HomeHQ

Privacy

HomeHQ Privacy Policy

Last updated: May 17, 2026

Summary

  • We never sell your data and never use it for advertising.
  • We never train AI models on your household's content. Our AI processors operate under zero-retention agreements.
  • Email and inbox scanning is opt-in per inbox and scoped to domains you choose. GroupMe is opt-in per group — never your direct messages. We never request SMS or iMessage access.
  • You can export or delete everything at any time.

Who we are

HomeHQ ("HomeHQ," "we," "us") is the service available at homehqapp.com. Contact us any time at hello@homehqapp.com.

Information we collect

  • Account info. Your email address (required for sign-in via magic link), display name, and — if you opt into SMS — a phone number you provide. We do not use passwords.
  • Household content. Tasks, lists, list items, calendar events, house manual entries, medical records, and photos you upload. Members you add (partner, kids, caregivers) including the display name and color you set for each.
  • Connected accounts. When you connect Google Calendar, Gmail, Apple iCloud, Microsoft Outlook, or GroupMe, we store an encrypted access token so we can sync on your behalf. We only request the scopes strictly needed (calendar events, narrowly-scoped email read access, or per-group message read access).
  • Voice recordings. Audio you record in the "Voice task" tool is sent to OpenAI's Whisper API for transcription, then discarded. We do not retain the audio after transcription.
  • Photos. Photos you attach to tasks, manual entries, or medical records are stored with unguessable URLs in Vercel Blob. They are not indexed publicly.
  • Payment info. Billing is handled by Stripe. We never see or store your card number; we only store the Stripe customer and subscription identifiers so we can match a payment to your household.
  • Operational logs. Standard request logs (IP, user agent, timestamp), used for security and debugging. Retained ~30 days.
  • Cookies. A single session cookie that keeps you signed in. No third-party advertising or tracking cookies.

How we use it

Everything we collect is used only to run HomeHQ for you — to show your tasks and calendar, sync to your connected accounts, generate the daily brief, extract tasks from inputs you voluntarily provide (a photo, a voice memo, an email in an inbox you connected), deliver notifications you opted into, and process your subscription. We do not use household content for advertising, marketing, or training third-party models.

AI processing

HomeHQ uses two AI providers to power features you trigger: Anthropic (Claude) for extracting tasks from photos and emails and for composing daily briefs, and OpenAI (Whisper) for voice transcription. Both providers process content under zero-data-retention terms — they do not retain your inputs after the response is returned, and your content is not used to train their models. Every AI suggestion is shown to you as a draft you confirm before it touches your calendar or task list.

Email scanning is opt-in and scoped

If you connect an inbox (Gmail or Outlook), HomeHQ only reads email from sender domains you add to your scope filter — for example your school, doctor, sports league, or daycare. We never read marital, financial, or therapeutic correspondence, and we never scan email outside the domains you authorized. You can disconnect an inbox at any time in /settings/inbox.

We never request SMS or iMessage access on any platform.

GroupMe scanning is per-group opt-in

If you connect GroupMe, HomeHQ only scans the specific groups you check (e.g., the school class group, your kids' sports team chat). All groups are off by default. We never scan your DMs, and we never scan groups you didn't explicitly authorize. You can disconnect GroupMe entirely or revoke specific group access at any time from /settings/groupme.

Google user data (Gmail & Google Calendar)

HomeHQ's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • What we access. With the Gmail scope (gmail.readonly), HomeHQ reads messages only from the specific sender domains you add to your scope filter — never your whole mailbox. With the Calendar scope (calendar.events), HomeHQ reads your events to show them in your brief and writes the events you confirm to the calendar you choose.
  • How we use it. Solely to provide user-facing features you enabled: extracting tasks/reminders from in-scope email and two-way calendar sync. Nothing else.
  • Limited Use. We do not use Google user data for advertising, do not sell it, do not transfer it except as needed to provide these features (to our AI subprocessor under zero-retention terms), and do not use it to train generalized AI/ML models. Humans do not read it except with your explicit consent, for security, or as required by law.
  • Control. Disconnect Gmail at /settings/inbox or Google Calendar at /settings/calendars at any time; you can also revoke access from your Google Account. On disconnect we delete the stored Google token.

Mobile information (SMS)

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subprocessors below excludes mobile opt-in data — phone numbers and SMS consent records are used solely to deliver the daily brief you opted in to receive, and are never shared, sold, rented, or otherwise transferred to any third party for marketing, advertising, or any unrelated purpose. SMS opt-in is optional and can be revoked at any time by replying STOP to any HomeHQ SMS or toggling SMS off in /account.

Subprocessors

These vendors process small slices of your data on our behalf, each under their own contractual privacy commitments:

  • Vercel — application hosting and photo storage (Vercel Blob).
  • Neon — managed Postgres database (US region).
  • Resend — transactional email delivery (sign-in links, daily brief, invitations).
  • Twilio — SMS delivery for the morning brief (only if you opt in).
  • Anthropic — AI task extraction and brief composition. Zero data retention.
  • OpenAI — voice transcription (Whisper) only, no chat or image models.
  • Stripe — payment processing for paid subscriptions.
  • Google — only if you connect Google Calendar or Gmail. Scopes limited to what each feature needs.
  • Apple iCloud — only if you connect Apple Calendar (CalDAV).
  • Microsoft Graph — only if you connect Outlook.
  • GroupMe(a Microsoft service) — only if you connect GroupMe. We only read messages from the specific groups you authorize. We never read DMs or messages from groups you haven't toggled on.
  • Amazon Alexa — only if you enable the HomeHQ skill. Linked accounts receive an opaque access token; Amazon never sees your household content directly — it sends voice intents that our servers fulfill.

Security

Traffic is encrypted in transit (TLS). Sensitive fields — OAuth refresh tokens, SMS subscriber details — are encrypted at rest with AES-256-GCM using a key stored separately from the database. We use magic-link sign-in only; we do not store passwords, which removes the largest class of breach risk.

Data breach notification

No system is perfectly secure. If we discover a data breach affecting your personal information, we will notify affected users without undue delay and, where the breach is likely to create a risk to you, within 72 hours of discovery, in accordance with applicable law. The notice will describe what happened, what data was involved, and the steps we are taking in response.

Data retention

We keep your data as long as your account exists. When you delete your account from /account, your household, tasks, lists, calendar events, manual entries, medical records, photos, members, and connected-integration tokens are deleted within 30 days. Stripe retains billing records as required by US tax law. Operational logs roll off automatically after ~30 days.

Your rights

  • Access & export. Email us and we will provide a copy of your household's content in JSON within 30 days.
  • Correction. You can edit any field directly in the app.
  • Deletion. Delete your account from /account. Or email us to request deletion.
  • Opt-out. Disable any notification channel in /account → Notifications. Disconnect any integration in /settings.

Depending on your state of residence — including California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, and other states with comprehensive consumer-privacy laws — you may have additional rights to access, correct, delete, or port your personal information, and to opt out of its sale or sharing. We do not sell or share personal information and do not use it for targeted advertising, so there is nothing to opt out of. We nonetheless treat any Global Privacy Control (GPC) signal as a valid opt-out request.

If you live in the EU or UK, the GDPR rights of access, rectification, erasure, restriction, portability, and objection apply. To exercise any state- or country-specific right, contact us at hello@homehqapp.com and we will respond within the timeframe your law requires.

Children

HomeHQ accounts are for adults (13+). You can add children as members of your household — but a child member without their own login is purely a label (name, color, age if you provide it) that the adult account holder controls. We don't collect data from children directly. Parents and guardians are responsible for any information they add about their kids.

HomeHQ does not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact us at hello@homehqapp.com and we will delete it promptly.

Changes to this policy

If we make material changes, we'll email everyone with an active account and post the change here with an updated date.

Contact

HomeHQ · hello@homehqapp.com · homehqapp.com