting. On the web, the only personal information collected is the email address you provide at Stripe checkout, used solely for license key delivery. On iOS and macOS, purchases are handled entirely by Apple — we receive no personal information at all. There is no mechanism to correlate your usage across sessions.

🔌

Works Fully Offline

On the web, RetIQ installs as a Progressive Web App and works without any internet connection after the first load. On iOS and macOS, the app is fully self-contained from installation. This is structural proof that your financial data doesn't need to go anywhere — because it doesn't.

🔐

Browser-Enforced Lockdown

A strict Content-Security-Policy header tells your browser exactly which domains RetIQ is allowed to contact. Even if the code were somehow modified, your browser would block any unauthorized connections. This is a browser-enforced guarantee, not a promise.

📖

Verified & Inspectable

RetIQ is built as a single HTML file with all calculations running in your browser. You can inspect the running code at any time using your browser's View Page Source (Ctrl+U or Cmd+Opt+U) and DevTools. Every calculation is validated against authoritative sources — open the Validation tab to see 361 automated tests with IRS/SSA/CMS citations. Transparency isn't a feature — it's the foundation.

Complete Network Manifest

The table below is an exhaustive list of every external domain RetIQ contacts, when it contacts them, and exactly what data is transmitted. There are no hidden endpoints, no background beacons, no telemetry.

DomainWhenPurposeData SentFinancial Data?
*.workers.dev
Cloudflare Worker		Purchase & license onlyThree endpoints handle licensing:
/create-checkout-session — redirects to Stripe for payment
/start-trial — issues a trial token
/validate-license — confirms a license key is valid		License key only. No financial plan data, no account balances, no personal information is transmitted. The checkout session sends only a trial token (if applicable).No
checkout.stripe.comWeb purchase onlyStripe's payment page processes web purchases. You are redirected to Stripe's domain — RetIQ never sees your credit card number.Stripe collects payment information under Stripe's Privacy Policy. RetIQ receives only a license key in return.No
Apple StoreKit
iOS & macOS only		App purchase onlyIn-app purchases on iOS and macOS are verified on-device through Apple's StoreKit 2 framework. Purchase validation happens locally — no server round-trip to RetIQ.Nothing sent to RetIQ. Apple handles all payment processing. RetIQ receives only a purchase confirmation from StoreKit on-device.No
That's the complete list. During normal use (entering data, running projections, Monte Carlo simulations), RetIQ makes zero network requests on any platform. The only external contacts are for purchasing — via Stripe on the web, or via Apple's StoreKit on iOS/macOS — and none transmit financial data. There are no analytics services, no advertising networks, no social media trackers, no error-reporting services, no telemetry of any kind. Even fonts are self-hosted — no Google Fonts CDN.

Content Security Policy — Browser-Enforced Restrictions

RetIQ includes a strict Content Security Policy (CSP) in its HTML. This is not just a claim — it's a set of rules your browser actively enforces. Even if RetIQ's code were somehow modified, your browser would block any connection that violates these rules:

CSP DirectivePolicyWhat It Means
default-src'self'By default, only load resources from retirementiq.app itself
script-src'self' 'unsafe-inline'Only run scripts embedded in the page — no external JS files can be loaded from any domain
style-src'self' 'unsafe-inline'Styles from the page itself only — no external CSS from any domain
font-src'self'Font files from retirementiq.app only — self-hosted, no CDN
connect-src'self'
*.workers.dev		API calls restricted to the licensing worker — no other server can be contacted via fetch/XHR
img-src'self' data: blob:Images from the site itself and inline data (icons)
object-src'none'No plugins (Flash, Java, etc.) can run — ever
frame-src'none'No iframes — no third-party content can be embedded in the page
form-action'none'No form submissions — data cannot be POST-ed to any server via HTML forms
How to verify: View the page source (Ctrl+U or Cmd+Opt+U) and look for the <meta http-equiv="Content-Security-Policy"> tag near the top. Your browser reads this tag and blocks any request that violates it — you can see violations in the DevTools Console.

What's Stored on Your Device

RetIQ saves your settings and plan data locally on your device. On the web, this uses your browser's localStorage, sandboxed so that only retirementiq.app can read it. On iOS and macOS, the app uses its own private sandboxed storage, inaccessible to other apps. In all cases, data never leaves your device. Below is every key RetIQ writes (web key names shown — the iOS and macOS apps store equivalent data):

KeyContainsWhen Written
retiq_v1Your retirement plan inputs: ages, income, expenses, account balances, Social Security settings, Roth strategy, etc. This is the core of your financial plan.Every time you change an input (Pro users only)
retiq_themeYour color theme preference: "dawn" (default), "dark", or "light"When you toggle the theme
retiq_pro"true" or absent — whether Pro is activated on this deviceWhen you activate a license
retiq_licenseYour license key stringWhen you activate a license
retiq_trial_tokenA trial session token (no personal info)When you start a trial
retiq_trial_startTimestamp of when your trial beganWhen you start a trial
Important: Because your data lives only in your browser's localStorage, clearing your browser data or switching devices will erase your plan. Use the HTML Export feature to save a portable copy of your plan. The exported file is a self-contained HTML document stored on your computer — it is never uploaded anywhere.

What RetIQ Never Does

RetIQ does not:

• Send your financial data (income, balances, expenses, Social Security, tax info) to any server — ever
• Create user accounts or require login
• Collect your name, phone number, or personal identifiers (your email is collected by Stripe at checkout for license delivery and recovery only)
• Use cookies for tracking (RetIQ sets no cookies at all)
• Use browser fingerprinting or device identification
• Include analytics, telemetry, or error-reporting services
• Display advertisements or share data with ad networks
• Sell, rent, or monetize any data — there is no data to sell
• Use your data to train AI models or for any secondary purpose
• Phone home, ping servers, or send background requests while you use the app
• Access your clipboard, camera, microphone, contacts, or files (beyond the import feature you explicitly trigger)

Verify It Yourself

You don't have to trust these claims — you can confirm them in under two minutes using tools built into your browser. These same techniques are used by security professionals to audit web applications.

Open DevTools → Network tab. In Chrome or Edge, press F12 (or Cmd+Opt+I on Mac), then click the Network tab. In Firefox, press F12 and select Network. In Safari, enable the Develop menu in Preferences, then press Cmd+Opt+I.
Reload RetIQ and watch. You'll see requests only to retirementiq.app — the app itself, its fonts, and its icons. No external domains are contacted. Zero.
Use the app — change inputs, run projections, run Monte Carlo. Watch the Network tab. You will see zero new network requests. All calculations happen locally in your browser.
Check localStorage. In DevTools, go to Application (Chrome/Edge) or Storage (Firefox) → Local Storageretirementiq.app. You'll see exactly the keys listed above and nothing else.
Go offline. Turn off Wi-Fi or enable airplane mode. RetIQ continues to work perfectly — projections, charts, Monte Carlo — because nothing depends on a server connection.
Check the Content Security Policy. View page source (Ctrl+U) and find the Content-Security-Policy meta tag in the <head>. This tells your browser exactly which domains are allowed. In DevTools → Console, any CSP violation would appear as a red error — the browser will block any attempt to send data to an unauthorized domain.
For advanced users: RetIQ is a single HTML file with embedded JavaScript. Right-click and select View Page Source in your browser to read the running application. Every calculation, every network call, every localStorage write is visible. There is no minified or obfuscated code hiding additional behavior.

How RetIQ Compares

Most retirement planning tools store your financial data on their servers, require accounts, and use tracking. Here's how RetIQ's architecture differs:

Privacy FeatureRetIQTypical Cloud-Based
Planning Tools
Where calculations runYour browserTheir servers
Where data is storedYour device onlyTheir cloud database
Account / login requiredNoYes
Email requiredAt purchase only (license recovery)Yes (account required)
Analytics & trackingNoneGoogle Analytics, Mixpanel, etc.
Works offlineYes (PWA)No — requires server
Source code visibleYes — View Page Source in browserNo — server-side code
Content Security PolicyYes — browser-enforcedRare
Data survives if company shuts downYes — your files, your deviceNo — data locked in their servers
Vendor can be breachedNo financial data to breachYes — single point of failure

Frequently Asked Questions

If all data is local, what happens if I clear my browser data?
Your plan data will be erased. This is the tradeoff of true local-only storage: your data's safety depends on your device, not our servers. Use the HTML Export or JSON Export features to create backups on your computer. These files are self-contained and can be re-imported anytime.
Can RetIQ's developer access my financial data?
No. There is no technical mechanism for this. Your plan data is stored locally on your device — in your browser's localStorage on the web, or in the app's private sandboxed storage on iOS and macOS. On the web, the RetIQ server has three endpoints — all related to licensing — and none accept or return financial data. On iOS and macOS, the app contacts no RetIQ server at all. You can verify web behavior by watching the Network tab in DevTools while you use the app.
What if retirementiq.app gets hacked?
A compromised website is a serious concern for any web app. Here's what limits the risk with RetIQ: your financial data exists only in your browser's localStorage. An attacker who compromises the web server could serve malicious JavaScript that attempts to read localStorage and exfiltrate data. However, RetIQ works as a Progressive Web App — once installed, it runs from a local cache and doesn't re-download from the server on each visit. For maximum security, you can: (1) use RetIQ in offline/airplane mode after initial install, (2) save your plan as an HTML or JSON file and clear RetIQ's localStorage when you're done, or (3) review the source code in your browser before entering sensitive data.
What does Stripe or Apple know about me?
Web purchases (Stripe): If you purchase RetIQ on the web, Stripe processes your payment and collects standard payment information (name, card number, email for receipt) under Stripe's Privacy Policy. RetIQ receives your email address (for license recovery) and a license key — not your payment details or card number. Your email is stored solely for license recovery and is never used for marketing.

iOS/macOS purchases (Apple): If you purchase through the App Store, Apple processes your payment under Apple's Privacy Policy. RetIQ receives no personal information from Apple — your purchase is verified entirely on-device through StoreKit.
Why does RetIQ self-host its fonts?
Many web apps load typefaces from Google Fonts, which sends your IP address and browser information to Google on every page load. RetIQ instead bundles its fonts (DM Sans and JetBrains Mono) directly on the same server as the app. This means loading RetIQ never contacts Google or any other third party. The fonts are also cached by the service worker, so they load instantly on repeat visits and work fully offline.
Can I inspect the code myself?
Yes. RetIQ is a single HTML file with embedded JavaScript — there is no minified or obfuscated code. Right-click in the app and select View Page Source to inspect every calculation, network call, and storage operation directly in your browser. You can also open DevTools (F12) to monitor all network activity in real time. Additionally, the Validation tab inside the app displays 361 automated tests verified against IRS, SSA, CMS, SECURE 2.0, and OBBB Act 2025 sources.
How can I completely delete my data?
Web: Open your browser's Developer Tools → Application (or Storage) → Local Storage → retirementiq.app, and delete all entries. Alternatively, clear your browser's site data for retirementiq.app.

iOS/macOS: Delete the app from your device. All data stored by the app is removed when the app is deleted.

Because RetIQ never transmits your financial data to any server on any platform, deleting your local data is a complete and permanent deletion — there are no server-side copies, backups, or residual records to worry about.

Technical Details for Security Professionals

Architecture: RetIQ is a single-file client-side application (~9,900 lines of unminified HTML/CSS/JavaScript). All financial computations execute in the browser's main thread. Charts are rendered as inline SVG — no external charting library is loaded. The application registers a Service Worker for offline caching using a stale-while-revalidate strategy.
Content Security Policy (CSP): RetIQ ships with a strict Content-Security-Policy meta tag that tells your browser exactly which domains the app is allowed to contact. This is a browser-enforced guarantee — not just a promise from the developer. The policy restricts scripts to inline-only (no external JS), styles and fonts to 'self' only (self-hosted), API calls to the licensing worker only, and blocks all iframes, plugins, and form submissions. You can inspect it by viewing the page source — it's in the <head>.
Network surface: During normal use (data entry, projections, Monte Carlo), the app makes zero network requests. The only external origin ever contacted is a Cloudflare Worker endpoint for three licensing-related API calls (none of which transmit financial data), plus checkout.stripe.com via redirect during purchase. Fonts are self-hosted. No WebSocket connections, no Server-Sent Events, no background sync, no push notifications.
CSP details: The enforced policy restricts each resource type independently:

• connect-src restricts API calls to 'self' and the Cloudflare licensing worker only
• font-src 'self' restricts fonts to the app's own origin (self-hosted WOFF2 files)
• style-src 'self' 'unsafe-inline' — no external CSS can be loaded
• object-src 'none' blocks all plugins (Flash, Java, etc.)
• frame-src 'none' blocks all iframes
• form-action 'none' blocks all form submissions

If any code — including a compromised script — attempts to send data to an unauthorized domain, the browser itself will block the request. You can verify this in DevTools → Console, where any CSP violations are logged.
Storage: Six localStorage keys are used (see table above). No cookies are set. No IndexedDB databases are created. No sessionStorage is used. The Service Worker cache stores only static application assets (HTML, icon images, manifest, and self-hosted font files).
Data export: The HTML Export feature generates a self-contained file using window.open() and document.write(). The exported file is rendered locally and can be saved via the browser's Save dialog. No data is uploaded during export.
Third-party code: Zero third-party JavaScript libraries are loaded at runtime. No external CSS or font CDNs are used. The chart rendering, financial calculations, UI framework, and all application logic are implemented in inline JavaScript within the single HTML file. Fonts (DM Sans and JetBrains Mono) are self-hosted as WOFF2 files served from the same origin.
Content Security Policy: RetIQ enforces a strict Content-Security-Policy via a <meta> tag in the HTML head. This is a browser-enforced restriction — not just a promise — that prevents the app from contacting unauthorized domains, loading external scripts, or exfiltrating data. The policy restricts font-src and style-src to 'self', blocks all form submissions and object embeds, and limits connect-src to the app's own origin and the licensing endpoint. You can verify this by inspecting the page source or checking the Application → Security panel in DevTools.
RetIQ · Privacy Policy · Terms of Service · Validation Report
This document was last updated March 28, 2026. If you have security concerns, contact us via the information in our Privacy Policy.