Security overview
How we approach security for HomeStart. This page describes our practices; it is not a third-party audit or certification report.
1. Overview
HomeStart is a planning tool for first-time homebuyers. We take security seriously because the product can involve sensitive financial information when you choose to connect accounts or save personal data.
This overview explains, at a high level, how the app is built, how access is controlled, and how optional bank linking through Plaid fits in. For how we use personal data, see our Privacy Policy.
2. Product architecture
The HomeStart iOS app talks to Google Firebase services, including Firebase Authentication for sign-in and Cloud Firestore for app data. Server-side logic that must stay private runs in Firebase Cloud Functions on Google Cloud infrastructure.
When you use optional bank linking, the app launches Plaid Link so you can connect financial institutions through Plaid. The exchange of sensitive credentials and institution authorization happens between you and Plaid; HomeStart does not collect your bank password in our app UI for that flow.
3. Authentication & access
- Sign-in is handled by Firebase Authentication (for example, email and password and, if enabled, supported sign-in providers).
- On supported devices you can use biometric lock (such as Face ID or Touch ID) in addition to your device passcode to reduce the risk of casual access on a shared phone.
- Requests from the app to our backend use industry-standard mechanisms so that only authenticated users can invoke protected functions. Session and token handling follow Firebase’s documented patterns.
4. Data protection
- Encryption in transit. Traffic between the app and our services uses HTTPS (TLS).
- Encryption at rest. Data stored in Firebase and Firestore benefits from Google-managed encryption and infrastructure security practices.
- Access control. Firestore is configured so users can read and write data in line with their own account where appropriate. Access rules are designed to prevent one user from accessing another user’s data for the same application features.
- Logging. We aim to avoid logging secrets, full financial access tokens, or unnecessary sensitive detail in application logs. Operational logging is used for reliability and abuse prevention in line with this goal.
5. Plaid integration security
Optional linking to financial institutions is provided through Plaid Link, Plaid’s hosted connection experience.
- Credentials stay with Plaid. When you link an institution, you enter credentials and complete any required steps in Plaid’s interface. HomeStart does not store your bank login password for that flow.
- Limited data for planning. After a successful link, we receive from Plaid the data needed for the product (for example, linked accounts and balances) so we can show savings and planning context in the app. We do not ask Plaid for more than we need for those features.
- Tokens are server-side. Plaid issues tokens as part of the connection process. Exchange and storage of long-lived Plaid access tokens are handled on the server using Firebase Cloud Functions, not embedded in the client app or exposed to other users.
- Your choice. Linking a bank is optional. You can use parts of the product without linking accounts, consistent with in-app options and our Privacy Policy.
Plaid’s own security and privacy practices are described in Plaid’s documentation. Use of Plaid is also covered in our Privacy Policy and, where linked from the app, Plaid’s disclosures.
6. Infrastructure & access controls
- Backend components run on Google Cloud with Firebase, which provides managed patching, physical security, and operational controls for the underlying platform.
- We follow a least-privilege approach for service accounts and automated jobs: each component should have only the permissions required for its role.
- Administrative access to project configuration and data is limited to people who need it for development and operations, and we use secure accounts and strong authentication for that access.
7. User responsibilities
- Keep your device’s operating system and the HomeStart app updated.
- Use a strong device passcode and avoid sharing unlocked access to your phone with people you do not trust.
- Be cautious of phishing: HomeStart will not ask you for your bank password by email. Institution linking happens through Plaid Link inside the app.
- For general account questions, contact hello@homestartapp.com.
8. Reporting security issues
If you believe you have found a security vulnerability in HomeStart, please email security@homestartapp.com. Include a clear description of the issue, steps to reproduce if possible, and your contact information so we can follow up.
We appreciate responsible disclosure and will work to investigate credible reports. Please do not access or modify data that does not belong to you, and do not perform testing that could harm other users or our services.
9. Updates
Security practices evolve as the product grows, as threats change, and as we adopt new controls. We may update this page from time to time. The date below reflects the last revision we note for this document; see the page itself for the current text.
Last updated: 2026-04-11.