Our Security Approach
Heimro is designed with a security-first mindset. We combine secure infrastructure, strong encryption, application-level controls, and continuous monitoring to protect your data and maintain platform integrity.
- Infrastructure hardening — modern hosting providers, secure baselines, and isolated environments.
- Encryption & access control — encryption in transit and at rest, with strict least-privilege access.
- Monitoring & observability — centralized logging and alerting for unusual behavior and incidents.
Infrastructure & Data Hosting
Heimro runs on modern cloud infrastructure with a focus on isolation, resilience, and providers that maintain strong security and compliance practices.
- Supabase (Database & Auth): Core application data (accounts, properties, rooms, items, jobs) is stored in Supabase-hosted Postgres with built-in encryption at rest and regional hosting options. Supabase also provides our authentication and row-level security capabilities.
- Cloudflare R2 (File Storage): All images and files (room photos, receipts, AI-generated visuals, floor plans) are stored in Cloudflare R2 object storage. Supabase stores only metadata — URLs, ownership, and timestamps — never the file binaries themselves. Uploads are performed through short-lived signed URLs issued by our backend.
- Trigger.dev (Background Jobs): Scheduled and event-driven workflows — including daily price tracking, external data enrichment, and AI summarization — run on Trigger.dev. Trigger.dev holds no independent copy of application state: all results are persisted back to Supabase, and jobs are designed to be idempotent so that a retried or duplicated run does not produce duplicate writes.
- Lovable (App Platform & Hosting): The Heimro application is built and deployed using Lovable's platform. Lovable provides a managed environment for hosting frontend assets and coordinating deployments. According to Lovable's published security information, the platform is SOC 2 Type II and ISO 27001:2022 certified. These certifications relate to Lovable's platform and infrastructure, not a certification of Feynn AS itself.
- Redundancy & Backups: Databases are configured with managed backups and replication capabilities via Supabase to support recovery in the event of an infrastructure failure.
Application Security Controls
Authentication & Access Control
- Secure Authentication: Account login is managed through Supabase Auth with modern cryptographic password hashing and optional social login providers.
- Session Security: Sessions use short-lived JWT access tokens paired with refresh tokens. Access tokens expire quickly, which bounds the window in which a leaked token remains usable, and refresh tokens can be revoked to end a session.
- Least Privilege: Internal tools and services are granted the minimum necessary access to databases and secrets.
Multi-tenancy & Row Level Security
- Tenant Isolation: Every record in Heimro is scoped to a tenant, and Postgres Row Level Security is enforced on all tables to ensure users can only access data belonging to tenants they are members of.
- Policy-Backed Access: RLS policies are explicitly defined and reviewed to ensure correct partitioning between households.
- Service Role Separation: Sensitive operations run in server-side functions using service-role credentials. Because the service role bypasses Row Level Security, these credentials are held only on the server and are never shipped to the client.
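The following is an added illustration of the tenant-isolation pattern described above, not Heimro's actual schema or policies. The table names (tenants, tenant_members, rooms), the helper function is_tenant_member and the policy names are assumptions chosen for the example; it relies on Supabase conventions, where auth.uid() returns the calling user's id, the authenticated role is the browser client, and the service role bypasses RLS entirely.

```sql
-- Added example, not Heimro's schema. Table, function and policy names are
-- illustrative. Assumes Supabase conventions: auth.uid() is the caller's user
-- id, "authenticated" is the browser client role, service_role bypasses RLS.

create table tenants (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership: which users belong to which tenant (household).
create table tenant_members (
  tenant_id uuid not null references tenants(id) on delete cascade,
  user_id   uuid not null references auth.users(id) on delete cascade,
  primary key (tenant_id, user_id)
);

-- A tenant-scoped table: every row carries the tenant it belongs to.
create table rooms (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null references tenants(id) on delete cascade,
  name      text not null
);

-- One membership check reused by every policy. security definer lets it read
-- tenant_members as the function owner even though that table is RLS-protected;
-- the fixed search_path prevents object resolution being hijacked by the caller.
create function is_tenant_member(t uuid) returns boolean
language sql security definer stable
set search_path = public
as $$
  select exists (
    select 1 from tenant_members m
    where m.tenant_id = t and m.user_id = auth.uid()
  );
$$;

-- RLS filters rows; it does not grant table privileges, so grant those first.
grant select on tenants, tenant_members to authenticated;
grant select, insert, update, delete on rooms to authenticated;

-- With RLS enabled and no matching policy, non-owner roles see nothing:
-- a table that is missing a policy fails closed rather than open.
alter table tenants        enable row level security;
alter table tenant_members enable row level security;
alter table rooms          enable row level security;

-- A user may see only their own membership rows and the tenants they belong to.
create policy members_select on tenant_members
  for select to authenticated using (user_id = auth.uid());

create policy tenants_select on tenants
  for select to authenticated using (is_tenant_member(id));

-- Reads: only rows of tenants the caller is a member of.
create policy rooms_select on rooms
  for select to authenticated using (is_tenant_member(tenant_id));

-- Writes: USING filters which existing rows may be touched; WITH CHECK rejects
-- new or updated rows whose tenant_id the caller is not a member of, so a
-- client cannot insert into, or move a row into, another household.
create policy rooms_insert on rooms
  for insert to authenticated with check (is_tenant_member(tenant_id));

create policy rooms_update on rooms
  for update to authenticated
  using (is_tenant_member(tenant_id))
  with check (is_tenant_member(tenant_id));

create policy rooms_delete on rooms
  for delete to authenticated using (is_tenant_member(tenant_id));

-- Local check as the client role (assumes auth.uid() reads the "sub" claim from
-- request.jwt.claims, as in current Supabase). The count must include only rooms
-- of tenants that user 0000...0001 is a member of.
set role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from rooms;
reset role;
```

Two details matter in practice. The table owner (and any role with BYPASSRLS, which includes Supabase's service role) is not subject to these policies, which is why service-role credentials must stay server-side; and a table that has RLS enabled but no policy denies all access to ordinary roles, so the safe default when a new table is added is to enable RLS before writing its first policy.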
Secure Development Practices
- Environment Separation: Development and production environments are separated with distinct credentials and configurations.
- Configuration Management: Secrets are stored in secure environment variables and access-controlled systems, and we work to prevent accidental inclusion of secrets in source control.
- Input Validation: Server functions and APIs validate inputs and apply rate limits to reduce abuse and injection risks.
Data Encryption & Protection
- In Transit: All traffic between your browser and our services is protected by HTTPS using TLS 1.2 or 1.3.
- At Rest: Data stored in Supabase Postgres and Cloudflare R2 is encrypted at rest using strong industry-standard algorithms (e.g., AES-256) as provided by the underlying infrastructure.
- Credentials & Secrets: Passwords are hashed using secure, modern algorithms. API keys and other secrets are stored only in secured environment variables and key stores.
AI Model Providers & Data Handling
Heimro combines multiple AI providers (such as OpenAI, Google Gemini, and Anthropic) to deliver home intelligence. We design our integrations to minimize unnecessary exposure of data.
- Scoped Inputs: We send only the data necessary to generate the requested AI Output. You should avoid including sensitive personal data in prompts where possible.
- Provider Terms: We configure providers under data processing terms designed to prevent your data from being used to train public foundation models, where such controls are available.
- Logging & Redaction: AI interaction logs may be stored for a limited time for debugging and product improvement, in line with our Privacy Policy.
Monitoring & Incident Response
- Centralized Logging: Application and server function logs are collected for troubleshooting, performance, and security review.
- Error Tracking: Error monitoring tools help us quickly identify and address application-level issues.
- Security Incidents: In the event of a confirmed security incident affecting your data, we will investigate promptly, mitigate impact, and notify affected users in accordance with legal obligations.
Responsible Disclosure
We value the work of security researchers who help us keep Heimro secure. If you believe you have found a vulnerability or security issue, please report it responsibly.
How to report: Email security@heimro.com with a detailed description of the issue, including steps to reproduce and any relevant technical information.
Our commitment: We will acknowledge receipt of your report in a reasonable time, investigate and assess impact, work to remediate confirmed vulnerabilities as quickly as practical, and keep you updated where appropriate.
Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and address them.
Bug Bounty Program
Feynn AS does not currently operate a public or private bug bounty program. Security reports are appreciated and will be reviewed, but submission does not guarantee a monetary reward.
