Privacy Policy

1. Who we are

Hommie ("Hommie", "we", "us", "our") operates the website at usehommie.com and the Hommie mortgage-readiness platform. We are the data controller for the personal data described in this policy.

We are registered with the Information Commissioner's Office (ICO) as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our ICO registration number is [ZB######].

Data Controller contact:
Hommie
[Registered address — to be added]
Email: privacy@usehommie.com
Data Protection Officer: dpo@usehommie.com

2. What personal data we collect

2.1 Account & identity data

Full name	Provided by you on signup or from your Google account
Email address	Provided by you or from your Google account
Salted password hash (one-way, irreversible — we cannot retrieve your original password)	Created by you (email signup only — Supabase bcrypt-hashes and salts passwords before storage)
Google OAuth tokens	Used solely to authenticate you; not stored beyond the session
Account creation date and last sign-in time	Automatically recorded by our authentication provider

2.2 Mortgage readiness questionnaire data

Collected during onboarding and stored in your profile. All fields are optional — you can skip or update them at any time.

First-time buyer status	Whether you have owned a home before
Purchase timeline & journey stage	How soon you intend to buy and where you are in the process
Employment status	Employed, self-employed, contractor, student, or not working
Employment length	How long you have been in your current role
Self-employment details	Legal structure, years trading, income type (Ltd directors and sole traders only)
Monthly net income	Your take-home pay after tax
Target property price	The approximate value of the property you wish to buy
Current deposit amount	How much you have saved toward a deposit
Monthly savings amount	How much you save each month
Deposit source	Origin of your deposit funds (savings, gift, inheritance, Help to Buy ISA, sale of assets)
Monthly rent	What you currently pay in rent
Monthly debt repayments	Total existing credit card, loan, or finance repayments
Missed payment history (self-reported)	Whether you have missed payments in the last 3 years
Overdraft frequency	How often you use an overdraft
Buy Now Pay Later (BNPL) usage	How frequently you use services such as Klarna or Clearpay
Budget tracking	Whether you actively track your spending
Electoral roll registration	Whether you are registered to vote at your current address
Address tenure	How long you have lived at your current address
Photo ID availability	Whether you hold a valid passport or driving licence

2.3 Open Banking data (optional)

If you choose to connect your bank account via our Open Banking provider TrueLayer (FCA authorised), we collect and store:

Bank account metadata	Account type, display name, currency, IBAN, last 4 digits of account number, sort code — stored in your profile
Bank connection tokens	Encrypted OAuth access and refresh tokens (AES-256 encrypted at rest; never stored in plain text)
Transaction history	Date, amount, merchant name, category, and description of transactions — retrieved from TrueLayer and processed transiently to calculate your readiness score. Individual transaction records are not stored persistently in our database after the score is calculated.
Account balances	Current balance at time of connection

Connecting your bank is entirely voluntary. You can disconnect at any time from your account settings, which immediately revokes our access and deletes your stored bank connection data.

2.4 Derived & computed data

Mortgage readiness score	A 0–100 score calculated from your questionnaire and/or bank data
Score pillar breakdown	Six sub-scores covering deposit, income, credit, commitments, behaviour, and identity
Recommended actions	Personalised steps derived from your score
Score history	An immutable audit trail of every score version (required for advisor integrity)
Score edit log	A timestamped record of every change you make to your profile answers that triggers a recalculation

2.5 Usage & analytics data

Product analytics events	Page views, button clicks, feature interactions — collected via PostHog (pseudonymised; no raw PII in event properties)
Google Analytics 4	Aggregated website traffic and behaviour metrics — IP addresses are anonymised before processing
Session cookies	Authentication cookies set by Supabase to maintain your logged-in session
IP address	Collected by our hosting infrastructure for security and rate-limiting purposes; not used for profiling

3. Lawful basis for processing

We process your personal data under the following lawful bases under UK GDPR Article 6:

Processing activity	Lawful basis
Creating and maintaining your account	Contract performance (Art. 6(1)(b)) — necessary to provide the Hommie service
Calculating your mortgage readiness score	Contract performance (Art. 6(1)(b))
Storing your questionnaire answers	Contract performance (Art. 6(1)(b))
Processing Open Banking data	Explicit consent (Art. 6(1)(a)) — you must actively connect your bank; you can withdraw consent at any time
Score history and edit log (audit trail)	Legitimate interests (Art. 6(1)(f)) — preventing score manipulation and enabling advisor review of changes over time. Our legitimate interest: maintaining score integrity for users who consult mortgage advisors. Balanced against your interests: this data is never shared with third parties, is accessible only to you, and is deleted permanently when you delete your account. The processing is proportionate to the purpose.
Authentication and security logs (IP address, sign-in timestamps)	Legitimate interests (Art. 6(1)(f)) — protecting the service and users from unauthorised access. Retained for 90 days.
Product analytics (PostHog)	Consent (Art. 6(1)(a)) — collected via cookie consent banner; you can opt out at any time
Google Analytics	Consent (Art. 6(1)(a)) — collected via cookie consent banner
Security, fraud prevention, and rate-limiting	Legitimate interests (Art. 6(1)(f))
Responding to your deletion requests	Legal obligation (Art. 6(1)(c)) — UK GDPR Article 17 right to erasure
Complying with regulatory requests	Legal obligation (Art. 6(1)(c))

Automated score calculation (UK GDPR Article 22): Your mortgage readiness score is calculated solely by our algorithm without human involvement. The six pillars and their weights are: credit profile 30%, affordability 25%, deposit and LTV 20%, employment and income 15%, committed outgoings 7%, and identity and admin 3%. Hard stops apply if you report missed payments in the last 12 months, have no current employment, or have a deposit below 5% of your target property price — these cap your score and a specific note will appear in your score breakdown. This score affects the guidance and recommendations you receive, but does not constitute a formal lending decision or credit assessment, and is never shared with lenders or third parties. You have the right to request a human review of your score by emailing dpo@usehommie.com. You may also update your answers at any time to trigger a recalculation. We will respond to review requests within one calendar month.

4. How we use your data

We use your personal data exclusively for the following purposes:

Providing, maintaining, and improving the Hommie mortgage readiness platform
Calculating and updating your mortgage readiness score
Generating personalised recommendations and action plans
Authenticating your identity and securing your account
Communicating with you about your account (transactional emails only)
Detecting and preventing fraud, abuse, or security threats
Complying with our legal and regulatory obligations
Conducting anonymised product analytics to improve the service (subject to your consent)

Financially vulnerable users: If you are experiencing financial difficulty or vulnerability, you should seek guidance from a free, impartial debt advice service such as the Money and Pensions Service (MoneyHelper), Citizens Advice, or StepChange before making any financial decisions based on your Hommie score.

We do not:

Sell your personal data to any third party
Share your financial data with lenders, brokers, or credit reference agencies
Use your data for targeted advertising
Transfer your data outside the UK/EEA without appropriate safeguards under UK GDPR Chapter V
Use your bank transaction data for any purpose other than your score calculation

5. Data sharing and third-party processors

We share your data only with the following sub-processors, each bound by a Data Processing Agreement (DPA) with us and compliant with UK GDPR:

Processor / Controller	Purpose	Location	Safeguard
Supabase Inc.	Database, authentication, and session management	EU (AWS eu-west-1)	Standard Contractual Clauses (SCCs) + UK IDTA Addendum
TrueLayer Ltd. (independent data controller)	Account Information Service Provider (AISP) — Open Banking data retrieval. TrueLayer acts as an independent data controller for data it processes under its own FCA PSD2 authorisation (FRN 763008). Hommie receives account data from TrueLayer and acts as a separate data controller for its own processing. TrueLayer's Privacy Policy governs their processing.	UK (FCA authorised)	Independent UK GDPR controller; FCA regulated under PSR 2017
PostHog Inc.	Product analytics (pseudonymised event data)	EU (self-hosted option)	SCCs + UK IDTA Addendum; data pseudonymised before transmission
Google LLC (Analytics)	Aggregated website analytics	US	SCCs + UK IDTA Addendum; IP anonymisation enabled
Google LLC (OAuth)	Authentication via Google Sign-In	US	SCCs + UK IDTA Addendum; no additional data shared
Vercel Inc.	Website hosting and serverless function execution	EU (edge network)	SCCs + UK IDTA Addendum

We do not use any other sub-processors without updating this policy and, where required, notifying you. We will never sell your data to data brokers, advertisers, or financial institutions.

6. International data transfers

Some of our sub-processors (Google, PostHog, Vercel) process data in the United States. Where this occurs, we ensure appropriate protection through:

Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) addendum approved by the ICO
Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256)
IP anonymisation for Google Analytics before any data is transferred

Your core financial and profile data is stored in the EU (Supabase on AWS eu-west-1) and does not leave the UK/EEA.

7. Data retention

Data category	Retention period	Reason
Account and profile data	Duration of your account; deleted immediately upon account deletion request	Contractual obligation; erasure right under UK GDPR Art. 17
Open Banking tokens (active consent)	Revoked immediately on disconnection or account deletion; deleted within 24 hours	Minimisation; no longer required after consent withdrawal
Open Banking tokens (naturally expired, 90-day window elapsed)	Deleted within 24 hours of expiry date via automated cleanup	Data minimisation — expired tokens serve no purpose
Bank account metadata and connection details	Deleted immediately on disconnection or account deletion request	Minimisation; data no longer needed once connection removed
Transaction data	Processed transiently at time of bank connection; not stored persistently	Data minimisation — only the derived score is retained
Score history	Duration of your account; deleted with account	Advisor audit trail integrity
Score edit log	Duration of your account; deleted with account	Anti-gamification; advisor transparency
Product analytics events	13 months (PostHog project setting)	Aggregate trend analysis
Google Analytics data	14 months (GA4 project setting)	Website performance monitoring
Account deletion request records	3 years after erasure completion	ICO accountability principle — retained for the ICO's typical investigation timeframe
Authentication logs	90 days	Security monitoring

When your account is deleted, your personal data is permanently deleted from our live systems immediately. We will request deletion from sub-processor systems within 30 days of your request. A deletion record is retained for 3 years for ICO accountability purposes; this record contains only your user ID, the date of the request, and its status — not your personal data.

8. Security measures

We implement the following technical and organisational measures to protect your data:

Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher
Encryption at rest: All database data is encrypted at rest (AES-256) by Supabase/AWS
Bank token encryption: Open Banking access and refresh tokens are encrypted with AES-256 before being written to the database — the database never stores plaintext tokens
Row-level security (RLS): Database policies ensure that every user can only read and write their own data — no user can access another user's records
Authentication: Passwords are hashed using bcrypt via Supabase Auth; we never store or transmit plaintext passwords
Access control: Only authorised Hommie engineers can access production infrastructure, and only where necessary
Audit logging: All significant data changes (score recalculations, profile edits) are logged with timestamps

If you discover a security vulnerability, please report it responsibly to privacy@usehommie.com before public disclosure.

9. Data breach notification

Despite our security measures, no system is entirely immune from breach. In the event of a personal data breach, we will:

Assess the breach and its likely risk to your rights and freedoms within 24 hours of discovery
Where the breach is likely to result in a high risk to your rights and freedoms, notify you directly without undue delay — and in any event within 72 hours of us becoming aware
Report qualifying breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required by UK GDPR Article 33
Take immediate remediation steps to contain and prevent recurrence

Breach notifications to you will be sent to the email address registered on your account and will include: the nature of the breach, the categories and approximate number of records affected, likely consequences, and the steps we have taken or propose to take to address the breach.

If you suspect your Hommie account has been compromised, contact us immediately at privacy@usehommie.com. We will investigate and respond within 24 hours.

10. Your rights under UK GDPR

You have the following rights regarding your personal data. To exercise any of them, contact privacy@usehommie.com. We will respond within one calendar month (extendable by two further months for complex requests, with notice).

Right	What it means	How to exercise it
Right of access (Art. 15)	Receive a copy of all personal data we hold about you	Contact us at privacy@usehommie.com — we will provide your data in JSON format within one calendar month of your request
Right to rectification (Art. 16)	Correct inaccurate or incomplete data	Update your profile directly in the app, or contact us
Right to erasure (Art. 17)	Have your account and all associated personal data permanently deleted	Use the Delete Account option in your account settings, or contact us
Right to restrict processing (Art. 18)	Ask us to pause processing your data while a dispute is resolved	Contact us at privacy@usehommie.com
Right to data portability (Art. 20)	Receive your data in a machine-readable format (JSON)	Contact us at privacy@usehommie.com
Right to object (Art. 21)	Object to processing based on legitimate interests (e.g. analytics)	Contact us or withdraw consent via cookie preferences
Right not to be subject to automated decisions (Art. 22)	Request human review of your score calculation	Contact us at privacy@usehommie.com
Right to withdraw consent	Withdraw consent for Open Banking or analytics at any time, without affecting the lawfulness of prior processing	Use the Disconnect Bank option in account settings, or contact us

How to complain: If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/. We encourage you to contact us first so we can attempt to resolve your concern directly.

11. Cookies and tracking technologies

Cookie / technology	Type	Purpose	Consent required
Supabase auth session cookie	Strictly necessary	Keeps you logged in to your account	No — essential for the service to function
PostHog analytics	Analytics	Pseudonymised product usage events (e.g. which features are used)	Yes — consent banner (opt-out available at any time)
Google Analytics 4 (_ga, _gid)	Analytics	Aggregated website traffic metrics; IP anonymised	Yes — consent banner

You can withdraw consent for PostHog and Google Analytics at any time via our cookie consent banner. You can also block Google Analytics by installing the Google Analytics Opt-out Browser Add-on. Withdrawing analytics consent does not affect your ability to use Hommie.

12. Children's data

Hommie is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@usehommie.com and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material — for example, if we add a new data category, change our lawful basis, add a new sub-processor, or change how we use your data in a way that requires new consent — we will notify you by email at least 14 days before the change takes effect and, where required by UK GDPR, seek fresh consent. For minor clarifications, we will update the "Last updated" date at the top of this page.

Where a change to this policy involves new processing for which we rely on your consent, we will seek your explicit consent before that processing begins — continued use of the service alone does not constitute consent to new processing. For changes based on other lawful bases (contract performance, legitimate interests, or legal obligation), we will provide 14 days' notice and your continued use after that date indicates acceptance of those changes. If you do not agree to the updated policy, you may delete your account at any time.

14. Contact us

Hommie — Data Protection
[Registered address — to be added]
ICO Registration: [ZB######]
General privacy enquiries: privacy@usehommie.com
Data Protection Officer: dpo@usehommie.com
ICO complaints: ico.org.uk