Security & encryption
Your data, and why we can't see it
How ThreeScoreAndOn protects your plan.
Last updated: 17 June 2026
The short version
ThreeScoreAndOn helps you plan your retirement, which means you trust it with some of the most personal numbers you have — your pensions, savings, property, salary and what you hope to leave your family.
We designed the app so that we can't read any of it. Your plan is encrypted on your own device, with a key only you hold. What we store is an unreadable scrambled blob — not even we, and not even the company that hosts our database, can turn it back into your numbers.
This isn't a promise to be careful with your data. It's an arrangement where being careless wouldn't expose it either, because the readable version never reaches us.
What "zero visibility" actually means
- Encrypted on your device. Before your plan ever leaves your browser, it's encrypted using strong, industry-standard encryption (AES-256-GCM).
- The key is yours alone. The key that unlocks your plan is created on your device from your secret, using a deliberately slow key-derivation step (PBKDF2, 600,000 iterations). It is never sent to us and we never store it.
- We store only ciphertext. On our servers your plan exists only as scrambled data. Without your key it's meaningless — to us, to our hosting provider, to anyone who ever obtained a copy of the database.
- No one at ThreeScoreAndOn can look up your plan. There's no admin screen, no support tool, and no database query that would reveal your numbers. We genuinely cannot see them.
What we do store
To run your account we hold a small amount of information that is not part of the encrypted plan:
- The email address you sign up with, so you can log in.
- The encrypted (unreadable) blob of your plan.
- Basic timestamps (when the plan was last saved).
- Anonymous, aggregated usage statistics that are not tied to your identity and contain none of your financial data.
We don't sell data, and we don't show ads.
Your key, and what happens if you forget your password
Because only you hold the key, there's an important trade-off: if you forget your password, we cannot recover your plan for you — there's no master key on our side to fall back on. That's the same property that stops anyone else getting in.
To protect you against that, when you first secure your account we give you a one-time recovery code. Keep it somewhere safe — a password manager, or printed and put away. If you ever reset your password, that code lets you unlock your plan again. Lose both your password and your recovery code, and the plan can't be recovered — by anyone.
The honest limits
We'd rather tell you the edges of this than oversell it:
- Your device matters. End-to-end encryption protects your plan on our servers and in transit. It can't protect you from malware on your own computer, or from someone using your already-unlocked device. Keep your device and browser up to date.
- Your secret matters. Your encryption is only as strong as the password (or passphrase) behind it. Use a strong, unique one.
- About your password, honestly. By default your login password does two separate jobs: it signs you in (handled by our login provider over an encrypted connection), and — independently, on your device — it derives the key that unlocks your plan. The unlock key itself never leaves your device. If you'd prefer your unlock secret never to touch our servers at all, you can set a separate passphrase in the app's Security settings; that passphrase is never transmitted anywhere, not even to log you in.
- This is planning, not advice. ThreeScoreAndOn is an education and planning tool, not regulated financial advice. For decisions about your money, speak to a qualified adviser.
In plain terms
We built this the way we'd want our own retirement numbers handled: encrypted before they leave your hands, with a key we never see, stored as data we can't read. The trade is that the responsibility for your key sits with you — and we give you a recovery code to make that manageable.