App Privacy Policy

As of April 14, 2026

This Privacy Policy applies to all versions of the Controller for HomeKit app distributed through the App Store.

Responsible Party

acasa Software GmbH
Schlossstraße 12
76768 Berg, Germany
contact@acasa-software.de

Contact

For any questions, contact us at support@controller-for-homekit.com.

Support requests sent to this address are processed via our help desk system provided by Atlassian (EU-based, GDPR-compliant). The submitted data (e.g. email address and message content) is only used to handle your request and is not shared with third parties.

Apple HomeKit

Controller for HomeKit interacts with Apple’s HomeKit Framework.

More information: https://www.apple.com/ios/homekit/

With granted permission, the app accesses your HomeKit setup to read and modify homes, zones, rooms, devices, services, service groups, characteristics, scenes, and time- and event-based triggers.

Data is stored in the HomeKit database on your device. Synchronization and communication are handled by Apple’s HomeKit system.

The legal basis is your consent granted through the system permission (Art. 6(1)(a) GDPR).

AWS Server

We operate our own backend server hosted on AWS in Frankfurt.

Stored metadata includes room names, device names, services, characteristics, icons, home name, workflow and backup configurations, and automation metadata.

This enables synchronization across devices, advanced features, and optional sharing with other users. No personal identifiers are stored.

The legal basis is contract performance (Art. 6(1)(b) GDPR).

Mixpanel Analytics

We use Mixpanel to analyze how users interact with the app. Data is processed exclusively on EU servers under GDPR-compliant conditions.

Tracking is enabled by default and can be disabled by the user at any time in the app settings. No data is used to personally identify users.

The legal basis is the legitimate interest in improving the app (Art. 6(1)(f) GDPR). You can object to processing at any time via the app settings.

AI Features (OpenAI API)

For selected AI features in the app, we transmit your inputs to the OpenAI API. The provider is OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, together with its affiliates (OpenAI OpCo, LLC, USA).

Only the content required for the request (prompts) and technical request metadata are transmitted. Direct identifiers such as your name or email address are not sent to OpenAI.

OpenAI generally retains API requests and responses for up to 30 days to detect and prevent abuse, and deletes them afterwards unless a legal retention obligation applies. The transmitted content is not used by OpenAI to train its models.

Processing partly takes place on servers in the USA. Transfers to third countries are safeguarded by Standard Contractual Clauses (Art. 46 GDPR) and OpenAI’s certification under the EU-US Data Privacy Framework. We have entered into a Data Processing Addendum with OpenAI.

The legal basis is contract performance (Art. 6(1)(b) GDPR) when you actively use an AI feature, as well as our legitimate interest in providing intelligent features (Art. 6(1)(f) GDPR). Using AI features is voluntary.

To analyze, debug, and improve the quality of our AI features, we enable the "Store logs" option in our OpenAI organization. The requests sent to OpenAI and their corresponding responses are stored within our OpenAI organization on the OpenAI platform and are only accessible to authorized personnel of our company for evaluation purposes. The retention period is governed by the settings of our OpenAI organization, and stored content can be deleted by us at any time. The data is not shared with any further third parties, and this feature does not result in the content being used to train OpenAI’s models. The legal basis is our legitimate interest in ensuring and improving the functionality of our services (Art. 6(1)(f) GDPR).

StoreKit Transaction Data

We process anonymized StoreKit transaction data to assign internal UUIDs for license validation and access to Pro features. No personal data is linked or stored.

The legal basis is contract performance (Art. 6(1)(b) GDPR).

Notification Feature

To send notifications, a unique token is generated for each user. Notification messages are stored encrypted and transmitted securely via our infrastructure. The token can be regenerated or deleted by the user at any time.

The legal basis is your consent granted by enabling notifications (Art. 6(1)(a) GDPR).

Controller Hub and Workflows

The Controller Hub enables the creation and automation of workflows based on device states, triggers, or schedules. Workflow metadata is stored on our server to support cross-device functionality and optional sharing.

If remote triggering is enabled for a workflow, a unique URL is created to allow external systems to trigger the workflow.

The last executions of each workflow are stored on our server and made available in the app so users can trace the execution history.

To display charts, values of certain characteristics must be stored so that they can also be delivered to your own devices that are not themselves the Controller Hub. No server-side analysis of this data takes place.

Disclaimer: Users are fully responsible for the workflows they define. Controller for HomeKit executes workflows exactly as configured and assumes no liability for their effects.

More information: controllerforhomekit.com/features/workflows

The legal basis is contract performance (Art. 6(1)(b) GDPR).

Custom States

You can create custom states (on/off variables) that can be used in workflows as triggers, conditions, or actions.

The name, icon, and current value of a state are stored on our server and synced across your devices. To display history charts, value changes are also recorded as data points on our server.

The legal basis is contract performance (Art. 6(1)(b) GDPR), as state synchronization is a core feature of the app.

Calendar and Reminders

With your permission, the app accesses your calendar events and reminders via Apple’s EventKit. This enables workflows based on calendar events or reminders, as well as creating and modifying events and reminders from within workflows.

Calendar data (e.g. title, date, availability status) is processed exclusively on your device and is not transmitted to our servers. The workflow configuration stores only the calendar name and title pattern, not event content.

External calendar subscriptions (ICS URLs) are fetched by your device directly from the respective provider. Permission can be revoked at any time in your device’s system settings.

The legal basis is your consent granted through the system permission (Art. 6(1)(a) GDPR).

Newsletter

You can subscribe to our newsletter on our website or in the app. We only collect your email address. Subscription is voluntary and based on your consent (Art. 6(1)(a) GDPR).

The newsletter is sent via Mailchimp (The Rocket Science Group LLC, USA). Mailchimp processes your email address on our behalf for the purpose of sending the newsletter. Mailchimp is certified under the EU-US Data Privacy Framework. The email address stored at Mailchimp is not linked to your user account.

You can withdraw your consent at any time and unsubscribe via the link included in every newsletter. After unsubscribing, your email address will be deleted from Mailchimp.

Data Retention

We retain metadata only as long as necessary for the app’s core functions or until deleted by the user. Analytics data is anonymized and processed without identifying individuals.

Security Measures

All data is protected by technical and organizational safeguards against unauthorized access, loss, or manipulation.

Your Rights

You have the right to access, rectification, erasure, restriction of processing, data portability, and objection regarding your personal data. Where processing is based on consent, you may withdraw it at any time.

To exercise your rights, contact: support@controller-for-homekit.com

You also have the right to lodge a complaint with a data protection supervisory authority.