Privacy Policy
Last updated: 1 April 2026
Home8 respects your privacy. We only collect data that is necessary to provide our service. We do not sell your data, we do not use tracking or analytics, and we do not show advertisements. All personal data is encrypted at rest — even in the event of a database breach, your data remains unreadable.
Data controller
How we protect your data
We take data protection seriously. Here is exactly how we safeguard your information:
- Encryption at rest — All personal data (email, name, phone, address, company details, WiFi credentials, Home Assistant URLs and tokens, device API keys) is encrypted using AES-256-GCM before being stored in our database. Even if someone gains access to our database, they cannot read your data without the encryption key, which is stored separately and never in the database.
- No IP addresses stored by Home8 — We do not store your IP address in our database or log files. Not in login sessions, not in device heartbeats, nowhere. Our site is served through Cloudflare, which processes your IP address for CDN delivery and security protection (DDoS mitigation). Cloudflare acts as a data processor under their DPA and retains limited connection data according to their privacy policy.
- No browser fingerprinting — We do not store your browser type, operating system, screen resolution, or any other device fingerprint.
- Passwords are hashed — Your password is stored as a one-way bcrypt hash. We cannot see or recover your password.
- Session tokens are hashed — Login session identifiers are stored as SHA-256 hashes. Even database access does not allow session hijacking.
- Searchable fields use blind indexes — To allow email login lookups without storing your email in plaintext, we use HMAC-SHA256 blind indexes. These are one-way hashes that allow us to find your account but cannot be reversed to reveal your email.
- No tracking, no analytics — We do not use Google Analytics, Facebook Pixel, or any other tracking service. We use strictly functional cookies only.
What data we collect
| Data | Purpose | Protection |
|---|---|---|
| Email address | Account login, notifications | AES-256-GCM encrypted + blind index for login |
| Name, phone, address | Account profile, invoicing | AES-256-GCM encrypted |
| Company name, VAT number | B2B billing | AES-256-GCM encrypted |
| Password | Authentication | Bcrypt hash only — we cannot see your password |
| WiFi network name & password | Device firmware generation | AES-256-GCM encrypted |
| Home Assistant URL & token | Smart home integration | AES-256-GCM encrypted |
| Device API keys | Secure device communication | AES-256-GCM encrypted + blind index |
| Screen layouts | Design storage & compilation | Until screen deletion |
| Payment data | Billing | Processed by Stripe — we don't store card numbers |
We do not collect or store: IP addresses, browser fingerprints, user agents, location data, tracking identifiers, or any data not listed above.
Legal basis
- Contract performance (Art. 6(1)(b) GDPR) — to provide the Home8 service you signed up for
- Legitimate interest (Art. 6(1)(f) GDPR) — security, fraud prevention, service improvement
- Consent (Art. 6(1)(a) GDPR) — marketing communications (if any, opt-in only)
Cookies
We use strictly functional cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
home8_session | Login session | 30 days |
home8_admin | Admin session | Session |
home8_lang | Language preference | 1 year |
home8_csrf | Form security | Session |
No tracking cookies. No third-party cookies. No analytics.
Third-party processors
| Service | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, DNS | EU/US (DPA) |
| Stripe | Payment processing | EU/US (SCCs) |
| Migadu | Email delivery | Switzerland |
Data retention
Your data is stored for as long as your account is active. When you delete your account, all personal data is permanently removed within 30 days. Anonymised billing records may be retained for legal obligations (Belgian tax law: 7 years).
Your rights
Under the GDPR you have the right to:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — delete your account and all data
- Portability — export your data in a machine-readable format
- Restriction — limit how we process your data
- Objection — object to processing based on legitimate interest
- Complaint — file a complaint with the Belgian Data Protection Authority (GBA)
You can exercise these rights from your account settings or by emailing privacy@home8.eu.
Contact
For privacy-related questions, contact us at privacy@home8.eu.