PicoPouch.
Every household runs on hidden infrastructure: the mortgage portal login, the insurance policy number, the energy supplier account reference, the ISA provider phone number. That information typically lives in one person's head, one person's email, or one person's browser. PicoPouch exists to fix that. It is a practical everyday tool that happens to also solve the worst-case scenario.
PicoPouch is a zero-knowledge encrypted vault. Users store credentials and upload documents into twelve structured life-admin categories: home and property, banking and cards, insurance, health and care, tax and government, legal and estate, subscriptions, travel, education, suppliers and vendors, payroll and people, and client delivery.
Trusted co-owners can be invited with explicit access permissions. Sharing is built around zero-knowledge key exchange; co-owners receive wrapped encryption keys rather than raw access to a central data store.
Credentials and documents are encrypted in the browser using AES-256-GCM before they ever leave the device. The server never sees plaintext. The master passphrase derives a local key via PBKDF2 at 600,000 iterations, and the key never leaves the device.
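The client-side flow described above, sketched with the Web Crypto API as an added example; this is not PicoPouch's own code. The function names, the SHA-256 PBKDF2 hash, the 96-bit nonce, the caller-supplied per-vault salt and the use of the category label as authenticated data are assumptions, since the page states only AES-256-GCM and PBKDF2 at 600,000 iterations.

```javascript
// Added illustration, not PicoPouch code. Values marked "assumption" are not on the page.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const enc = new TextEncoder();
const ITERATIONS = 600000; // iteration count stated on the page

// Derive a non-extractable AES-256-GCM key from the master passphrase.
async function deriveKey(passphrase, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS }, // hash: assumption
    material,
    { name: "AES-GCM", length: 256 },
    false, // extractable=false: script cannot export the raw key bytes
    ["encrypt", "decrypt"]);
}

// Encrypt one record. The returned object is all a server would need to store.
async function sealRecord(key, plaintext, category) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per record
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(category) }, // AAD: assumption
    key, enc.encode(plaintext));
  return { iv, category, ciphertext: new Uint8Array(ct) };
}

// Decrypt one record. Rejects if the key, ciphertext or category label is wrong.
async function openRecord(key, blob) {
  const pt = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: blob.iv, additionalData: enc.encode(blob.category) },
    key, blob.ciphertext);
  return new TextDecoder().decode(pt);
}

// True when decryption fails, i.e. the GCM authentication tag did not verify.
async function rejects(key, blob) {
  try { await openRecord(key, blob); return false; } catch { return true; }
}
```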
Recovery is explicit and user-controlled. There is no server-side master key. There is no password reset that decrypts data. Every vault access, human or agent, is logged with actor, timestamp, and action type.
PicoPouch runs six purpose-built agents inside the zero-knowledge boundary. LEDGER connects to UK banks via Open Banking and detects recurring payments and anomalies. COURIER ingests financial emails and files policy numbers, renewal dates, and account references automatically. ANALYST classifies incoming data and matches it to existing vault records. CONTROLLER runs gap analysis across the vault and surfaces prioritised tasks. TELLER parses uploaded bank statements from six major UK banks plus a generic fallback. ORACLE provides cross-vault financial health insights.
Agents communicate via a GCP Pub/Sub event bus with per-vault ordering guarantees. Every agent write passes through an internal vault API that enforces audit logging and input validation. Agents handle encrypted payloads only; they never bypass the zero-knowledge boundary.
PicoPouch is hosted in GCP europe-west2 (London) for UK data residency throughout. It is built on TypeScript end-to-end, with Next.js for the web app and Firebase Cloud Functions for the agents and APIs. The product is live and ongoing. The full product, including pricing and the household and small-business tiers, is at picopouch.app.