Thermostatless

Legal

Privacy Policy

Effective May 2, 2026

Summary

Thermostatless is a thermostat controller. We collect the minimum data required to let you control your HVAC equipment from your phone, your laptop, and your browser. We do not sell your data, we do not run third-party analytics or ad SDKs in the mobile app, and we do not track you across other apps or websites.

What this policy covers

This policy applies to the Thermostatless mobile app for iOS and Android, the dashboard at thermostatless.com, and the backend API at api.thermostatless.com (collectively, the "Service").

Information we collect

Account information

We require an account to associate devices with you and keep them synchronized across your phones, tablets, and browsers. You can sign up with any of the following methods:

  • Email and password. We store the email address you choose. Passwords are never visible to us — Firebase Authentication hashes and stores them.
  • Sign in with Apple. Apple sends us a stable user identifier and, if you choose to share it, your name and email (which may be a private relay address). Apple does not share your password.
  • Sign in with Google. Google sends us your name, email address, and profile picture URL. Google does not share your password.
  • Phone number (web only, planned for mobile). Used solely to verify the device you sign in from.

Whichever method you choose, we receive a Firebase Authentication user ID (UID) and the email or phone associated with the sign-in. We do not request additional permissions or scopes from Apple or Google beyond what's needed to identify you.

Device and operating data

We store the configuration and reported state of any Thermostatless module you register: a device identifier, mode (Off / Heat / Cool / Auto / Eco), fan setting, current temperature, setpoints, schedule entries, and hold state. This data lives in Firebase Realtime Database in the United States and is read by every client you sign in from so the dashboard reflects reality.

Bluetooth

The mobile app requests Bluetooth permission so it can scan for and connect to nearby Thermostatless modules over Bluetooth Low Energy. The Bluetooth radio is used only to discover, pair with, and exchange state with your own Thermostatless hardware. We do not scan for, log, or transmit information about other Bluetooth devices in your environment, and we do not perform background Bluetooth scans.

Network diagnostics

Our backend logs standard HTTP request metadata (timestamp, route, response code, and IP address) for short-term debugging and abuse prevention. These logs are retained for 30 days and are not used for advertising or profiling.

Information we do not collect

  • We do not collect contacts, photos, microphone, camera, or location data.
  • We do not embed third-party analytics, advertising, or tracking SDKs in the mobile app.
  • We do not sell or rent personal information to anyone.

How we use the information

  • To deliver core functionality — register modules, sync state, send commands.
  • To keep the Service secure and operational.
  • To respond to support requests you send us.

Service providers

We use Google Firebase (Realtime Database, Authentication, and Cloud Functions) for backend infrastructure, and Vercel for hosting the website. Both providers act as processors on our behalf and store data in the United States.

Data retention

Device state and configuration are retained as long as the device is registered to your account. You can remove a device at any time from the mobile app or the dashboard, which deletes its state from our database.

Account deletion

You can permanently delete your account from inside the mobile app at Settings → Account → Delete account, or from the website at Settings → Account. Deleting your account immediately:

  • Releases ownership of every Thermostatless module registered to you, so the same modules can be re-registered by anyone.
  • Removes your authentication record (email or Apple/Google identifier).
  • Removes all device state and schedules associated with your user ID.

The deletion is irreversible. Standard backend logs (HTTP request metadata) age out automatically within 30 days.

Your rights

In addition to in-app deletion, you can request a copy of the data we hold about you, or ask us to delete it, by emailing the address below. We respond within 30 days. Residents of California, the European Economic Area, and the United Kingdom have additional rights under their local privacy laws (CCPA / GDPR / UK GDPR), which we honor.

Children

Thermostatless is a utility for adults managing HVAC equipment. The Service is not directed at children under 13, and we do not knowingly collect data from them.

Changes to this policy

If we make material changes, we will update the effective date at the top of this page and, when appropriate, notify you in the app or by email.

Contact

Questions, requests, or concerns: support@thermostatless.com.