1. Who We Are
HomeOS is operated by The Good Design Practice Ltd ("we", "us", "our"), a company registered in England and Wales. We are the data controller responsible for your personal data.
Contact: privacy@ourhomeos.app
2. What Data We Collect
We collect the following categories of personal data:
Account Information
- Email address — used for authentication, account recovery, and essential service communications
- Display name — shown to other members of your household
- Authentication tokens — for Apple Sign-In, Google Sign-In, or email OTP verification
Financial Data
- Bank account balances and transactions — retrieved via read-only Open Banking APIs (TrueLayer, Tink, Salt Edge, Finverse). We never see or store your bank login credentials.
- Budget settings — category limits and targets you set within the app
Calendar Data
- Calendar events — synced from Google Calendar or Microsoft Outlook when you choose to connect your calendar. OAuth tokens are stored locally on your device in encrypted storage (Keychain).
Household Data
- Tasks, events, and household settings — created by you and your household members within the app
Device Information
- Push notification token — an anonymous device identifier used solely to deliver push notifications you have opted into
- Notification preferences — your per-category notification settings and quiet hours
3. How We Use Your Data
We use your data exclusively to provide and improve the HomeOS service:
- Provide the service — displaying financial summaries, budgets, calendars, and tasks to you and your household members (subject to your visibility settings)
- Transaction categorisation — we use Ntropy (a third-party AI service) to automatically categorise your transactions with merchant names, logos, and spending categories. Transaction data sent to Ntropy is processed in accordance with their privacy policy and is not used to train AI models.
- Notifications — sending push notifications you have opted into (daily agendas, task reminders, spending alerts, budget warnings)
- Security — protecting your account and detecting fraudulent activity
4. What We Do NOT Do
- We do not sell your personal data to any third party
- We do not use your data for advertising or ad targeting
- We do not share your data with third parties for their marketing purposes
- We do not track you across other apps or websites
- We do not store your bank login credentials — all bank authentication happens directly with your bank
5. Third-Party Services
We use the following third-party services to operate HomeOS:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, and backend infrastructure | All account and household data (hosted in AWS ap-northeast-2) |
| TrueLayer | UK/Ireland Open Banking | Bank account access tokens (we never see your bank password) |
| Tink | EU/Nordic Open Banking | Bank account access tokens |
| Salt Edge | Global Open Banking | Bank account access tokens |
| Finverse | Asia-Pacific Open Banking | Bank account access tokens |
| Ntropy | Transaction categorisation and enrichment | Transaction descriptions and amounts (anonymised — no account identifiers) |
| Apple Push Notification service | Push notifications | Anonymous device token and notification content |
| Pexels | Lifestyle background images for onboarding | No personal data |
6. Data Sharing Within Your Household
HomeOS is designed for shared household use. When you join a household, other members can see:
- Your display name
- Tasks assigned to you or created by you
- Calendar events you create
- Financial data from your linked accounts — subject to your visibility settings:
  - Full — other members see your account balance and all transactions
  - Summary Only — other members see your account balance but not individual transactions
  - Private — the account is completely hidden from other members
You can change your visibility settings at any time in Profile → Linked Accounts.
7. Data Security
- All network communications use TLS 1.2/1.3 encryption
- Bank access tokens are stored in Supabase Vault (encrypted at rest)
- Calendar OAuth tokens are stored locally on your device using iOS Keychain (via Expo SecureStore)
- Biometric authentication (Face ID / Touch ID) is available to protect app access
- Row-Level Security (RLS) is enabled on all database tables, ensuring you can only access data belonging to your household
8. Data Retention
- Account data — retained while your account is active. Deleted within 30 days of account deletion.
- Transaction data — retained while your bank account is linked. Removed when you unlink the account or delete your account.
- Push notification tokens — automatically marked inactive when you sign out or uninstall the app.
- Deferred deep links — automatically deleted after 48 hours via scheduled cleanup.
9. Your Rights (UK GDPR)
Under UK data protection law, you have the right to:
- Access your personal data — request a copy of the data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restrict processing — limit how we use your data in certain circumstances
- Object — object to processing of your data
- Withdraw consent — where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, email privacy@ourhomeos.app. We will respond within 30 days.
10. Children's Privacy
HomeOS is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@ourhomeos.app and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of HomeOS after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, contact us at: