Privacy Policy

Last updated: March 2026

1. Introduction

LoxAI ("we", "our", "us") is a self-hosted AI assistant for Loxone smart home owners. This Privacy Policy explains how we collect, use, and protect your information when you use the LoxAI Bridge (local software), our cloud AI service, and the LoxAI website.

Contact: hello@loxai.app

2. Data We Collect

We collect the following categories of data:

  • Account data (e.g. email address, license key)
  • Usage data (e.g. number of AI requests per day)
  • Technical data (e.g. IP addresses for rate limiting)

3. LoxAI Bridge (Local Software)

The LoxAI Bridge runs entirely on your local device (Docker container, Raspberry Pi, or Unraid server). The following data is processed and stored exclusively on your device:

  • Miniserver credentials (AES-256 encrypted in local SQLite database)
  • Sensor values and device information from your Loxone Miniserver
  • Automation rules and execution logs
  • MQTT topics and messages
  • Home Assistant entity data

This data never leaves your local network. The Bridge communicates directly with your Miniserver via WebSocket on your local network. No smart home credentials, sensor data, or personal device information is transmitted to our servers.

4. AI Analysis (Cloud Proxy)

When you create an AI-powered automation, only the following data is transmitted to our cloud server (hosted by Hetzner in Germany):

  • Your free-text input (e.g. "Close blinds when it gets hot")
  • Device names and types (without credentials)
  • MQTT topic names (without message contents)

This data is forwarded to the Claude API (Anthropic, Inc.) for processing. No Miniserver credentials, IP addresses, or personal information is transmitted. AI requests are not stored or logged beyond temporary server logs required for rate limiting and abuse prevention.

5. Account & License

When you register for a LoxAI account or activate a license key, we store:

  • Email address
  • License key and plan type
  • Daily/monthly usage counts (number of AI requests)
  • Last verification timestamp

This data is stored on our server (Hetzner Cloud, Germany) and used exclusively for license management and rate limiting.

6. Payment Processing (Stripe)

For paid features, we use Stripe (Stripe, Inc., USA) as our payment processor. Payment data is processed directly by Stripe. We only receive payment confirmation and your email address. For details, see the Stripe Privacy Policy.

7. Third-Party Services

We use the following third-party services:

  • Anthropic (Claude API) — AI text analysis. Data processed according to Anthropic's Privacy Policy.
  • Hetzner Cloud — Server hosting in Germany (EU). Subject to GDPR.
  • Stripe — Payment processing. See Stripe Privacy Policy.
  • Resend — Transactional emails (license keys, welcome emails).
  • GitHub Pages — Hosting of our landing page.

8. Cookies & Tracking

Our website uses no cookies and no tracking (no Google Analytics, no Facebook Pixel, no advertising networks). All resources (fonts, CSS, icons) are self-hosted — no external CDNs are used and no IP addresses are transmitted to third parties. The LoxAI Bridge does not set any cookies or perform any tracking.

9. Data Retention

  • Server logs (IP, request path): automatically deleted after 30 days
  • AI request content: not stored beyond processing
  • License data: retained as long as the account is active
  • Local Bridge data: stored indefinitely on your device, fully under your control

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All communication with our cloud server uses HTTPS/TLS encryption
  • Miniserver credentials are AES-256-CBC encrypted at rest
  • Rate limiting and brute-force protection on all API endpoints
  • No sensitive data (passwords, tokens) in server logs

11. Children's Privacy

LoxAI is not intended for use by children under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us at hello@loxai.app and we will promptly delete it.

12. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access your stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Withdraw consent (Art. 7(3) GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise your rights, contact us at: hello@loxai.app

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.

Deutsche Version (Datenschutzerklärung)