Security & Privacy

Domio connects directly to your Indigo server. Your home data stays on your network — we never see it.

Private by design

Domio is a remote control, not a cloud service. It talks directly to your Indigo server over your local network or your own reflector — no intermediary, no data collection, no accounts to create.*

* Push notifications are the one exception — they're relayed through a stateless Cloudflare Worker that forwards and forgets. Details below.

  • No analytics or tracking

    Zero third-party SDKs. No usage data leaves the app. We don't know how many devices you have or how often you use Domio

  • Credentials in iOS Keychain

    Your server address and login are stored in the secure enclave — never transmitted except to your own Indigo server

  • Direct WebSocket connection

    Domio connects straight to YOUR Indigo server — no cloud relay, no man-in-the-middle. On WiFi it stays entirely on your local network

  • Voice stays with your provider

    Voice queries go directly to Claude, ChatGPT, Grok, or your local model. Domio never stores, logs, or relays your voice data

Push notifications — the one exception

Push is the only feature that touches infrastructure outside your network. Here's exactly what happens.

A Cloudflare Worker, not a server

Notifications are relayed through a stateless Cloudflare Worker — a tiny function on Cloudflare's edge network. It validates your subscription, forwards the notification to Apple, and immediately discards the content. There is no server, no database of notifications, and no way to read your messages after they're delivered.

Push notification flow: Your Indigo Server sends to the Push Relay (a Cloudflare Worker), which forwards to Apple APNs, which delivers to Your iPhone.

What the relay sees

  • APNs device token — an opaque Apple identifier, not your phone number
  • Subscription proof — an Apple-signed receipt, verified cryptographically
  • Notification content — in transit only, immediately discarded after delivery

What's stored

  • Subscription status and app identifier in Cloudflare KV
  • Nothing else — no notification text, no device data, no personal information
  • Expired records auto-delete after 90 days

Authentication

  • All connections use TLS (HTTPS)
  • HMAC-SHA256 signed tokens authenticate each request
  • Apple JWS certificate chain validates subscription proof
  • No passwords or payment data ever touch the relay

Infrastructure

  • Cloudflare Workers — runs on the edge, no persistent server
  • No traditional database — just a KV store for subscription status
  • No logging of notification content
  • Source code available on request

Questions?

If you have questions about how Domio handles your data, we're happy to go into as much detail as you need.

Ask on the Indigo forum →