Security

This app runs locally, reads your Venstar thermostat data locally, and communicates with your Venstar thermostat locally to control it. No data about your thermostat is sent out or stored anywhere other than locally on your phone (and that is only the IP address [see Settings below for more info]). The only pieces of data sent out and stored externally are the API key you provide, the thermostat display name you provide and your phone’s device token for the app (see API key and device token below for more info). No other data about your phone is collected/stored/sent anywhere.

Settings

The only data stored on your phone is what you provide on the settings page, which is the IP address of your thermostat, the display name you want to give to the thermostat in the app, the chosen theme and refresh button position, and the API key. The API key is stored in your phone’s keychain for extra security. The API key is also processed externally (see API key and device token below for more info).

API key and device token

In order to connect the iPhone app to the companion app, so you can receive push notifications, it is necessary for us to store your API key and device token. The device token is generated by your phone when you allow push notifications in our app and is unique to our app. When you allow push notifications and add an API key in the app settings, these two items are sent to and stored securely on our server, along with the thermostat display name you provided in the app settings (just for a custom title on the push notification). The key is hashed before being placed in our database. And this is also why we enforce the UUIDv4 format.