KUYAN is a privacy-focused, local-only financial tracking application. Security and privacy are core principles of this project.

• All financial data is stored locally in SQLite database files
• No cloud synchronization or external data transmission (except currency exchange rates)
• No telemetry or analytics collection
• No third-party tracking

KUYAN only makes external requests to:

• frankfurter.app - Free currency exchange rate API (no authentication required)
• No other external services are contacted

We support the latest stable release. Security updates will be provided for the current major version.

If you discover a security vulnerability in KUYAN, please report it responsibly:

• Open a public GitHub issue for security vulnerabilities
• Disclose the vulnerability publicly before it's fixed

1. Create a GitHub Security Advisory

   • Go to the "Security" tab in the repository
   • Click "Report a vulnerability"
   • Provide detailed information about the vulnerability

2. Or contact privately

   • Email the maintainer (check GitHub profile for contact)
   • Include detailed steps to reproduce
   • Allow time for a fix before public disclosure

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

• Keep your kuyan.db file secure
• Set appropriate file permissions (read/write for owner only)

  chmod 600 kuyan.db

• Don't share your database file publicly
• Use encrypted backups when storing in cloud services

• Encrypt backups before uploading to cloud storage
• Use strong passwords for encrypted archives
• Store backups in multiple secure locations
• Regularly test backup restoration

• Keep Docker Desktop updated
• Use named volumes for data persistence
• Don't expose port 8501 to the internet
• Review container permissions

• Keep your operating system updated
• Use strong passwords/encryption for your computer
• Enable firewall protection
• Use antivirus software

• Public internet deployment - KUYAN has no authentication system
• Multi-tenant use - Designed for single-user or trusted family use
• High-security environments - Database is not encrypted at rest

• ❌ User authentication
• ❌ Database encryption
• ❌ Access control/permissions
• ❌ Audit logging
• ❌ Two-factor authentication

• ✅ Data sent to cloud services (no cloud sync)
• ✅ Minimal external dependencies (only exchange rates API, no authentication required)
• ✅ Telemetry and tracking

• ❌ Physical access to your computer
• ❌ Malware on your system
• ❌ Unauthorized network access (if exposed)
• ❌ Database file theft (not encrypted)

• Dependencies are regularly reviewed for vulnerabilities
• Consider using pip-audit to check for known vulnerabilities:

  pip install pip-audit
  pip-audit -r requirements.txt

KUYAN uses minimal, well-maintained dependencies:

• streamlit - Web UI framework
• pandas - Data processing
• plotly - Visualization
• requests - HTTP client
• python-dateutil - Date handling

Security updates will be released as:

• Patch versions (1.0.x) for minor security fixes
• Minor versions (1.x.0) for significant security improvements

Users are encouraged to:

• Watch the repository for updates
• Subscribe to release notifications
• Update regularly

KUYAN is provided "as is" without warranty of any kind. Users are responsible for:

• Securing their own systems
• Backing up their data
• Evaluating security risks for their use case

Important: KUYAN is designed for personal/family use in trusted environments. It is NOT designed for:

• Production enterprise use
• Public internet deployment
• Untrusted multi-user environments

Last Updated: 2025-01-25