Your data.
Safe. To the highest standards.

EU hosting. AES-256 encryption. GDPR compliant. So you don't have to worry.

Security starts before the first click inside.

Houselinc is built for sensitive and important information — from personal profile data and insurance records to property documents, financial details and invoices. Secure login and two-factor authentication help protect access from the very beginning.

Create your account, verify your identity, enable two-factor authentication and enter a platform built around privacy-aware organization.

Two-factor authentication

Secure every login with a second verification step.

Encrypted data storage

Your information is stored with strong encryption at rest and in transit.

Private by design

Your data is never sold, shared or used for advertising.

Access control

You decide who sees what — full control over sharing and permissions.

01

Where is my data stored?

Your data lives in Frankfurt, Germany, in Google Cloud region europe-west3. Processing functions run in the EU region europe-west1 (Belgium). In normal operation, your content does not leave the EU.

We use Google Cloud / Firebase as our infrastructure. Processing is GDPR-compliant under Standard Contractual Clauses and the EU-US Data Privacy Framework.

02

Can Houselinc staff read my content?

For highly sensitive data — tax ID, IBAN, marriage contract, tax notices, birth certificates — no. These are end-to-end encrypted: the key lives on your device (Secure Enclave / iCloud Keychain), and on our servers we only ever see unreadable ciphertext.

For operationally required fields (address, amounts, categories), we apply strict need-to-know access with four-eyes review and monthly audit-log reviews. All staff are bound by NDA and regularly trained.

03

How is my data protected against hacking?

  • In transit: TLS 1.3 on every connection.
  • At rest: AES-256 with Customer-Managed Encryption Keys (CMEK).
  • Highly sensitive fields: additional zero-knowledge encryption with your personal key.
  • Recovery: Point-in-Time Recovery (rolling 7 days).
  • External validation: annual penetration test and ongoing bug-bounty program.

04

Does Houselinc read my emails?

If you connect a mailbox, we receive only read-only access via OAuth 2.0 (scope gmail.readonly) — we cannot send, modify or delete messages. Your inbox is not mirrored; we process only what you actively trigger. You can see and disconnect the linked account at any time with one click.

05

Can Houselinc access my bank account?

No. If a bank connection is used, it goes exclusively through a licensed PSD2 provider (AISP) as a read-only Account Information Service. Initiating payments (PISP) is technically excluded. Your consent expires every 90 days and must be re-confirmed by you.

06

What happens to my data when I cancel?

Cancellation triggers a two-stage GDPR Art. 17 workflow:

  • 30-day grace period — the account is locked but recoverable if you change your mind.
  • Then a hard wipe — including all backup snapshots and provider logs. You receive a deletion confirmation by email.

Before deletion you can export all your data as a JSON and PDF bundle at any time (GDPR Art. 20).

07

Is my data sold to third parties?

No — and it's contractually excluded. Houselinc does no profiling, no advertising, no data sales. Our sub-processors are technical service providers only (cloud infrastructure, AI processing, push notifications, newsletter delivery), all under Data Processing Agreements per GDPR Art. 28. The full, versioned list is published on our website.

08

How are highly sensitive documents protected (tax ID, marriage contract, IBAN)?

These fields receive the highest protection level: zero-knowledge encryption with a key that never leaves your device. Even we cannot decrypt this data — for us, it sits in storage as ciphertext.

A second authentication step (biometrics or PIN) is required to view these fields. Important: your recovery phrase is generated once at onboarding — keep it safe, as only you can use it to restore access.

09

Where is my content processed by AI, and is it used for training?

AI processing is currently used only for invoice recognition (OCR / data extraction). The provider is Anthropic (Claude). It is contractually guaranteed that your data is not used for training and is retained for at most 30 days for Trust & Safety purposes.

Before any AI processing, the app shows you which file goes where, and you can decline. For zero-knowledge data, an additional file-specific approval is required.

10

Will I be notified if a security incident occurs?

Yes. We follow GDPR Art. 33 and 34: the regulator is notified within 72 hours, and affected users are notified without delay in case of high risk. This is operationalised by:

  • A documented incident-response plan, rehearsed twice a year.
  • A public status page at status.houselinc.com.
  • A tested customer-notification email pipeline.
  • Anomaly detection on data access with active alerting.

Last updated: May 2026 · Questions? Contact us at privacy@houselinc.com

Your data stays in Europe.

All data is stored exclusively on ISO-27001-certified servers in Frankfurt, Germany. No external access, no risk.

Encrypted like a bank.

Transmission via TLS 1.2+, data at rest secured with AES-256. No Houselinc employee has unauthorised access to your documents.

Your data belongs to you.

Full export possible at any time. Upon cancellation, your data is deleted within the statutory deadlines.

carry the moments with you. not the documents.