Your home's data deserves serious treatment.
We don't sell it. We don't train on it. We encrypt it. You can take it with you any time.
Three principles, in plain English.
Your data is yours.
Export it, delete it, take it somewhere else. We don't lock you in.
Not used to train AI.
We do not use your content to train Holm's models or anyone else's. Period.
Shared only when you say.
No partner gets your data unless you explicitly invite them to a property.
Encryption and hosting
Your data is encrypted both while it sits on our servers and while it travels between your phone and ours. We host on enterprise cloud infrastructure inside US data centers, with encrypted backups replicated to a second location in case anything ever goes wrong. (For the technically curious: that infrastructure is Amazon Web Services — the same hosting trusted by major banks, hospitals, and government agencies.)
Access and authentication
Your password is never stored in readable form — even by us. Two-step sign-in (the kind your bank uses) ships with the public release. Sessions sign you out automatically when you're inactive, and we alert you if a sign-in looks suspicious.
AI and training
Holm's assistant runs on large language models. We send only the minimum data needed to answer your question, and we use contractual terms with every model provider prohibiting use of your data for training. The model-provider list will be published with the public release.
Compliance posture
An independent third-party security audit (the standard one in our industry, called SOC 2) is on the roadmap for after public launch — we'll publish concrete dates when we've scoped it. Holm doesn't handle medical data or store your full payment card details; billing runs through a dedicated payment processor (Stripe) so the sensitive parts of your card never touch our systems.
Responsible disclosure
If you believe you've found a vulnerability, please file it via the contact form and select Security in the topic field. We acknowledge within 24 hours. Good-faith research is welcome — we don't pursue legal action against researchers who follow our disclosure policy.
Data portability + deletion
You can take everything with you any time — as a PDF, as a spreadsheet, or as a developer-friendly raw file if you have someone moving you to another tool. Delete your account and we erase your data within 30 days, except where we're required by law to retain billing records.
Status and uptime
A public status page goes live alongside the web and mobile apps. Our uptime target is 99.9% monthly for the web app and iOS app once shipped.
Questions about how we handle security?
Send us a note →