Privacy Policy
Effective date: March 23, 2026
Last updated: March 24, 2026
Your privacy is critically important to us. At Vulpo, we have a few fundamental principles:
- We don't ask you for personal information unless we truly need it.
- We don't share your personal information with anyone except to comply with the law, develop our products, or protect our rights.
- We don't store personal information on our servers unless required for the ongoing operation of one of our services.
- Your Home Assistant data stays between your device and your Home Assistant instance. We never see it, store it, or have access to it.
If you have questions about deleting or correcting your personal data, please contact us at [email protected].
1. Who We Are
Vulpo ("the App") is developed and operated by:
Joshua Dessol Design
Ehmannstr. 80-82
70191 Stuttgart, Germany
Email: [email protected]
We are the data controller responsible for the processing of your personal data as described in this policy.
2. What Data We Collect and Why
For each type of data we collect, we explain what it is, why we collect it, and on what legal basis under the EU General Data Protection Regulation (GDPR).
2.1 Home Assistant Connection
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
Vulpo connects directly to your Home Assistant instance. All entity data, sensor readings, automations, camera feeds, and service calls travel between your device and your server. None of this data passes through our infrastructure.
Your Home Assistant authentication token is stored exclusively in your device's encrypted iOS Keychain. It is never synced to iCloud, never sent to our servers, and never shared with third parties.
2.2 Push Notifications
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
When your Home Assistant instance sends a push notification, it is relayed through our Cloudflare Worker (push.vulpo.app) to Apple's Push Notification Service (APNs). The notification content (entity names, states) passes through our relay transiently and is not stored. Content values are redacted in our server logs (numbers are preserved, text is replaced with "***").
2.3 Crash Reports and Performance Monitoring
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in maintaining app stability and fixing bugs.
When the app crashes or encounters an error, an anonymous report is sent to Sentry (Functional Software GmbH, Germany). This includes:
- Stack trace, device model, OS version, and app version
- Performance traces (app launch time, slow operations)
What we explicitly prevent from being sent:
- No user identity is ever attached (we strip it in code)
- No IP address is stored (disabled via sendDefaultPii = false)
- No Home Assistant server URLs (HTTP breadcrumb URLs are redacted before transmission)
- No entity names or sensor data
Data is stored in Sentry's EU data center in Frankfurt, Germany, and transmitted through our first-party tunnel (sentry.vulpo.app) so it never touches third-party tracking infrastructure.
Opt-out: Settings > Privacy > Analytics & Diagnostics.
2.4 Anonymous Product Analytics
Legal basis: Consent (Art. 6(1)(a) GDPR), granted via Settings > Privacy > Analytics & Diagnostics.
We use PostHog (PostHog Inc, EU Cloud) to understand how features are used, for example which card types are most popular or where users get stuck during onboarding. This includes:
- Event names with generic properties (e.g., "card_added" with type "climate")
- Device model and OS version
- App lifecycle events (opened, backgrounded)
What we explicitly do NOT collect:
- Entity names, IDs, or states
- Server URLs or IP addresses (IP discard is enabled on our PostHog project, meaning your IP address is never stored)
- Any data that could identify you or your home. We never call identify(). PostHog generates an anonymous device identifier that is not linked to your identity.
Analytics are proxied through our first-party domain (analytics.vulpo.app) and stored on PostHog's EU infrastructure. Screen recording, autocapture, and element interaction tracking are all disabled.
Opt-out: Settings > Privacy > Analytics & Diagnostics.
2.5 Subscriptions
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
In-app purchases and subscriptions are processed by RevenueCat (RevenueCat Inc, US). RevenueCat receives:
- An anonymous app user ID (generated by your device)
- Purchase receipts from the Apple App Store
- Subscription status and renewal information
RevenueCat does not receive your name, email, or any Home Assistant data. See RevenueCat's Privacy Policy.
2.6 AI Features
Legal basis: Contract performance (Art. 6(1)(b) GDPR). You initiate each AI request.
Optional AI features (plant insights, daily summaries, entity suggestions, dashboard organization) send requests to Anthropic (Anthropic PBC, US) through our Cloudflare AI Gateway proxy. The proxy validates your subscription status and enforces usage limits.
AI requests may include entity names and states that you choose to analyze. This data is processed in real time and is not stored by us or Anthropic after the response is generated.
Opt-out: Do not use AI features. Individual AI features can be disabled in Settings.
2.7 Dashboard Sync
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
Your dashboard configurations (card layouts, settings) sync across your devices via Apple's CloudKit private database (iCloud). This data is governed by Apple's Privacy Policy. We do not have access to your iCloud data.
Opt-out: iOS Settings > [Your Name] > iCloud > Vulpo.
3. What We Do NOT Collect
To be clear, Vulpo does not collect:
- Your name, email address, or account credentials
- Your Home Assistant server URL or IP address
- Entity names, states, or sensor readings (except when you voluntarily use AI features)
- Camera feeds or media content
- Your location
- Browsing history or usage patterns outside the app
- Any data that could identify you personally or your household
We do not sell or share your personal information with anyone for advertising, marketing, or any other commercial purpose.
4. How We Anonymize Diagnostic Data
Even when you opt in to Share Diagnostics, we go to significant lengths to ensure no personally identifiable information leaves your device. Vulpo includes a dedicated anonymization layer (LogAnonymizer) that processes every diagnostic log entry before it is transmitted:
- Entity IDs are irreversibly hashed — only the domain is preserved (e.g., sensor.bedroom_temp becomes sensor.a3f8)
- Display names (entity friendly names, monitor names, person names) are replaced with *** before transmission
- Server URLs and IP addresses are stripped to scheme and port only (e.g., http://***:8123)
- GPS coordinates and street addresses from location features are never included in logs
- Automation identifiers that embed entity names are redacted while preserving the type suffix needed for debugging
- Push notification content is redacted server-side — numeric values are preserved for debugging, but all text is replaced with ***
This anonymization is applied consistently across both the iOS app and our server-side push relay. The system is designed so that even if a developer inspects the raw Sentry logs, they cannot determine your identity, home address, entity names, or server location.
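The following is an added illustration of the redaction rules listed above, written for this page and not taken from Vulpo's LogAnonymizer. The function names, the log entry fields, and the use of an HMAC keyed with a per-install secret are assumptions; the sample entry is constructed.

```javascript
// Added example: not Vulpo's LogAnonymizer. All names here are hypothetical.
const { createHmac } = require("node:crypto");

// Entity IDs: keep the domain, replace the object id with a short keyed digest.
// Assumption: installKey is a random per-install secret, so the 4-hex-char
// digest cannot be matched against a precomputed list of common entity IDs.
function anonymizeEntityId(entityId, installKey) {
  const dot = entityId.indexOf(".");
  if (dot <= 0) return "***"; // not "domain.object_id": redact entirely
  const digest = createHmac("sha256", installKey).update(entityId).digest("hex");
  return `${entityId.slice(0, dot)}.${digest.slice(0, 4)}`;
}

// Server URLs: keep scheme and explicit port, drop host, path, query, credentials.
function redactUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return "***"; }
  return `${url.protocol}//***${url.port ? ":" + url.port : ""}`;
}

// Free text (display names, notification bodies): numbers survive, text does not.
function redactText(value) {
  return String(value)
    .split(/(-?\d+(?:\.\d+)?)/)            // odd indexes are the numeric captures
    .map((part, i) => (i % 2 ? part : part.trim() ? "***" : ""))
    .filter(Boolean)
    .join(" ");
}

// Apply the rules to one log entry before it is queued for upload.
function anonymizeEntry(entry, installKey) {
  return {
    entity_id: anonymizeEntityId(entry.entity_id, installKey),
    friendly_name: "***",
    server: redactUrl(entry.server),
    message: redactText(entry.message),
  };
}

// Constructed sample entry, not real data.
const sample = {
  entity_id: "sensor.bedroom_temp",
  friendly_name: "Bedroom Temperature",
  server: "http://192.168.1.20:8123/api/states",
  message: "Bedroom temperature is 23.5",
};
console.log(anonymizeEntry(sample, "constructed-install-key"));
```

Because digits are preserved by design, a display name that itself contains a number (for example a room number) would leak that number, so names are replaced wholesale rather than passed through the text rule.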
5. Data Processors
We use the following third-party services to operate Vulpo. Each processes data only as described above and under appropriate contractual safeguards.
| Processor | Purpose | Data Region | Transfer Safeguard |
|---|---|---|---|
| Sentry (Functional Software GmbH) | Crash reports, performance | EU (Frankfurt) | EU processor |
| PostHog Inc | Anonymous analytics | EU | EU processor |
| RevenueCat Inc | Subscription management | US | DPF + SCCs |
| Cloudflare Inc | AI proxy, push relay, tunnels | Global (EU/US) | DPF + SCCs |
| Anthropic PBC | AI inference | US | DPF |
| Apple Inc | iCloud sync, push notifications | Per Apple policy | DPF + SCCs |
6. International Data Transfers
Sentry and PostHog process data exclusively within the European Union. For US-based processors (RevenueCat, Anthropic, Cloudflare, Apple), transfers are protected by the EU-US Data Privacy Framework (DPF) and, where applicable, Standard Contractual Clauses (SCCs) as approved by the European Commission.
7. How to Opt Out
You can independently control crash reports and analytics at any time:
- Open Vulpo and go to Settings > Privacy > Analytics & Diagnostics
- Toggle off "Crash Reports" to disable all Sentry data collection
- Toggle off "Product Analytics" to disable all PostHog data collection
When disabled, the respective SDK is fully shut down and no events leave your device. You can disable one, both, or neither.
The following services cannot be individually opted out of while using their features, because they are necessary for the feature to function:
- RevenueCat (required for subscriptions and in-app purchases)
- CloudKit (required for cross-device dashboard sync; can be disabled in iOS Settings)
- Push notifications (required for Home Assistant alerts; can be disabled in iOS notification settings)
- AI features (each feature can be individually disabled in Settings)
8. Your Rights
European Economic Area (GDPR)
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access - Request a copy of any data associated with your anonymous device identifier
- Rectification - Request correction of inaccurate data
- Erasure - Request deletion of your data from Sentry and PostHog
- Restriction - Request that we limit processing of your data
- Portability - Receive your data in a machine-readable format
- Objection - Object to processing based on legitimate interest (equivalent to using the opt-out toggle)
- Withdraw consent - You can withdraw your consent for analytics at any time via Settings > Privacy > Analytics & Diagnostics
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority. Our supervisory authority is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg.
California Residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale or sharing. We do not sell or share your personal information. You can exercise your right to opt out of analytics by using the Share Diagnostics toggle in the app.
9. Data Retention
- Sentry: Error events are retained for 90 days, then automatically deleted.
- PostHog: Anonymous analytics events are retained for trend analysis. Since no personally identifiable information is collected, these events cannot be linked to any individual.
- RevenueCat: Purchase records are retained as required for subscription management and financial compliance.
- CloudKit: Dashboard data is retained until you delete it or disable iCloud sync for Vulpo.
10. Data Stored on Your Device
The Sentry and PostHog SDKs store small amounts of data on your device (anonymous session identifiers, queued events). This data is cleared when you disable the respective toggle in Settings > Privacy > Analytics & Diagnostics. Your Home Assistant authentication tokens are stored in the encrypted iOS Keychain and are never synced to iCloud or shared with third parties.
11. Children's Privacy
Vulpo is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided data to us, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated through the App or on this page. The "Last updated" date at the top reflects the most recent revision. Your continued use of the App after changes constitutes acceptance of the updated policy.
13. Contact
For privacy questions, data requests, or concerns:
Joshua Dessol Design
Ehmannstr. 80-82
70191 Stuttgart, Germany
Email: [email protected]
Change Log
- March 24, 2026: Added section 4 (How We Anonymize Diagnostic Data) detailing our LogAnonymizer system.
- March 23, 2026: Initial version.