Security
This app runs locally, reads your Venstar thermostat data locally, and communicates with your Venstar thermostat locally to control it. No data about your thermostat is sent out or stored anywhere other than locally on your phone (and that is only the IP address [see Settings below for more info]).
The only data that can be sent out and stored externally are the API key you provide, the thermostat display name you provide and your phone’s device token for the app (see External data below for more info). This happens only if you are using push notifications and/or the remote mode feature, and even then none of it is data tied to, about or from your thermostat. No other data about your phone is collected, stored or sent anywhere.
Settings
The only data stored on your phone is what you provide on the settings page, which is the IP address of your thermostat, the display name you want to give to the thermostat in the app, the chosen theme and refresh button position, your chosen setting for remote mode and the API key. The API key is stored in your phone’s keychain for extra security. The API key is also processed externally (see API key below for more info).
External data
API key
In order to connect the iPhone app to the companion app, so you can receive push notifications and/or use the remote mode, it is necessary for us to store your API key. When you add an API key in the app settings, it is sent to and stored securely on our server, along with the thermostat display name you provided in the app settings (just for a custom title on the push notification). The key is hashed before being placed in our database, which is also why we enforce the UUIDv4 format.
Push notifications and device token
In order to receive push notifications, it is necessary for us to also store your device token. The device token is generated by your phone when you allow push notifications in our app and is unique to our app. When you allow push notifications and add an API key in the app settings, these two items are sent to and stored securely on our server, along with the thermostat display name you provided in the app settings.
- To be clear, your device token is only sent to and stored on our server if you have allowed push notifications for the app and have also added an API key in the app. If, for example, you allowed push notifications, but then didn’t add an API key, no info at all (so neither the API key, nor the device token, nor the thermostat name) would be sent to our server.
Remote mode and thermostat data
If you are using the remote mode, the data you see in the app is actually coming directly from the companion app. The app on the phone is not sending any extra data out to our server when remote mode is enabled. For more info on the companion app, as well as a link to its GitHub repo, where you can download it and read about how it uses/sends data, see here.
Don’t send any external data
If you would like to make sure no data is ever sent externally, never save the settings page with a valid UUIDv4 key entered in the API Key field.