Privacy Policy

Effective date: 2026-05-07 Version: 0.1 (pre-lawyer-review draft)

Pending legal review. This document was drafted in good faith from Homaic's constitutional privacy commitments (homaic-charter v1.2 §6.1, homaic-foundation-standards v1.1 §2). It will be reviewed by counsel before Homaic's public launch. Until that review lands, treat this Policy as Homaic's stated intent, not a finished legal instrument.

0. The short version

  • Your home data is yours. You own it; you can export it; you can delete it.
  • Homaic does not sell your data. Ever. There is no third-party data sales product, planned or unplanned.
  • Homaic does not train AI models on your data, and does not let third-party AI providers train on your data, except where you have given explicit, separate, opt-in consent for a specific purpose. The default for any opt-in of this kind is OFF.
  • Homaic uses Anthropic, PBC for AI extractions you initiate, Stripe for payments, and Supabase for hosted database storage. There is no other third-party data sharing.
  • Privacy is structural at Homaic, not policy: row-level security on every table, classification metadata on every column, k-anonymity gates on any aggregation. See homaic-charter §6.1.

The detail is below.

1. What we collect

Homaic classifies data into three tiers, per homaic-foundation-standards §2.2. The classification determines what can be done with each piece of data.

1.1 Tier 1 — your personal data (never aggregated without explicit opt-in)

This is your account and your home data. It is visible only to you, accessible only by your authenticated session, and never aggregated without explicit, opt-in consent.

  • Account data: email address; account creation date; subscription tier and status; magic-link authentication events.
  • Property data: addresses, property details, assets, projects, service events, contractors, quotes, decisions, documents, warranties, briefs, configurator outputs, decision records, and any free-text notes you write.
  • Usage data tied to your account: configurator session content, Mode A AI extraction events you initiate, Mode B (MCP) agent activity logs scoped to your tenant.
  • AI cost log: a per-request log of token usage for quota enforcement. This log records the count of tokens, the model name, and the time of the request — not the content of the request or response. Retained 90 days, then purged.
  • Payment metadata: if you are on the Pro tier, Homaic stores a Stripe customer ID and subscription metadata (status, plan, period dates). Payment card numbers are stored by Stripe, not Homaic.

1.2 Tier 2 — pseudonymized analytics (no personally identifying information)

Tier 2 covers operational signals that help us run a reliable service. Pseudonymized means tied to a random opaque identifier, not your account or your email.

  • Aggregate page-view and feature-usage counts, where analytics are enabled. The MVP may ship with no third-party analytics at all; if analytics are introduced, this Policy will be updated and the analytics surface will be disclosed before activation.
  • Error logs (stack traces) scrubbed of personally identifying values before they reach the logging surface. We treat error logs as Tier 2 because they are a reliability requirement; we will never enrich them with your account data.

1.3 Tier 3 — public reference data (no user_id, system-wide)

Tier 3 is reference data Homaic publishes for everyone. This is not your data — it is system content.

  • The products catalog (e.g., asset categories, brand listings).
  • Expert content (articles, guides).
  • Brief templates.

If you contribute to Tier 3 (for example by submitting feedback that is incorporated into an expert-content article), Homaic does not include your name unless you have separately agreed to be credited.

2. How we use it

Homaic uses your Tier 1 data to provide the Service to you. Specifically:

  • To deliver the core Service: store and retrieve your home data, generate briefs you create, run share-token flows you initiate, render the dashboard you log into.
  • To run Mode A AI extractions you initiate: when you upload a photo or document for extraction, we send the input to Anthropic's API, return the structured suggestion to you, and let you review before saving. See §4.
  • To enforce quotas: the AI cost log (§1.1) tracks per-request token usage for the rate limits stated on the Pricing page.
  • To secure your account: detect and prevent fraud, abuse, and unauthorized access; investigate security incidents; respond to lawful legal process.
  • To bill you: if you are on the Pro tier, we use payment metadata (§1.1) to manage your subscription with Stripe.
  • To communicate with you about your account: account notices, billing notices, security alerts, and material changes to these Terms or this Privacy Policy. You cannot opt out of these because they relate to your active account; you can leave the Service if you do not want them (§5).
  • To improve the Service in aggregate, where consent is given: any cross-user aggregation falls under Tier 2 of homaic-foundation-standards §2.2 and is gated by a k-anonymity threshold of k≥10. The MVP ships the consent and aggregation infrastructure but does not surface aggregated-insight features; when those features land, they will be opt-in and disclosed at the surface.

Homaic does not use your data to:

  • target you with third-party advertising;
  • sell, license, or otherwise transfer your data to a third party for that third party's commercial purposes;
  • train Homaic's AI models or third-party AI models, except under §4.3 (explicit, separate, opt-in consent that defaults OFF);
  • influence ranking or recommendations to other users in a way that benefits a paying party other than you.

3. Where your data lives

  • Primary storage: PostgreSQL on Supabase, hosted in AWS. Region defaults to a U.S. region. EU data-residency support is on the v1.x roadmap; if you need EU residency for compliance reasons before then, contact privacy@homaic.io and we will tell you whether self-hosting on your own infrastructure is the right path for now.
  • Encryption at rest: Database storage is encrypted at rest by Supabase/AWS using AES-256.
  • Encryption in transit: All Service traffic uses TLS 1.2 or higher.
  • Row-level security: Every table that holds Tier 1 data carries a user_id column and a row-level security policy that gates access to your authenticated session. This is constitutional, per homaic-foundation-standards §5.1 Habit 1; it is not a feature that can be turned off.
  • Backups: Daily automated backups via Supabase point-in-time recovery, with a weekly export to S3 for offsite redundancy. Backups are encrypted and access-controlled. Backup retention does not exceed 90 days.

4. Who we share with

Homaic uses a small number of third-party processors to operate the Service. Each is listed below with the data they receive and why. The full Data Processing Agreement, including sub-processor terms, is at /dpa.

4.1 Anthropic, PBC — AI extraction (Mode A)

When you initiate a Mode A AI extraction, the input you provided (a photo, document, or text query) is sent to Anthropic's API for processing. The output is returned to you for review.

  • Data sent: the input you provided for that specific extraction.
  • Data not sent: your account email, your other home data, your other users' data.
  • Anthropic's commitment, per Anthropic's API terms: API inputs and outputs are not used to train Anthropic's foundation models.
  • Anthropic's Privacy Policy: anthropic.com/privacy.

4.2 Stripe, Inc. — Payments

If you are on the Pro tier, Stripe processes your payment. Stripe receives the payment information you submit at checkout. Homaic receives a Stripe customer ID and subscription status — not your card number.

  • Stripe's Privacy Policy: stripe.com/privacy.

4.3 Supabase, Inc. — Database hosting

Supabase hosts the PostgreSQL database that stores Tier 1 data. Supabase processes your data only to provide hosting; Supabase does not access the contents of your data except as necessary for support requests you initiate.

  • Supabase's Privacy Policy: supabase.com/privacy.

4.4 Vercel, Inc. — Application hosting

Vercel hosts the Homaic application surfaces (homaic.io and product subdomains). Vercel sees request metadata necessary to route traffic. Vercel does not have access to your stored data.

  • Vercel's Privacy Policy: vercel.com/legal/privacy-policy.

4.5 No other sharing

Homaic does not share your data with any third party other than the processors above and any successor processor whose addition is disclosed in an updated version of this Policy under §9.

Homaic does not sell your data, license it for revenue, or trade it for services. There is no third-party data sales product, planned or unplanned. This is constitutional, per homaic-charter §6.1.

4.6 Legal process

Homaic will disclose your data only when compelled by valid legal process, and only the minimum scope required. Where the law permits, Homaic will notify you before disclosure so you may seek a protective order or other remedy.

4.7 No AI training without explicit opt-in

Homaic does not train its own AI models on your data. Homaic does not allow Anthropic or any other third-party AI provider to train models on your data. The only exception is where you have given explicit, separate, opt-in consent for a specific purpose, and the default for any opt-in of this kind is OFF. This is constitutional, per homaic-foundation-standards §2.2 and §2.6.

5. How long we keep your data

  • Active accounts: retained for the lifetime of the account.
  • Deleted accounts: purged from primary storage within 30 days. Backups age out on the standard 90-day backup-retention schedule.
  • AI cost logs: 90 days, then purged. Used solely for quota enforcement.
  • Audit logs (security and legal-compliance): 90 days, then purged. Used solely for security investigations and lawful disclosures.
  • Backups generally: 90 days maximum.

See homaic-foundation-standards §2.5 (account deletion data purge) for the implementing specification.

6. Your rights

The following user rights are first-class features of the Service, not just policy commitments. Per homaic-foundation-standards §2.5:

  • Access. You can download a full export of your data at any time from the Settings page. The export is in standard, machine-readable formats. No exit fee, no rate gate.
  • Correction. You can edit any data in the Service from the dashboard. If a piece of data is not editable from the UI in a given release, contact privacy@homaic.io and we will fix it.
  • Deletion. You can delete your account from the Settings page. Deletion triggers the purge described in §5.
  • Portability. Your export is portable. The AGPL license on the software guarantees you can run a self-hosted Homaic instance and import your export. Homaic-hosted is convenience; self-hosted is sovereignty. You choose.
  • Object. You can opt out of any non-essential processing (aggregation, recommendations, opt-in AI uses) at any time from the Settings page. Opt-outs take effect immediately for new processing and are honored on the next aggregation cycle for existing computed surfaces.
  • Withdraw consent. You can withdraw any consent you previously gave (for example, a previous opt-in to a Tier 2 aggregation feature). Withdrawal does not affect lawful processing that occurred before withdrawal.

7. GDPR and CCPA

7.1 GDPR (EU/UK users)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in §6, plus the following:

  • Lawful basis. Homaic processes your Tier 1 data on the basis of contract performance (delivering the Service you signed up for) and legitimate interests (security, fraud prevention, billing). Where Homaic processes data on the basis of consent (opt-in aggregation, opt-in AI uses), you can withdraw consent at any time.
  • International transfers. Tier 1 data is hosted in the United States. Where Homaic transfers data from the EEA, UK, or Switzerland to the U.S., the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) [LAWYER REVIEW NEEDED] and supplementary technical measures (encryption in transit and at rest).
  • Data Protection Officer. Contact dpo@homaic.io for any GDPR question. [LAWYER REVIEW NEEDED — confirm whether DPO appointment is required at MVP scale.]
  • Data Processing Agreement. A standalone DPA is published at /dpa. It is also available by request to legal@homaic.io.
  • Supervisory authority. You have the right to lodge a complaint with your local data protection authority.

7.2 CCPA (California users)

If you are a California resident, you have the rights described in §6 (the CCPA labels them: Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing, Right to Limit Use of Sensitive Information, Right to Non-Discrimination). Specifically:

  • No sale or sharing. Homaic does not sell or share (in the CCPA sense) your personal information. There is no opt-out flow because there is nothing to opt out of.
  • Sensitive personal information. Homaic limits its use of sensitive personal information (which under the CCPA can include precise geolocation and account credentials) to providing the Service you requested.
  • Authorized agent. You may submit requests through an authorized agent; Homaic will verify the authorization.
  • No discrimination. Homaic does not discriminate against you for exercising any CCPA right.

8. Cookies and similar technologies

Homaic uses the minimum cookies required to keep you signed in:

  • Authentication session cookies (essential): track your authenticated session. Without these, you cannot log in.
  • CSRF protection tokens (essential): prevent cross-site request forgery.

Homaic does not use third-party advertising cookies, tracking pixels, or fingerprinting techniques. If a future analytics cookie is introduced (see §1.2), it will be disclosed in this Policy and the analytics surface will be disclosed before activation. [LAWYER REVIEW NEEDED] — GDPR-style cookie consent banner is on the v1.x roadmap; until then, the only cookies set are the strictly-necessary set above.

9. Changes to this Policy

Homaic may update this Privacy Policy from time to time. For material changes, Homaic will give you at least 30 days' notice by email and in-product notice before the change takes effect. The version history is maintained at /privacy and in the source repository.

If a material change affects how Homaic processes your existing data, the change does not take retroactive effect on data already collected without your consent. If you do not accept a material change, your remedy is to terminate your account before the change takes effect (Terms §3.5).

10. Contact

  • Privacy questions: privacy@homaic.io
  • GDPR / DPO: dpo@homaic.io
  • Legal notices: legal@homaic.io
  • Security disclosures: security@homaic.io

Mailing address: [LAWYER REVIEW NEEDED] — Homaic, Inc., registered address in Colorado, USA, to be inserted at incorporation.

Version history

  • 0.1 — 2026-05-07 — Initial pre-lawyer-review draft, authored as part of Phase 5 Sub-Session 5B.psi. Reflects homaic-charter v1.2 §6.1 (privacy is structural) and homaic-foundation-standards v1.1 §2 (data classification + user rights). Pending counsel review before public launch.