Privacy & Transparency
At AsaHome, we believe you should have complete control over your smart home data. This page explains exactly how our cloud relay service works and what data we handle.
Our Privacy Commitment
AsaHome Cloud is a pass-through relay service. We do not collect, store, analyze, or sell your personal data or smart home activity.
What We DO NOT Collect
| Data Type | Collected? | Explanation |
|---|---|---|
| Smart home commands | No | Commands pass through encrypted, we don't log them |
| Device states | No | Your light/sensor/thermostat data is never stored |
| Usage patterns | No | We don't track when you're home or your routines |
| Location data | No | We don't know or store where you live |
| Device contents | No | Your automations and configurations stay on your device |
What We DO Store (Minimal)
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account authentication | Until account deletion |
| Hashed password | Secure login | Until account deletion |
| Device registration | Route commands to your device | Until you unlink |
| Connection metadata | Know if device is online | Real-time only, not logged |
How the Tunnel Works
The Relay is a Pipe, Not a Bucket
- Your command (e.g., "turn on living room light") is encrypted on your phone
- The relay receives the encrypted packet and forwards it to your device
- Your device receives and executes the command
- We never see the actual command content - it's end-to-end encrypted
Security Architecture
Encryption Everywhere
| Layer | Protection |
|---|---|
| Transport | TLS 1.3 encryption for all connections |
| WebSocket | WSS (WebSocket Secure) protocol |
| Tokens | JWT with short expiration (15 min) |
| Passwords | bcrypt hashing (12 rounds) |
| Storage | Refresh tokens hashed with SHA-256 |
No Backdoors
- We cannot access your device remotely
- We cannot see your commands or device states
- We cannot control your smart home
- Admin access requires your explicit authorization
Open Architecture
What You Can Verify
- Connection endpoints: All traffic goes through
cloud.asahome.io - No analytics: We don't include tracking SDKs
- No third-party sharing: Your data never leaves our relay
- Minimal permissions: The app only requests necessary permissions
Self-Hosting Option
For maximum privacy, you can self-host the AsaHome Cloud backend:
- Full source code access
- Run on your own infrastructure
- Complete control over your data
- No dependency on our servers
Data Sovereignty
Your Data, Your Control
- Export: Request a full export of your account data anytime
- Delete: Complete account deletion removes all your data
- No lock-in: Switch services without losing your smart home setup
GDPR Compliance
We comply with GDPR and similar privacy regulations:
- Right to access your data
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object to processing
Transparency Log
We believe in radical transparency. Here's what our servers log:
[2024-01-15 10:30:00] Connection: device_uuid=xxx connected
[2024-01-15 10:30:01] Connection: user_id=xxx connected
[2024-01-15 10:30:05] Relay: message forwarded (size: 128 bytes)
[2024-01-15 10:30:05] Relay: response forwarded (size: 64 bytes)
Notice: We log connection events and byte sizes, but never the actual message content.
Security Certifications
Our infrastructure follows industry best practices:
- SOC 2 Type II compliance principles
- ISO 27001 aligned security controls
- Regular third-party security audits
- Penetration testing by independent researchers
Reporting Security Issues
Found a vulnerability? We appreciate responsible disclosure:
- Email: security@asahome.io
- Include detailed reproduction steps
- Allow 90 days for remediation
- We credit all valid reports
Frequently Asked Questions
Can AsaHome see my smart home data?
No. Commands are encrypted end-to-end. We relay encrypted packets without decrypting them.
Do you sell data to advertisers?
Absolutely not. We have no advertising business. Your data is not our product.
What happens if AsaHome shuts down?
Your local smart home continues working. You only lose remote access through our relay. Self-hosting ensures continuity.
Can law enforcement access my data?
We can only provide what we have: email, account creation date, and connection logs (without command content). We cannot provide data we don't collect.
How do I delete my account?
Contact support or use the app settings. Deletion is permanent and removes all associated data within 30 days.
Contact
Questions about our privacy practices?
- Email: privacy@asahome.io
- Documentation: You're reading it
- Security: security@asahome.io
Last updated: January 2026