DomusHQ
Your data during private beta
Last updated 2026-04-29
DomusHQ is in private beta. This page is the plain-English version of how I (Jake, the developer) think about your data while the app is being tested by friends, family and a small group of early users. The formal policy lives at /privacy; this page is the trust note that sits next to it.
You don’t need to use real data to try it
Household admin can include sensitive things — bills, mortgage details, income estimates, insurance documents, forwarded provider emails. You should only add information you’re comfortable testing with. Three options, in order of comfort:
- Sample household. Explore the app using a realistic fake household — provider names, renewal dates, expected costs, maintenance tasks. Nothing real, no commitment. Pick from four UK shapes (first-time buyer, family with kids, renter, shared house) on /setup/sample.
- Light real data. Add provider names, renewal dates and rough monthly costs. Skip documents and income. The setup template picker is built for this — pick a template, fill in dates as you confirm them.
- Full real data. Upload documents, forward real bills, track exact costs. This is where the app is most useful. The technical controls below cover this case; only do it if you’re comfortable.
Rough numbers are fine. The app doesn’t need exact figures to be useful.
Founder access — the honest version
During private beta, I have technical access to the production database, the document storage bucket, server logs, inbound email payloads, and feedback rows. That is normal for an early-stage app and unavoidable while I’m the only person who can debug a production incident or honour a deletion request.
What I commit to in writing:
- I only open user data when investigating a reported issue, honouring an export or deletion request, or fixing a security or data-integrity problem.
- I do not casually browse household data.
- I do not download user files locally unless essential to fix a bug.
- I do not paste user data into AI tools (Claude, ChatGPT, etc.).
- DomusHQ does not sell personal data, share it with advertisers, or use it for marketing.
The full internal version of this rule lives in docs/BETA_PRIVACY_TRUST.md in the repo, kept in step with this page.
What we don’t claim
I won’t tell you DomusHQ is zero-knowledge encrypted, bank-grade secure, or that nobody can see your data. None of those would be true today. They would also be the wrong things to optimise for at this stage — the actual blocker for early testers is honest disclosure plus a sensible way to test without real data, not cryptography.
Technical controls that are real
- Row-Level Security on every household-scoped table. One household cannot read another household’s records via the database API.
- Documents stored in a private bucket; access via short-lived signed URLs. Object paths are random, not derived from your name or provider.
- Authenticated, household-scoped access on every request.
- HTTPS everywhere; no service-role keys in client code.
- AI extraction (Anthropic / OpenAI) only runs when you click Analyse with AI or approve an inbound email; providers are contractually committed not to train on your data. Document contents are not stored in our AI logs.
- Server-side monthly AI cap (20 / household) so a runaway process can’t silently chew through your documents.
You can leave at any time
- Export a JSON copy of everything in your household from Settings.
- Delete your household data from Settings → Danger Zone. This removes uploaded documents from storage and cascades the database rows. Supabase backups are purged within 30 days under their standard policy. Server logs are kept up to 30 days for operational reasons.
Email forwarding and AI extraction are optional
You can use DomusHQ without ever forwarding an email or uploading a document. The Review queue is opt-in: forward a bill to your household alias and the app shows the parsed result for you to approve before any record is created. Nothing is auto-imported. You can delete the inbound email and its parsed fields together at any point.
What changes if this stops being beta
Some controls in this list are placeholders for what comes next: a written admin access audit log; user-granted temporary support access; household roles so partners and housemates can have different visibility on income and documents. None of those are urgent at this size. They become urgent the moment there is more than one developer or the app starts charging.
Questions
If anything here feels off, or you want to know exactly what data is held for your household, email me at jakewillis0@gmail.com. The bottom-right Feedback button works for shorter notes.