HomesRun holds the keys to your home. We treat them that way.
A complete home record means alarm codes, gate codes, lockbox combinations, and when a house sits empty. That is sensitive by any measure. This page states plainly how that information is protected, and is limited to controls HomesRun actually has in place today.
How your data is protected
An encrypted vault
Access codes, alarm, gate, lockbox, and similar credentials, are encrypted at rest with AES-256-GCM, an authenticated encryption standard. They are stored as ciphertext, not as readable text, and a tampered value fails to decrypt rather than returning corrupted data. The encryption key is held separately from the database.
Row-level tenant isolation
HomesRun is multi-tenant, and every account's data is fenced off in the database itself. Postgres row-level security is enforced on every tenant table, not only enabled but FORCED, so it applies even to privileged roles, and the application connects through a dedicated non-owner database role. One account cannot read another's rows.
Off-site backups
The production database is backed up daily: an automated dump is encrypted in transit and stored off-site in Cloudflare R2, separate from the primary database host, alongside the host provider's own volume snapshots. The restore procedure is documented so a recovery is a known, tested path rather than an improvisation.
Everyday security practices
Encrypted connections
All traffic between your browser or app and HomesRun travels over encrypted (TLS) connections.
Hashed passwords
Passwords are never stored in readable form. They are kept only as salted hashes, so a password cannot be recovered from our systems.
Account lockout
Repeated failed sign-in attempts on an email trigger a temporary lockout, blunting brute-force guessing.
Session revocation
Changing your password signs out every other device, so a password change locks out anything that should not be there.
Role-based access
Within an account, what each member, vendor, or guest can see and do is governed by their role, the housekeeper does not see what the house manager does.
Your data, exportable
You can export your account's data from inside the app, and delete individual records or your whole account. HomesRun does not hold your data hostage.
No system is perfectly secure, and HomesRun does not claim to be. What this page describes are the controls actually in force. We will keep it accurate as the product’s security posture changes.
We do not sell your data. Ever.
HomesRun has no data-resale business and never will. We do not sell, rent, or trade your personal information or your homes’ data to advertisers, data brokers, or anyone else. Whether you are on the free Home Record tier or a paid Home Agent plan, the deal is the same: you pay with a subscription, not with your data. For a product that holds your alarm codes, that is not a feature, it is the only acceptable arrangement.
Who else touches your data
Running HomesRun depends on a small set of trusted infrastructure providers (“sub-processors”). Each is bound by contract to protect your data and to use it only to deliver the Service. This is the current list; it is kept in step with the Privacy Policy.
- Fly.ioApplication hosting and the managed Postgres database that runs the Service.
- CloudflareContent delivery, object storage for uploaded files, off-site database backups, and protection against attacks.
- AnthropicAI processing. When you use the Home Agent, the prompt and the home data needed to answer it are sent to Anthropic to generate a response.
- ResendTransactional email, verification links, password resets, and notifications.
- TwilioText-message delivery for reminders and alerts, when you enable them.
- SentryError monitoring, receives technical error reports so problems are caught and fixed.
Reporting a security issue
If you believe you have found a security vulnerability in HomesRun, we want to hear about it. Email security@homesrun.com with the details. Please give us a reasonable window to investigate and address the issue before disclosing it publicly. We will not pursue action against good-faith research that respects user privacy and avoids degrading the Service.
Built to be trusted with the whole house.
Read the full legal detail, or start with the free Home Record tier.