Security & Privacy
Privacy-first by design
Your Home Assistant tokens stay encrypted in your browser. We never see your credentials — by architecture, not just policy.
Your Home Assistant tokens never leave your browser.
This isn't a policy promise — it's the way the system is built. CasaBoard servers have no route to receive, store, or decrypt your HA credentials.
Stays on your device
Default · all plans
- HA OAuth tokens (encrypted in browser storage)
- HA base URL (unless you opt into cloud sync)
- Decryption keys — never transmitted anywhere
Stored by CasaBoard
All protected by Supabase RLS
- Dashboard & page layouts
- Account & subscription info
- HA instance name + URL (paid cloud sync only, opt-in)
When you open a dashboard, your browser decrypts the HA token locally and opens a WebSocket directly to your Home Assistant instance. Live entity data flows between your device and Home Assistant — CasaBoard servers are not in the path.
Your Browser
Decrypts token locally
WebSocket
Direct · no proxy
Your Home Assistant
On your network
CasaBoard servers are not in this diagram. We have no route to intercept or read live entity data from your home.
How HA tokens are protected
When you authorise Home Assistant, the OAuth flow completes in your browser. The resulting tokens are encrypted immediately using the Web Crypto API and written to local storage. They are decrypted only in your session when a dashboard needs to connect to HA.
Clearing browser data or signing in on a new device requires re-authenticating with Home Assistant — this is intentional. It means no credentials are silently migrated through our servers.
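One way the browser-side token encryption described above can work, as an added example that is not CasaBoard's own code. The page does not state its algorithm or storage layout, so AES-GCM-256, the non-extractable key, the record format and the names createTokenKey, sealToken, openToken and checkStorageProperties are assumptions.

```javascript
// Added example. Assumptions (not from the page): AES-GCM-256, a non-extractable
// key, and this record layout. Sample values below are constructed.
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const enc = (s) => new TextEncoder().encode(s);

// Key that page script can use but never read: extractable = false.
// In a browser the CryptoKey object itself would be kept in IndexedDB.
async function createTokenKey() {
  const { subtle } = await getCrypto();
  return subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt a token into a JSON-safe record for browser storage. The HA base URL
// is bound as authenticated data, so a record replayed under another URL fails.
async function sealToken(key, token, haUrl) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per record
  const ct = await c.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc(haUrl) }, key, enc(token));
  return { v: 1, iv: Array.from(iv), ct: Array.from(new Uint8Array(ct)) };
}

async function openToken(key, record, haUrl) {
  const { subtle } = await getCrypto();
  const pt = await subtle.decrypt(
    { name: 'AES-GCM', iv: new Uint8Array(record.iv), additionalData: enc(haUrl) },
    key, new Uint8Array(record.ct));
  return new TextDecoder().decode(pt);
}

// Exercise each property the storage scheme relies on and report the outcome.
async function checkStorageProperties() {
  const { subtle } = await getCrypto();
  const fails = (fn) => Promise.resolve().then(fn).then(() => false, () => true);
  const key = await createTokenKey();
  const haUrl = 'https://ha.example.invalid';       // constructed sample value
  const token = 'constructed-sample-access-token';  // constructed sample value
  const record = await sealToken(key, token, haUrl);
  const tampered = { ...record, ct: record.ct.map((b, i) => (i === 0 ? b ^ 1 : b)) };
  return {
    roundTrip: (await openToken(key, record, haUrl)) === token,
    exportBlocked: await fails(() => subtle.exportKey('raw', key)),
    tamperRejected: await fails(() => openToken(key, tampered, haUrl)),
    wrongUrlRejected: await fails(() => openToken(key, record, 'https://other.example.invalid')),
    plaintextAbsent: !JSON.stringify(record).includes(token),
  };
}
```

A non-extractable key stops script from exporting the key bytes, but any script running in the page's origin can still call decrypt with it, so this protects stored tokens at rest rather than against cross-site scripting.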
Encryption spec
Row Level Security
Supabase / PostgreSQL
Every table in our database enforces RLS, a built-in PostgreSQL feature. With RLS policies in place, every query is automatically filtered as if it included WHERE auth.uid() = user_id. Even if a query tried to read all rows, the database would only return your own records.
Applies to: pages, sidebars, billing, and optional HA metadata.
Authentication
Supabase Auth
CasaBoard uses Supabase Auth for account management. Sessions are handled via JWT tokens with automatic rotation. All API requests require a valid, verified session — there is no unauthenticated path to user data.
- OAuth sign-in (Google)
- JWT session management
- Middleware protection on all routes
What cloud sync actually stores
Available on paid plans, cloud sync lets you see the same Home Assistant instances when you sign in from a different device. It stores metadata only — the display name and base URL you gave an instance — so you don't have to re-enter it.
OAuth tokens are not included. You'll still need to re-authorise Home Assistant on each new device. Cloud sync removes the URL lookup, not the security step.
Cloud sync stores
- HA instance display name
- HA base URL
Cloud sync never stores
- HA OAuth tokens or refresh tokens
- Passwords or HA admin credentials
- Entity states or smart home data
What the CasaBoard team can see
For support and debugging, certain data is visible to the team. Here's what that includes — and what it structurally cannot include.
We can access
- Account & billing — email, plan, subscription status
- Dashboard metadata — page names, slugs, layout JSON
- Optional cloud sync rows — HA instance name and URL only
- Error logs and analytics — scrubbed of sensitive values
We cannot access
- HA OAuth tokens — not stored in our infrastructure in default mode
- Your HA server, devices, entities, or automations
- Live smart home state — data flows browser↔HA, not through us
- Other users' data — RLS prevents cross-account queries at the database level
Questions about security?
If you have specific questions, found a potential issue, or want a deeper technical explanation of any of the above, reach out directly.
Last reviewed April 2026. This page is updated whenever our data handling practices change.
