HomeFront collects no user data. No telemetry. No analytics. No tracking. Everything runs on your device.
What We Collect
Nothing. HomeFront does not collect, store, transmit, or sell any personal data. There is no account system. There is no analytics SDK. There are no crash reporters. There are no usage trackers. The app runs entirely on your device.
How DNS Filtering Works
HomeFront filters DNS queries using a blocklist stored locally on your device. When an app or website attempts to connect to a known malicious, phishing, or tracking domain, HomeFront blocks the request before it leaves your device. No DNS queries are routed through our servers. There is no VPN, no proxy, and no middleman. The blocklist is downloaded and updated periodically as a static file.
How Breach Checking Works
HomeFront checks whether your email addresses or passwords have appeared in known data breaches using the Have I Been Pwned (HIBP) API with k-anonymity.
Here is exactly what happens:
- Your email or password is hashed locally on your device using SHA-1
- Only the first 5 characters of the hash are sent to the HIBP API
- HIBP returns all matching hash suffixes for that prefix
- Your device checks the response locally to determine if there is a match
- Your full email, password, or complete hash never leaves your device
This is the same technique used by 1Password and other security tools. HIBP cannot determine which hash you were checking.
Third-Party Services
HomeFront communicates with three external services. Here is exactly what data is sent to each:
- Have I Been Pwned (haveibeenpwned.com) — Receives the first 5 characters of a SHA-1 hash during breach checks. Never receives your email or password.
- ThreatFox (abuse.ch) — HomeFront downloads threat indicator lists from ThreatFox to update its local blocklist. No user data is sent.
- URLhaus (urlhaus.abuse.ch) — HomeFront downloads malicious URL lists from URLhaus to update its local blocklist. No user data is sent.
- Steven Black's hosts (GitHub) — HomeFront downloads community-maintained ad and tracker blocklists to block advertising and tracking domains. No user data is sent.
- Pete Lowe's Ad Servers (pgl.yoyo.org) — HomeFront downloads a curated list of known advertising domains. No user data is sent.
That is the complete list. There are no other network requests. No analytics endpoints. No telemetry beacons. You can verify this yourself with a network monitor.
Data Retention
HomeFront retains no data on any server because HomeFront has no server. All scan results, security scores, and configuration are stored locally on your device in the app's sandboxed container. Uninstalling HomeFront removes all associated data.
Children's Privacy
HomeFront does not collect personal information from anyone, including children under 13. Because the app collects no data whatsoever, there is no COPPA concern. HomeFront is safe for users of all ages.
Contact
If you have questions about this privacy policy, contact us at privacy@gethomefront.app.
Changes to This Policy
If we change this privacy policy, we will update this page with the new effective date. Given that our policy is "we collect nothing," meaningful changes are unlikely. If we ever did collect data in the future, we would require explicit opt-in consent and update this policy before any collection begins.