dom.io

I. Privacy

A remote control, not a cloud service.

Your home, your data

dom.io connects directly to your Indigo server. There is no intermediary, no data collection, and no accounts to create. Your home data stays on your network — we never see it.

Push notifications are the one exception — they're relayed through a stateless Cloudflare Worker that forwards and forgets. Details below.

II. The app

Private by design.

Four things the app does — and doesn't do — that follow from one principle: your Indigo server is the only thing dom.io needs to talk to.

Zero SDKs

No analytics or tracking

No usage data leaves the app. We don't know how many devices you have or how often you use dom.io.

Secure enclave

Credentials in iOS Keychain

Your server address and login are stored in the secure enclave — never transmitted except to your own Indigo server.

No relay

Direct WebSocket connection

dom.io connects straight to your Indigo server — no cloud relay, no man-in-the-middle. On WiFi it stays entirely on your local network.

Your provider

Voice stays with your provider

Voice queries go directly to Claude, ChatGPT, Grok, or your local model. dom.io never stores, logs, or relays voice data.

III. The exception

Push notifications — the one exception.

Push is the only feature that touches infrastructure outside your network. Here's exactly what happens.

A Cloudflare Worker, not a server.

Notifications are relayed through a stateless Cloudflare Worker — a tiny function on Cloudflare's edge network. It authenticates your device, forwards the notification to Apple, and immediately discards the content. There is no server, no database of notifications, and no way to read your messages after they're delivered.

Push notification flow: Your Indigo Server sends to the Push Relay (a Cloudflare Worker), which forwards to Apple APNs, which delivers to your iPhone.

What the relay sees

  • APNs device token — an opaque Apple identifier, not your phone number
  • Subscription proof — an Apple-signed receipt, verified cryptographically
  • Notification content — in transit only, immediately discarded after delivery

What's stored

  • Subscription status and app identifier in Cloudflare KV
  • Nothing else — no notification text, no device data, no personal information
  • Expired records auto-delete after 90 days

Authentication

  • All connections use TLS (HTTPS)
  • HMAC-SHA256 signed tokens authenticate each request
  • Apple JWS certificate chain validates subscription proof
  • No passwords or payment data ever touch the relay

Infrastructure

  • Cloudflare Workers — runs on the edge, no persistent server
  • No traditional database — just a KV store for subscription status
  • No logging of notification content
  • Source code available on request

IV. Questions

Happy to go deeper.

If you have questions about how dom.io handles your data, we're happy to go into as much detail as you need.

Ask on the Indigo forum