Privacy Policy

Introduction

Homer is a privacy-first home automation system. This privacy policy describes how we handle your data, both on the central server (myhomer.nl) and on your local Homer server. Homer is a product of Homer B.V., based in the Netherlands.

Core principle: Your data stays with you. The Homer server runs on your own hardware and all your personal data is stored locally. Our central server acts exclusively as a connection broker.

1. What data do we process?

Central server (myhomer.nl)

We store only what is necessary for the system to function:

  • Your username
  • Your Homer installation's unique ID
  • Technical connection data (temporary, for establishing connections)
  • License information (Homer Identity Token)
  • Payment details for module purchases (via Mollie, see section 6)

We store no passwords, personal files, home automation data, financial data, or other content.

Your Homer server (local)

All operational data stays on your own hardware:

  • Home automation data (temperature, energy, devices)
  • User accounts and passwords
  • Financial data and bank transactions
  • Documents, notes, and calendar
  • All other personal data

We have no access to this data, unless you explicitly allow it.

2. Bank data and Open Banking (PSD2)

Homer offers the ability to link bank accounts via Enable Banking, a licensed Account Information Service Provider (AISP) under the European PSD2 directive. Below we explain how this works and how your financial data is protected.

What is retrieved?

  • Account information (IBAN, name, currency)
  • Account balances
  • Transaction history (debit/credit, amount, description, date)

Homer has read-only access. No payments can be made, and no changes can be made to your bank account.

How is it stored?

  • All bank data is stored exclusively locally on your Homer server
  • Data is stored in an encrypted SQLite database
  • The central server (myhomer.nl) stores no bank data
  • The central server acts only as an OAuth redirect during the authorization procedure

Authorization and consent

  • You give explicit consent at your bank via the PSD2 Strong Customer Authentication (SCA) process
  • Consent is valid for a maximum of 90 days and can be revoked at any time
  • You choose which accounts to link
  • You can remove a connection at any time from Homer

Enable Banking as service provider

  • Enable Banking Oy is registered as an AISP with the Finnish Financial Supervisory Authority (FIN-FSA)
  • Enable Banking processes your bank data exclusively as an intermediary to request data from your bank
  • Enable Banking does not store transaction data after forwarding
  • More information: enablebanking.com/privacy

3. How do we use your data?

The data on the central server is used exclusively for:

  • Connection management: establishing the connection between you and your Homer server
  • License verification: validating your Homer Identity Token
  • Updates: making software updates available
  • Payments: processing module purchases via Mollie
  • OAuth redirect: forwarding bank authorizations to your Homer server

We do not use your data for profiling, advertising, or sale to third parties.

4. Sharing with third parties

We do not share your data with third parties, with the exception of:

  • Mollie B.V. — for processing payments for module purchases. Mollie processes your payment data in accordance with their own privacy policy.
  • Enable Banking Oy — as a technical intermediary for retrieving bank data via PSD2. Enable Banking processes your data in accordance with their own privacy policy.

In both cases, the third party acts as a processor, not as a recipient of your data. The central server does not store financial data.

5. Security

  • All connections between your browser, Homer server, and central server use HTTPS/WSS (encrypted)
  • The central server uses Helmet.js security headers and HSTS
  • License tokens are signed with Ed25519 cryptography
  • Passwords are stored exclusively locally and are never visible to the central server
  • Bank connections use RS256 JWT for authentication with Enable Banking
  • OAuth state tokens are single-use and expire after 10 minutes

6. Payments

When purchasing Homer modules, we process payments via Mollie. The following applies:

  • We do not store credit card numbers or bank details
  • Mollie processes the payment and only sends us a confirmation
  • Payment status is temporarily stored (maximum 24 hours) for idempotency

7. Your rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

Access and correction

You can request access to the data we store on the central server at any time, and have it corrected.

Deletion

You can request deletion of your data on the central server. Data on your local Homer server is managed by you.

Withdrawal of consent

Bank connections can be removed from Homer at any time. Consent for data processing can be withdrawn at any time.

To exercise your rights, contact us at privacy@myhomer.nl.

8. Cookies

The central server (myhomer.nl) uses exclusively functional cookies:

  • adminToken: authentication cookie for administrators (session)
  • homerToken: authentication cookie for Homer connections (session)

We do not use tracking cookies, third-party analytics cookies, or advertising cookies.

9. Retention periods

  • Central server: registration data is retained as long as your account is active
  • OAuth state tokens: maximum 10 minutes (automatically deleted)
  • Payment data: maximum 24 hours for in-transit payments, then only purchase confirmations
  • Local Homer data: up to 10 years by default, configurable by you

10. Changes

We may update this privacy policy to reflect changes in our practices or legal requirements. We will inform you of material changes.

Contact

Questions about this privacy policy? Contact us: