Legal
Privacy Policy
Last updated: April 17, 2026
Welcome to Homia ("App"), operated by Argonaut Studios LLC ("we," "us," or "our"). This Privacy Policy explains how we collect, use, share, and protect information when you use our mobile application.
We respect your privacy and are committed to complying with applicable privacy laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, Brazil's Lei Geral de Proteção de Dados (LGPD), the California Consumer Privacy Act as amended by the CPRA (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Privacy Act.
Data Controller: Argonaut Studios LLC, contact@argonautstudios.co
2. Information We Collect
2.1 Account Information
Homia uses anonymous sign-ins by default. We do not require your name or email address to create an account. Your account is identified by an anonymous identifier generated at sign-in. If you later link an email for account recovery, we store that email address.
2.2 User-Uploaded Images
When you use photo analysis or AI generation features, your uploaded images are stored in a private, access-controlled storage bucket. Photos may contain embedded metadata (such as location or device information); we do not strip this metadata before storage or processing.
2.3 Usage and Analytics Data
Depending on your region and consent preferences, we collect event data about how you interact with the App (e.g., features used, screens viewed, button taps). When you consent to analytics, this data may be associated with your account identifier.
2.4 Device and Technical Information
We collect standard technical information such as device type, operating system version, app version, and timezone for analytics and crash reporting purposes.
2.5 Crash and Error Data
With your consent (or by default in opt-out regions), we collect crash reports and error logs to identify and fix bugs. These reports include device type, OS version, app state at the time of the crash, and stack traces. We do not collect personally identifiable information in crash reports.
2.6 Advertising and Device Identifiers
With your consent (via Apple's App Tracking Transparency prompt), we may collect your device's Identifier for Advertisers (IDFA) to measure advertising campaign effectiveness. We also collect the Identifier for Vendors (IDFV) for analytics and subscription management. You can withdraw tracking consent at any time in your device's Settings.
2.7 Purchase and Subscription Data
When you make in-app purchases or subscribe, we process transaction data through Apple's StoreKit and RevenueCat. We do not collect or store your payment card details.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis (GDPR/LGPD) | Legal Basis (CCPA) |
|---|---|---|---|
| Provide core app features | Account ID, uploaded images | Performance of contract | Business purpose |
| Manage subscriptions | Account ID, purchase data | Performance of contract | Business purpose |
| Authenticate your account | Account ID, email (if linked) | Performance of contract | Business purpose |
| Deliver app updates | Device info, app version | Performance of contract | Business purpose |
| Analytics and product improvement | Account ID, usage data | Consent | Business purpose (opt-out right) |
| Crash reporting and bug fixes | Device info, crash data | Consent | Business purpose (opt-out right) |
| Advertising attribution | IDFA, IDFV, install data | Consent | Business purpose (opt-out right) |
| Comply with legal obligations | As required | Legal obligation | Legal obligation |
4. Consent and Your Choices
4.1 How We Obtain Consent
Your consent experience depends on your region:
Opt-in regions (EU/EEA, UK, Brazil, South America, Canada, Mexico, Japan): Before any non-essential data processing begins, we present a consent screen during onboarding. You can accept all, decline all, or customize your choices for each category (analytics, crash reporting, attribution). No non-essential services are activated until you make a choice.
Opt-out regions (United States, Australia, New Zealand): Non-essential services are active by default. You can opt out at any time through Settings > Privacy & Data.
Unknown regions: Treated as opt-in (most protective).
4.2 What You Can Control
You can independently enable or disable:
- Analytics (PostHog) — usage tracking and product analytics
- Crash Reporting (Sentry) — error and crash data collection
- Attribution (Singular) — advertising measurement
These choices are available at any time in Settings > Privacy & Data.
4.3 Withdrawing Consent
You can change your consent choices at any time in Settings > Privacy & Data. Changes take effect immediately. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. How We Share Your Information
5.1 We Do Not Sell Your Personal Information
We do not sell your personal information as defined under the CCPA. However, sharing data with our attribution partner (Singular) for advertising measurement may constitute "sharing" under the CCPA's definition. You can opt out of this sharing — see Section 10.
5.2 Third-Party Service Providers (Sub-Processors)
We share information with the following service providers, solely to operate the App:
| Provider | Purpose | Data Shared | Consent Required |
|---|---|---|---|
| Supabase | Authentication, database, image storage | Account ID, images, consent records | No (essential) |
| OpenAI | AI-powered image analysis | Uploaded images (via temporary signed URLs) | No (essential) |
| Azure AI Foundry | AI image generation | Design prompts and parameters | No (essential) |
| SearchAPI.io | Product search (Google Lens API) | Uploaded images (via temporary signed URLs) | No (essential) |
| RevenueCat | Subscription and purchase management | Account ID, purchase data, IDFV | No (essential) |
| PostHog | Product analytics | Usage events, device info, account ID | Yes |
| Sentry | Crash reporting and error tracking | Crash data, device info, app state | Yes |
| Singular | Advertising attribution | IDFA (with ATT consent), IDFV, install data | Yes |
| Expo | Over-the-air app updates | Device info, app version | No (essential) |
| Apple | App distribution, StoreKit, SKAN | Purchase data, SKAN conversion values | No (essential) |
5.3 Temporary Signed URLs
To enable AI processing of your images, we generate short-lived, temporary signed URLs that grant time-limited access to your stored images. These URLs are shared only with OpenAI, Azure AI Foundry, and SearchAPI.io for the sole purpose of processing your request and expire shortly after use.
5.4 Other Disclosures
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of our users or the public.
6. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate. For users in the EU/EEA, UK, Brazil, and Canada, we ensure appropriate safeguards are in place:
- EU/UK: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to sub-processors in countries without an adequacy decision.
- Brazil (LGPD): Transfers are based on SCCs or equivalent contractual guarantees under LGPD Art. 33.
- Canada (PIPEDA): We ensure a comparable level of protection through contractual obligations with our service providers.
- Australia: Data may be transferred to the US. We take reasonable steps to ensure overseas recipients comply with the Australian Privacy Principles.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account, plus 30 days for processing |
| Uploaded images | Until you delete them or your account |
| Analytics data | 24 months from collection |
| Crash reports | 90 days |
| Consent records | 5 years (to demonstrate compliance with GDPR Art. 7) |
| Purchase and subscription records | 7 years (tax and legal obligations) |
| Attribution data | In accordance with Singular's retention policy |
When you delete your account, we delete or anonymize all associated data within 30 days, except where retention is required by law.
8. Automated Decision-Making
Homia uses AI services (OpenAI, Azure AI Foundry) to analyze your uploaded photos and generate design suggestions. This processing is automated but does not produce legal or similarly significant effects on you. The AI analysis is a core feature you actively request each time you use it.
Under GDPR Art. 22 and LGPD Art. 20, you have the right to request information about the logic involved in automated processing. Contact us at contact@myhomia.com for details.
9. Security
We implement industry-standard security measures to protect your information, including:
- Private, access-controlled storage buckets for user images.
- Short-lived signed URLs to limit exposure of image data.
- Encrypted data transmission (HTTPS/TLS).
- No personally identifiable information collected in crash reports.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
10. Your Rights by Region
10.1 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time without affecting prior processing (Art. 7)
- Lodge a complaint with your local Data Protection Authority
10.2 United States (CCPA / CPRA)
California residents and residents of states with comparable privacy laws have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information
- Limit use of sensitive personal information
- Non-discrimination for exercising your rights
Do Not Sell or Share My Personal Information: We do not sell personal information. Sharing data with Singular for advertising attribution may constitute "sharing" under the CCPA. To opt out, go to Settings > Privacy & Data and disable Attribution. We will honor your preference immediately.
Categories of personal information collected in the prior 12 months: Identifiers (anonymous account ID, IDFV, IDFA with consent), internet/electronic activity (usage data, crash data), and commercial information (purchase history).
10.3 Brazil (LGPD)
You have the right to:
- Confirmation of the existence of processing (Art. 18(I))
- Access your data (Art. 18(II))
- Correction of incomplete or inaccurate data (Art. 18(III))
- Anonymization, blocking, or deletion of unnecessary data (Art. 18(IV))
- Data portability (Art. 18(V))
- Deletion of data processed with consent (Art. 18(VI))
- Information about who we share data with (Art. 18(VII))
- Withdraw consent (Art. 18(IX))
- Review of automated decisions (Art. 20)
10.4 Canada (PIPEDA / Quebec Law 25)
You have the right to:
- Access your personal information
- Correct inaccurate information
- Withdraw consent (subject to legal or contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada
10.5 Australia (Privacy Act)
You have the right to:
- Access your personal information (APP 12)
- Correct inaccurate information (APP 13)
- Complain to the Office of the Australian Information Commissioner (OAIC)
10.6 How to Exercise Your Rights
- In-app: Settings > Privacy & Data (consent changes), Settings > Delete Account (data deletion)
- Email: contact@myhomia.com
- Response time: We will respond within 30 days (GDPR, PIPEDA, LGPD) or 45 days (CCPA).
Because accounts are anonymous by default, we may ask you to verify account ownership before fulfilling a request.
11. Children's Privacy
Homia is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 (or under 16 in the EU where required by member state law). If you believe a child has provided us with information, please contact us at contact@myhomia.com and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this document and, where appropriate, notify you through the App. We review this policy at least annually. Continued use of Homia after changes are posted constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices:
General support: contact@myhomia.com
Company: contact@argonautstudios.co
Argonaut Studios LLC