Privacy Policy
Homebro processes data to provide the application and this website. This policy details the data collected, their purposes, retention periods, recipients, transfers, and your rights.
Data controller
| Information | Details |
|---|---|
| Entity | AMProd (represented by Axel Michel) |
| Address | 15 Rue du Mény, 44350 Guérande, France |
| Contact | [email protected] |
| DPO (if applicable) | Not appointed |
Processed data & purposes
| Data category | Examples | Purposes |
|---|---|---|
| Account & authentication | First name, last name, email, username, hashed password, language, Apple/Google SSO | Account creation and management, secure login, household management |
| Optional profile data | Birthday, phone number | Internal social features (birthday reminders, contact sharing) |
| Household data | Household address, preferences (language, currency), members | Mapping, organization, and sharing within the household |
| Notifications | Push token (APNs/FCM), notification preferences | Service notifications, reminders, and alerts |
| Sensors & biometrics (device) | Biometrics for local lock, gyroscope for animations | Local security and UX improvements (not stored server-side) |
| User-generated content (UGC) | Map points, recipes, contacts, access accounts, tasks, expenses, messages, stories, photos, documents | Providing core features within the household group |
| Internal mailbox | Automatically generated address, received messages | Internal sharing; members are responsible for received content |
| Subscriptions & billing | Subscription identifiers, receipts, status (RevenueCat / App Store / Google Play) | Premium management (monthly/yearly), access control, anti-fraud |
| Support & contact | Emails, attachments, technical metadata | Responding to requests and follow-up |
| Technical data | Server logs, IP addresses, device identifiers, error events | Security, diagnostics, abuse prevention |
Legal bases
- Contract performance: providing the app and household-related features (Terms / Sales Conditions).
- Legitimate interest: security, fraud prevention, service improvement, support.
- Legal obligation: accounting and tax obligations.
- Consent: optional data (e.g. birthday), non-essential trackers, notifications where required by the platform.
Retention periods
| Category | Duration |
|---|---|
| User account | Until account deletion + backups (30–90 days). |
| Household data | Lifetime of the household + 30–90 days (backups). |
| UGC (messages, files, stories…) | Until deletion by members or household deletion. |
| Subscriptions & billing | 10 years (accounting obligations – FR). |
| Support | Up to 24 months after closure (unless dispute). |
| Logs & security | 3 to 12 months depending on purpose. |
| Push tokens | Until device unsubscribes or token is revoked. |
Retention periods may vary depending on legal obligations and evidentiary needs in case of disputes.
Recipients / processors
We rely on service providers for hosting, media storage, subscriptions, and security.
| Provider | Service | Location | Safeguards |
|---|---|---|---|
| OVH SAS | Strapi backend, database, business email | EU (France) | EU processing, technical and organizational measures |
| Cloudinary Ltd | Media storage (photos, videos, documents) | USA/Global | Standard Contractual Clauses (SCC), security |
| Cloudflare, Inc. | Marketing site (Pages), CDN, security (Turnstile) | EU/USA | SCC and technical safeguards |
| RevenueCat | In-app subscription management (Apple/Google) | USA/Global | SCC + contractual controls |
| Apple (Sign in / APNs) | Apple SSO, iOS notifications | EU/USA | Apple rules + SCC where applicable |
| Google (Sign-In / FCM) | Google SSO, Android notifications | EU/USA | SCC + Google controls |
Transfers outside the EU
Some providers may process data outside the EU/EEA (e.g. USA): Cloudinary, Cloudflare, RevenueCat, Apple/Google. These transfers are governed by appropriate safeguards (Standard Contractual Clauses) and technical and organizational measures (encryption, access control).
Security
We apply reasonable measures: encryption in transit (TLS), access control, logging, environment separation. Biometrics are handled locally on your device and are not transmitted to our servers. In case of a major incident, we will notify as required by law.
Your rights
- Access, rectification, erasure
- Objection and restriction
- Data portability
- Post-mortem directives (France)
- Withdrawal of consent (non-essential trackers)
Exercise your rights: [email protected]
If you believe your rights are not respected, you may contact the competent authority (in France: CNIL).
Updates
We may update this policy due to legal or functional changes. In case of significant changes, appropriate notice will be provided (banner, email, etc.).