Iota-HomeIota-Home

Privacy Policy

Last Updated: April 11, 2026

This Privacy Policy describes how Iota-Home ("we," "us," or "our") collects, uses, stores, and shares information when you use our website, mortgage calculator tools, partner portal, embedded widgets, and mobile applications (collectively, the "Services"). We try to keep this document plain-spoken and specific — if anything is unclear, email contact@iota-home.com.

Who This Policy Covers

Iota-Home serves several types of users, and the data we handle differs for each. This policy covers all of them:

  • Anonymous visitors — people who use our calculators at iota-home.com without creating an account.
  • Registered users — people who create an Iota-Home account to save scenarios, sync across devices, or access account features.
  • Partner portal customers — businesses (credit unions, lenders, realtors, etc.) that subscribe to our embeddable calculator widgets through the B2B portal at /portal.
  • End users of embedded widgets — visitors to a third-party website that has embedded one of our calculators. For these users, the website operator is the primary data controller; we act as a processor on their behalf and collect only minimal, non-identifying analytics.
  • Mobile app users — people using the Iota-Home Android app.

For most purposes, Iota-Home acts as the data controller. For embedded widget analytics on a partner's website, Iota-Home acts as a data processor for that partner.

Information We Collect

Anonymous Visitors

When you use Iota-Home without signing in, your mortgage scenarios, portfolio adjustments, theme preferences, and tab/UI state are stored only in your browser's localStorage. This data stays on your device and is not transmitted to our servers. You can delete it at any time by clearing your browser storage or using the Reset/Clear features in the app.

We also collect analytics (see the Analytics section below) to understand how the site is used.

Registered Users (Accounts)

When you create an account, we collect and store the following in our database (hosted on Supabase):

  • Email address
  • Password hash (handled by Supabase Auth — we never see your plaintext password)
  • Optional profile information: full name, avatar URL
  • Account settings (dark mode preference, last-viewed tabs, etc.)
  • Subscription tier and role
  • Your saved mortgage scenarios (loan amounts, rates, terms, down payments, extra payments, property details, and any notes you add)
  • Portfolio adjustments and what-if scenarios tied to your account
  • Account creation and last-update timestamps

If you sign in with Google, we receive your email address, display name, and avatar URL from Google — nothing more. We do not receive or request access to your Gmail, Drive, contacts, or any other Google service data.

Once you sign in and migrate, your scenarios live in our database (not localStorage) so they can sync across devices. You can export, modify, or delete this data at any time through the Account page.

Partner Portal Customers (B2B)

If you use the partner portal to embed our widgets on your website, we additionally collect and store:

  • Organization name and contact information
  • Domains where the widget is authorized to load (domain allowlist)
  • Widget configuration (theme, colors, logo, card selection, default rates, disclaimer text)
  • Access tokens issued for your tenant (rotatable from the portal)
  • Subscription plan, trial status, and expiry dates
  • Stripe customer ID and subscription ID (billing metadata only — see Payments below)
  • If you use the Brand Extractor tool, the URL you supply is fetched by our serverless function to extract public brand assets (logo, fonts, colors). The extracted results are cached against your tenant record.

End Users of Embedded Widgets

When our calculator widgets are embedded on a partner's website, we collect very limited, anonymized usage events to give partners aggregate analytics:

  • Tenant ID (which partner's widget loaded)
  • Event type (session start, calculation performed)
  • Calculator type (mortgage modeler or affordability calculator)
  • An ephemeral session identifier (a random UUID, not tied to any account or device)
  • Timestamp

We do not collect or store: IP addresses, loan amounts, incomes, financial inputs, names, emails, cookies, or any other personally identifiable information from widget end users. We do not set persistent identifiers that would allow us to track widget users across sessions or sites.

Mobile App Users

The Android app collects the same information as the web app when you are signed in, and uses the same Supabase backend. It does not request device permissions beyond those required for standard web content and deep-link handling. Scenarios are stored locally until you sign in, at which point they migrate to your account.

Analytics Data (All Users on iota-home.com)

We use Google Analytics 4 to understand how our main website is used. This includes:

  • Pages visited and features used (calculators opened, scenarios created, etc.)
  • Time spent on the application
  • Browser type and device information
  • Approximate geographic location (city/country level)
  • Referral source (how you found our site)
  • Rounded, non-identifying event values — for example, loan amounts rounded to the nearest $1,000 and home prices rounded to the nearest $10,000 — used to understand aggregate usage patterns. We do not record the exact values you type into the calculators.

Google Analytics is not loaded on embedded widget pages. Widget analytics use the separate first-party pipeline described above.

Third-Party Service Providers

We use the following third-party services to operate Iota-Home. Each has access only to the data necessary for its function, and each is bound by its own privacy policy.

ProviderPurposeData Accessed
SupabaseDatabase, authentication, file storageAccounts, scenarios, portfolio data, widget tenant configs, widget event logs
VercelWebsite hosting and serverless functionsStandard web request logs (IP, user agent, timestamp)
StripePayment processing for B2B subscriptions and add-onsBilling details entered during checkout (Stripe handles card data directly; we never see your card number)
Google Analytics 4Website usage analytics (main site only, not embeds)Aggregated usage events, device/browser info, coarse location
Google OAuthOptional "Continue with Google" sign-inEmail, display name, avatar URL (only if you choose to sign in with Google)
Google FontsServing brand-matched fonts inside embedded widgetsStandard font-request data (IP, user agent) on pages that load fonts
FRED (Federal Reserve Bank of St. Louis)Live 30-year and 15-year mortgage rate dataNo user data sent — we fetch published rate series on a schedule
API NinjasProperty tax lookup by ZIP codeZIP code only (no other user data)

We do not sell, trade, or rent your personal information to third parties. We only share data with the processors above, and only to the extent necessary to operate the Services.

Payments

All payments for B2B subscriptions and one-time add-ons are processed by Stripe, a PCI-DSS-compliant payment processor. You enter your payment details directly on Stripe's checkout page — we never receive, handle, or store your card number, CVV, or other sensitive card data.

What we do store from the Stripe integration:

  • Stripe customer ID and subscription ID (for managing your subscription)
  • Subscription plan, status, and renewal dates
  • Webhook event history from Stripe (for audit and debugging purposes)

To manage, cancel, or review your subscription and invoices, use the billing portal link inside your partner portal, which opens a hosted Stripe session.

How We Use Your Information

We use the information we collect to:

  • Provide the calculator and account features you requested
  • Sync your scenarios across your devices when you are signed in
  • Authenticate you and keep your account secure
  • Process subscription payments and fulfill B2B service obligations
  • Deliver embedded widgets to authorized partner domains
  • Provide partners with aggregate, non-identifying usage analytics for their own widgets
  • Improve and optimize the Services, diagnose bugs, and understand feature usage
  • Communicate with you about your account, subscription, or support questions you initiate
  • Comply with legal obligations and enforce our terms of service

We do not use your data for advertising, profiling, or any form of automated decision-making that produces legal effects about you.

Share Links

If you create a share link for a scenario, comparison, or portfolio using our short-link sharing feature (/s/:shortId), a copy of that scenario data is saved to our database with a short unique ID. Anyone who has the link can view the scenario. Share links:

  • Require you to be signed in to create (viewing is public)
  • Expire automatically after one year
  • Contain only the calculator inputs and outputs you chose to share, not your account details
  • Can be invalidated by contacting us if you no longer want a link to be accessible

Older share-link formats that encode scenario data directly into the URL (/share/..., /share-comparison/..., /share-portfolio/...) do not store anything on our servers — the entire scenario lives inside the URL.

Data Retention

Data TypeRetention Period
Local browser storage (anonymous users)Until you clear it
Account profile and saved scenariosUntil you delete them or delete your account
Share links (/s/:shortId)1 year from creation, then automatically expired
Partner portal tenant recordsFor the life of your subscription; archived after cancellation
Stripe billing metadata and webhook logRetained as required by tax and accounting regulations (typically 7 years)
Widget event analyticsAggregated and retained for the life of the tenant
Brand Extractor cacheRefreshed on demand; deleted when the tenant is deleted
Admin audit logsRetained for security and compliance review
Google Analytics 4 data14 months (Google's default), then automatically deleted
Vercel edge request logsPer Vercel's retention policy (typically 24 hours to 30 days)

Your Privacy Rights

Regardless of where you live, you can exercise the following rights over the data we hold about you:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to fix inaccurate data
  • Deletion — ask us to delete your account and associated data
  • Export / Portability — request your scenarios in a portable format (JSON)
  • Object / Restrict — object to or restrict certain types of processing
  • Withdraw consent — opt out of analytics at any time via the cookie banner

How to exercise your rights

  • Self-service: most rights can be exercised immediately from the Account page — update your profile, reset data, or delete your account.
  • Email: for anything else, write to contact@iota-home.com. We will respond within 30 days.

GDPR (EEA and UK residents)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the rights above are granted to you under the GDPR / UK GDPR. You also have the right to lodge a complaint with your local data protection authority.

CCPA / CPRA (California residents)

California residents have the rights listed above under the CCPA and CPRA, including the right to know what personal information we collect, the right to request deletion, and the right to non-discrimination for exercising these rights. We do not sell or share personal information as those terms are defined by the CCPA/CPRA.

Account Deletion

You can delete your account at any time from the Account page. When you delete your account, we remove:

  • Your user profile
  • All saved scenarios and portfolio adjustments
  • Your account settings and preferences
  • Your authentication record with Supabase

A limited set of records may survive account deletion where we have a legal or operational obligation to retain them:

  • Stripe billing history and invoices (tax/accounting compliance)
  • Webhook logs and audit logs (security and compliance)
  • Aggregated, non-identifying analytics

Admin accounts cannot self-delete for safety reasons — contact us if you need to remove one.

Cookies and Tracking

We use cookies and similar technologies for authentication, session management, and (with your consent) analytics. Embedded widgets do not set tracking cookies. For the full list and your controls, see our Cookie Policy.

You can manage your cookie preferences through the cookie consent banner on your first visit, or by adjusting your browser settings at any time.

Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data transmission uses HTTPS / TLS encryption
  • Passwords are hashed by Supabase Auth — we never store plaintext passwords
  • Row-level security (RLS) policies enforce that users can only access their own data at the database level
  • Embedded widgets are served with Content-Security-Policy: frame-ancestors restrictions based on each tenant's domain allowlist
  • Partner portal API requests are authenticated with Supabase JWTs
  • Widget analytics ingestion deliberately discards IP addresses and never stores financial inputs
  • Card payment data is handled exclusively by Stripe, a PCI-DSS Level 1 provider

No system is perfectly secure. If you believe you have discovered a vulnerability, please report it responsibly to contact@iota-home.com.

Mobile Application

The Iota-Home Android app shares the same backend and privacy practices as the website. It does not access your contacts, photos, location, microphone, or camera. It uses standard platform storage to cache scenarios and preferences on your device.

The app does not load Google Analytics. Anonymous crash reporting and usage telemetry, if enabled in a future release, will be disclosed here and in the app store listing before rollout.

Third-Party Links

Our website and educational content may contain links to external websites. We are not responsible for the privacy practices of those sites. Review their privacy policies before providing any information.

Children's Privacy

Iota-Home is a financial planning tool intended for adults and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

International Data Transfers

Iota-Home is operated from the United States, and our infrastructure providers (Supabase, Vercel, Stripe, Google) process data in the United States and other jurisdictions. If you access the Services from outside the U.S., your information will be transferred to, stored in, and processed in the U.S. By using the Services you acknowledge this transfer.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be reflected in the "Last Updated" date at the top of this page, and — for significant changes affecting registered users — by email notification to the address on your account. Continued use of the Services after an update constitutes acceptance of the revised policy.

Contact Us

Questions, privacy rights requests, or security reports — reach us at:

Email: contact@iota-home.com

← Back to Home|Cookie Policy
Iota-HomeIota-Home

Powerful mortgage modeling tools for homebuyers, homeowners, and real estate investors. Plan smarter with detailed amortization analysis.

This tool is for planning and education only and does not constitute financial advice. Calculations are estimates based on the information you provide. Taxes, insurance, and closing costs may vary by region and lender. Always verify details with your mortgage lender or financial advisor before making decisions.

© 2026 Iota-Home. All rights reserved.

We value your privacy

We use Google Analytics to understand site usage. Accept to enable full analytics, or decline for cookieless tracking with anonymized data only. All mortgage calculations are stored locally in your browser and never sent to our servers. Privacy PolicyCookie Policy

Mortgage modeling for smarter decisions