Privacy Policy
1. Introduction
HoardIQ ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our home inventory mobile application (the "App").
The App is operated by HoardIQ, a sole proprietorship (enkeltmandsvirksomhed) registered in Denmark (CVR: registration pending), Rønnebærvej 10, 2. 216, 2840 Holte, Denmark. HoardIQ is the data controller for the personal data described in this policy.
This policy applies to:
- The HoardIQ mobile app (Android and iOS)
- The HoardIQ API (api.hoardiq.com)
- Our analytics and monitoring services
By using the App, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Personal Information You Provide
Account Information:
- Email address
- First and last name
- Password (hashed with BCrypt, never stored in plain text)
Home Inventory Data (User Content):
- Home details (name, description, address)
- Room names and descriptions
- Storage unit names, types, and descriptions
- Item names, descriptions, categories, tags
- Item photos (stored on our server)
- Purchase dates, expiration dates, estimated values
- Barcode data (for item lookup)
Collaboration Data:
- Email addresses of people you invite to your home
- Access permissions (view/edit rights)
2.2 Information Collected Automatically
Device Information:
- Device type, operating system, app version
- Unique device identifiers (for push notifications)
Usage Analytics (Self-Hosted Matomo):
- Pages/screens viewed
- Features used (search, photo capture, export)
- Session duration and frequency
- Crash reports (via GlitchTip)
Log Data (Seq Structured Logs):
- API request logs (endpoint, response time, status code)
- Error logs (for debugging)
- IP addresses (for rate limiting and security)
2.3 Information from Third Parties
OpenRouter AI (Image Analysis):
- When you capture item photos, we send the photo to OpenRouter's AI models to analyze and extract item name, category, description, estimated value, and tags
- OpenRouter's data processing is governed by their privacy policy
- We do not send personal identifiers (email, name) to OpenRouter
Open Food Facts / UPC ItemDB (Barcode Lookup):
- When you scan a barcode, we query these services to retrieve product information
- No personal data is sent to these services
3. How We Use Your Information
We use your information to:
- Provide and Maintain the App — create and manage your account, store your home inventory data, enable collaboration features
- Improve the App — analyze usage patterns (via Matomo), fix bugs and crashes (via GlitchTip), optimize performance
- AI-Powered Features — analyze item photos to suggest names, categories, and values
- Communicate with You — send push notifications for item expiration reminders
- Ensure Security — detect and prevent fraud, monitor for unauthorized access, enforce rate limits
4. Legal Basis for Processing (GDPR)
We process your personal data based on:
- Contractual Necessity: To provide the App's core features (inventory management)
- Legitimate Interests: To improve the App, ensure security, and prevent fraud
- Consent: For analytics (Matomo) and AI features (OpenRouter) — you can withdraw consent at any time
5. Data Sharing and Disclosure
5.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties.
5.2 Service Providers (Data Processors)
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| OpenRouter | AI image analysis | Item photos (temporary) | USA |
| Matomo | Self-hosted analytics | Usage events (no PII) | Denmark (self-hosted) |
| Seq | Structured logging | API logs | Denmark (self-hosted) |
| GlitchTip | Crash reporting | Error stack traces | Denmark (self-hosted) |
5.3 Legal Requirements
We may disclose your information if required by law or in response to valid requests by public authorities.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide you services.
- Account data: Until you delete your account
- Home inventory data: Until you delete the home or your account
- Photos: Until the associated item is deleted
- Analytics data (Matomo): 24 months
- Log data (Seq): 90 days
- Crash reports (GlitchTip): 12 months
After account deletion, we retain data for 30 days (grace period) before permanent deletion.
7. Your Data Protection Rights (GDPR / CCPA)
You have the following rights regarding your personal data:
- Right to Access: Request a copy of your personal data by contacting [email protected] or via Settings → Export Data.
- Right to Rectification: Update your account information directly in the App.
- Right to Erasure: Delete your account via Settings → Delete Account.
- Right to Data Portability: Export your data in JSON or CSV via Settings → Export Data.
- Right to Object / Restrict Processing: Opt out of analytics in Settings.
- Right to Withdraw Consent: Withdraw consent for analytics and AI features via Settings.
8. Cookies and Tracking Technologies
We use local storage on your device to maintain your session and preferences. We do not use cookies for advertising or cross-site tracking.
Matomo Analytics (Self-Hosted): Uses a cookie to distinguish unique visitors (can be disabled in Settings). No data is shared with third-party advertising networks.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Password Security: BCrypt hashing with 12 rounds
- API Security: JWT tokens with short expiry (1 hour) and refresh token rotation
- Transport Security: TLS 1.2+ for all API communication
- Database Security: SQL Server with encrypted connections
- Photo Storage: Server-side storage with restricted access
- Secrets Management: Environment variables and SecureStorage (no hardcoded secrets)
However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence:
- Primary Storage: Denmark (SQL Server on romank.dk)
- AI Processing: USA (OpenRouter) — we rely on Standard Contractual Clauses for data transfers
By using the App, you consent to this transfer.
11. Children's Privacy
The App is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete it.
12. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page, sending an in-app notification, and updating the "Last Updated" date.
13. Contact Us
If you have any questions about this Privacy Policy, please contact us:
- Data Controller: HoardIQ (enkeltmandsvirksomhed), Rønnebærvej 10, 2. 216, 2840 Holte, Denmark (CVR: registration pending)
- Email: [email protected]
- Data Protection Officer: [email protected]
14. Supervisory Authority
If you are in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority.
List of EU Data Protection Authorities
15. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights:
- Right to Know: You can request information about the personal information we collect, use, and disclose
- Right to Delete: You can request deletion of your personal information
- Right to Opt-Out: We do not sell your personal information, so this right does not apply
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at [email protected] or use the in-app data export/delete features.