← Back to HearthPilot

Privacy & Security architecture

This page is a security-architecture statement, not a legal privacy policy. A formal privacy policy, currently under review by counsel, will be published before the App Store launch in August 2026. The statements below describe how the HearthPilot product is engineered today; the formal policy will describe legal terms, jurisdictions, and your rights.

The principle

Your credentials live only on hardware you own. HearthPilot is self-hosted by default. Schalliol Automation runs no server that stores or can read your vendor credentials, device state, automation history, or home media — because your home never passes through our infrastructure in the first place. There is no Schalliol-held copy of your home to read, leak, or hand over.

This is the differentiator the wedge customer pays for. Compromising on it later destroys the brand permanently, so we ship it from day one.

Where everything actually lives

Your device is the most-trusted tier; there is no Schalliol cloud in your data path at all. The whole stack inverts standard SaaS trust.

  • Your device — iPhone or iPad — holds the trust root. A per-household master key is created at first launch and its only copy lives in your iCloud Keychain, which Apple encrypts end-to-end. We can't read it. Apple can't read it for us.
  • The Brain — a small Node.js runtime you install on a Mac, NAS, or Pi you own. It holds your vendor credentials encrypted at rest, runs the premium-gear integrations, and talks to your local devices. It is reachable from your phone over an HTTPS tunnel you provision; that tunnel is the Brain's only network entry point, and because you provision it, keeping it closed to anything but your own devices is part of the same owner responsibility as the hardware itself. Schalliol Automation has no access to the Brain, its data, or the devices it controls.
  • No Schalliol server in the middle. There is no hosted HearthPilot backend holding your home today. The app talks to your Brain; your Brain talks to your devices. We are not in that path.

What we actually have

Nothing. Because we run no server in your data path, there is no Schalliol-held database, credential store, or log of your home for a breach or a subpoena to reach. The working key your Brain uses to open its encrypted credential store is derived on demand from the root key in your iCloud Keychain, exists only in the Brain's memory while it is needed, and is never written to disk or sent to us.

An honest limit: physical access to your Brain

We will not claim something we can't back up. The Brain runs on a computer in your home, and like any computer, someone with physical access to your powered-on, unlocked Brain hardware (or administrative access to the operating system it runs on) can read its working memory, including the derived key while the process is running. That is explicitly out of scope for HearthPilot's privacy guarantees: it is the same caveat that applies to any laptop, NAS, or server in your house, and securing the physical device and its operating system is the owner's responsibility. What we can promise is the part we control: we hold no copy of your credentials or home and have nothing to surrender.

The AI sees names, not your home

HearthPilot's optional room-association feature sends only device and room names to Anthropic's Claude API to suggest which room each device belongs in. No device state, credentials, IP addresses, MAC addresses, emails, or telemetry are ever sent. Names are the one thing that does leave your home, and since you chose them, a name can itself be personal; that is why the feature is opt-out: you can turn it off entirely in Settings, and it can be disabled on the Brain as well. Anthropic processes that data under its own privacy policy.
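The names-only request described above, as an added example of how a Brain could build it so that nothing else can ride along. This is illustration code, not HearthPilot's own: the inventory shape, the two settings flags, and the address and email patterns are assumptions, the sample inventory is constructed, and the real request to the Claude API is not made here.

```javascript
'use strict';

// Patterns for the things that must never leave the house. Deliberately broad:
// a false positive blocks one request, a false negative leaks.
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;
const MAC = /\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b/i;
const EMAIL = /[^\s@"]+@[^\s@"]+\.[^\s@"]+/;

// Project the Brain's full inventory (constructed shape, an assumption) down to
// names only, then scan the serialized result before it can be sent.
function buildRoomAssociationPayload(inventory, settings) {
  // Either switch, app-side or Brain-side, disables the feature outright.
  if (!settings.appAiEnabled || !settings.brainAiEnabled) return null;

  // Allowlist projection: no property is copied unless it is named here.
  const payload = {
    devices: inventory.devices.map((d) => ({ name: String(d.name) })),
    rooms: inventory.rooms.map((r) => String(r.name)),
  };

  // Defence in depth: names are user-chosen, so make sure none of them smuggles
  // out an identifier the projection would otherwise have stripped.
  const serialized = JSON.stringify(payload);
  for (const [label, re] of [['IPv4 address', IPV4], ['MAC address', MAC], ['email address', EMAIL]]) {
    if (re.test(serialized)) throw new Error(`refusing to send: ${label} found in payload`);
  }
  return payload;
}

// Constructed sample inventory, richer than anything that may leave: state, addresses, tokens.
const SAMPLE_INVENTORY = {
  devices: [
    { name: 'Kitchen Lamp', ip: '192.168.1.20', mac: 'aa:bb:cc:dd:ee:ff', state: { on: true } },
    { name: 'Front Door Lock', ip: '192.168.1.21', mac: '11:22:33:44:55:66', state: { locked: true }, vendorToken: 'tok-constructed' },
  ],
  rooms: [
    { name: 'Kitchen', id: 7, owner: 'owner@example.com' },
    { name: 'Hall', id: 8 },
  ],
};
const ALL_ON = { appAiEnabled: true, brainAiEnabled: true };

function demo() {
  const payload = buildRoomAssociationPayload(SAMPLE_INVENTORY, ALL_ON);
  const wire = JSON.stringify(payload);
  const offOnBrain = buildRoomAssociationPayload(SAMPLE_INVENTORY, { appAiEnabled: true, brainAiEnabled: false });

  // A device whose name carries an address: the scan refuses the whole request.
  const leaky = { devices: [{ name: 'Camera at 192.168.1.50' }], rooms: [] };
  let leakBlocked = false;
  try { buildRoomAssociationPayload(leaky, ALL_ON); } catch { leakBlocked = true; }

  return {
    wire,
    leaksNothing: !/192\.168|aa:bb|tok-constructed|owner@example/.test(wire), // must be true
    offOnBrain,   // must be null
    leakBlocked,  // must be true
  };
}
```

The projection is the real control: it copies only `name`, so no new inventory field can leak by accident when the schema grows. The regex scan is a second line for the case the allowlist cannot cover, a user-chosen name that happens to contain an address, and it fails closed by refusing the request rather than trimming the name.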

One safety gate the AI cannot bypass

Every high-consequence action — unlocking a door, disarming security, opening a water valve, igniting a gas fireplace — routes through a single confirmation gate on your Brain. There is one source of truth for what counts as high-consequence, and every path to your devices goes through it: a tap, a Scene, a whole-home Mode, or an AI-composed plan. An AI proposal is never a standing pre-authorization; the high-consequence step is held for your explicit confirmation, every time. The AI proposes; you approve.

No microphone, no camera, no always-listening layer

The app requests no microphone and no camera permission. Plain-English scenes and AI requests are typed, not spoken — there is no voice capture and no always-listening layer anywhere in the product. The app also uses no advertising identifier, no third-party analytics SDKs, and no third-party crash reporters.

Recovery

Your root key lives in your iCloud Keychain, so recovery follows your Apple ID: a replacement iPhone signed into the same Apple ID gets the key back the same way it gets your saved passwords back. That also means the key is protected, and recoverable, exactly as well as your Apple ID is, so keep two-factor authentication turned on. You always have a path back into your own data; we never have a path into it.

Planned — coming with hosted HearthPilot

Everything in this section is on the roadmap, not shipped, and not live today. We list it so you know where HearthPilot is headed — not to describe what runs now. Until it ships, HearthPilot is self-hosted only, exactly as described above.

  • A hosted Brain option for households without their own always-on hardware. When and if it ships, its planned design runs the LLM-intent path inside an attested confidential-compute enclave (AWS Nitro Enclaves) whose binary hash is published and independently verifiable, with a public transparency log, so a client can check the enclave's attestation against the published hash before encrypting anything to it. Apple's Private Cloud Compute follows the same publish-and-verify pattern. None of this is built yet.
  • A dedicated HearthPilot Hub appliance, validated NAS installs, and broader social/recovery options are future phases, not current features.

What's covered, what isn't

The architecture above applies to the HearthPilot product: your devices, your credentials, your home state, your automation history — all of which live on hardware you own.

The HearthPilot waitlist (this site's email signups, when the form goes live) will be stored in a third-party email service. The privacy architecture above does not apply to the marketing waitlist — the marketing list contains email addresses only, never device credentials or home data.

Questions, reports, audits

For security disclosures, email security@hearthpilot.com. For privacy questions, privacy@hearthpilot.com. Reports are read by the founder.