BETA — Open to testers. Tell us what to fix on @vomehome or via a tester code.

Privacy Policy

Last reviewed: May 2026 · Effective immediately for the soft-launch period.

This policy describes what personal data VomeHome collects when you use the service at portal.vome.io and the hosted Home Assistant instances we provide, why we collect it, how long we keep it, and the rights you have under UK GDPR (and the equivalent EEA GDPR).

1. Who we are

VomeHome is operated by Konhas Ltd ("we", "us"), a UK-registered company. If you have any questions about this policy or the data we hold about you, contact privacy@vome.io.

2. What we collect

GitHub profile data (when you sign in)
Your numeric GitHub user id, username, display name, primary email address, and the date your GitHub account was created. The creation date is used to apply the soft-launch trial gate.
Account & service data
The servers you create, their tier, status, container assignment, HomeLink subnets and peer keys, custom domain settings, trial end timestamp, and any promo codes you have redeemed.
Audit & abuse data
Activity log entries (which routes you triggered, which servers you logged into, when promos were redeemed). The IP address used at sign-in and at promo-code redemption.
Operational data on your HAOS VM
Each Home Assistant instance is your own VM. The configuration, automations, history, recordings, and device data inside it are your data. We do not copy them out for our own use; we retain disk images while your service is active and during the grace window after a trial expires.
Billing data (when payments go live)
Once paid plans launch, your billing provider (likely Stripe) processes payment details directly. We store only the subscription identifier, plan tier, and renewal status — never full card numbers.
Optional contact data
If you ask us to email you when paid plans launch, we store the email address you provide for that one purpose, with consent.

3. Why we collect it & legal basis

PurposeLawful basis
Provide the hosted HA serviceContract performance
Bill you (when payments are live)Contract performance
Detect abuse, prevent fraud, run audit logsLegitimate interest
Apply the GitHub-age trial gateLegitimate interest (preventing throwaway-account abuse during soft launch)
Send "paid plans launching" notificationConsent
Comply with legal obligations (e.g. tax records)Legal obligation

4. How long we keep it

  • Account records — for as long as your account exists, plus a short retention window after closure for fraud prevention.
  • Suspended HAOS disks — retained for the configured grace period (currently 14 days) after a trial expires, then purged.
  • Activity / audit logs — up to 12 months.
  • Backups you opt to take — follow your server's configured retention settings; you can delete them at any time.
  • Billing records — kept for the period required by tax / accounting law (typically up to 7 years).

5. Who we share it with

We do not sell your data. The sub-processors we may share specific data with:

  • GitHub — handles authentication when you sign in.
  • Hosting providers — operate the physical hardware our portal and HA hosts run on (within the UK / EEA where possible).
  • Stripe (when payments go live) — processes card/SEPA payments. Stripe acts as an independent data controller for payment details.
  • Email transactional provider — sends service and security emails (e.g. login notifications, scheduled maintenance notices) when configured.

We may disclose data when legally required to do so (court order, lawful request from a regulator). We will tell you when this happens unless legally prevented from doing so.

6. International transfers

The portal and HA host servers are operated within the UK / EEA where possible. GitHub, Stripe, and similar providers may process data in the US — these transfers rely on the UK International Data Transfer Agreement / EU Standard Contractual Clauses as appropriate.

7. Your rights

Under UK GDPR you can:

  • Access the personal data we hold about you ("right of access").
  • Ask us to correct inaccurate data.
  • Ask us to delete your account and personal data ("right to erasure"). Some records (e.g. billing) may be retained under legal obligation.
  • Object to processing based on legitimate interest.
  • Withdraw any consent-based processing at any time, without affecting prior lawful processing.
  • Request a portable export of your data.
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EEA supervisory authority.

To exercise any of these, email privacy@vome.io. We aim to respond within one calendar month.

8. Cookies

We use a small number of strictly-necessary cookies for sign-in (session cookie) and CSRF protection. We do not use advertising or cross-site tracking cookies. If we ever introduce optional analytics, you'll see a consent prompt first.

9. Security

The technical controls we apply (TLS, isolated VMs, HomeLink encryption, audit logs, rate limiting, etc.) are summarised on our Security page. No system is impervious; if you discover a vulnerability, please email security@vome.io rather than posting it publicly.

10. Changes to this policy

We'll update this page as the service evolves. Significant changes will be highlighted on the dashboard. The date at the top of this page is always current.