Privacy Policy
Last updated: March 21, 2026 · Effective: March 21, 2026
1. Introduction
Onsu Home ("we," "us," or "our") is operated by The Kosh Labs LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Onsu Home web application (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
Onsu Home currently supports internet-connected Rinnai tankless water heaters. Onsu Home is an independent product and is not affiliated with, endorsed by, or sponsored by any water heater manufacturer.
Contact: privacy@thekoshlabs.com
2. Information We Collect
2.1 Information You Provide Directly
- Google Account Information: When you sign in with Google, we receive your email address, display name, and profile photo from Google.
- Rinnai Account Credentials: If you link a Rinnai account, we collect and store your Rinnai email and password (encrypted at rest with AES-256) to communicate with Rinnai's API on your behalf.
- Schedules and Preferences: Water heater schedules, temperature preferences, and app settings you create.
- Billing Information: If you subscribe to a paid tier, payment processing is handled entirely by Paddle.com (our Merchant of Record). We do not collect, see, or store your credit card numbers or payment method details. Paddle may share your email address, subscription status, and transaction IDs with us to provision your account.
2.2 Information Collected Automatically
- Usage Data: We collect analytics events (e.g., feature usage, temperature changes, schedule creation) via Firebase Analytics (Google Analytics 4). This data is associated with your Firebase user ID, not your email address.
- Device Data: Water heater status information (temperature, operational state) is read from the Rinnai API in real time and is not stored long-term.
- Activity Logs: We maintain a rolling log of the most recent 200 actions performed through the Service (e.g., temperature changes, recirculation events).
2.3 Cookies and Tracking Technologies
| Cookie / Storage | Type | Purpose |
| --- | --- | --- |
| Firebase Auth | Essential | Authentication session management |
| analytics_consent (localStorage) | Essential | Stores your cookie consent preference |
| _ga, _gid | Analytics | Google Analytics 4 (if consent given) |
| __gads, __gpi | Advertising | Google AdSense ad personalization (if consent given, free tier only) |
| IDE, DSID | Advertising | DoubleClick ad delivery and frequency capping (if consent given) |
| Paddle checkout cookies | Functional | Session management during subscription checkout (set by Paddle.com) |
Analytics and advertising cookies are only set after you provide explicit consent via our cookie consent banner. Essential cookies and localStorage items are required for the Service to function and cannot be disabled.
3. How We Use Your Information
- Service Operation: To authenticate you, control your water heater, execute schedules, and display device status.
- Subscription Management: To manage your subscription tier, enforce feature limits, and process upgrades or cancellations via Paddle.
- Analytics: To understand how users interact with the Service, improve features, and monitor application performance (with your consent).
- Security: To detect abuse, enforce rate limits, and protect the integrity of the Service.
4. How We Share Your Information
- Google: Firebase Authentication, Firebase Analytics (GA4), Google AdSense (advertising on free tier), Cloud Run hosting infrastructure.
- Paddle.com (Merchant of Record): Paddle processes all subscription payments on our behalf. When you subscribe, Paddle collects your payment information directly. Paddle is the seller of record for your subscription and handles invoicing, tax collection, and refunds. Paddle's privacy policy applies to the payment information they collect: paddle.com/legal/privacy.
- Manufacturer API: Your water heater account credentials are transmitted to the manufacturer’s servers to control your water heater. We are not affiliated with or endorsed by any water heater manufacturer.
- We do not sell your personal information.
5. Advertising
If you are on the Free tier, the Service displays advertisements served by Google AdSense. Third-party vendors, including Google, use cookies to serve ads based on your prior visits to this and other websites. You may opt out of personalized advertising by visiting Google Ads Settings or aboutads.info.
Advertising cookies are only set after you provide explicit consent via our cookie consent banner. Paid-tier users (Hot and Blazing) are never shown ads and no advertising cookies are set for them.
6. Data Security
- Rinnai credentials are encrypted at rest using AES-256 (Fernet symmetric encryption).
- All data in transit is protected by HTTPS/TLS.
- The Service runs on Google Cloud Run with Google-managed infrastructure security.
- Firebase Authentication handles session management with industry-standard security.
- We never see or store your credit card or payment method details — these are handled exclusively by Paddle.
7. Data Retention
The following table describes how long we retain different categories of data:
| Data Category | Retention Period |
| --- | --- |
| Account data (profile, preferences) | Until account deletion |
| Schedules (free tier) | Auto-deleted 30 days after creation |
| Schedules (paid tiers) | Until account deletion (no expiry) |
| Activity logs | Rolling 200 most recent entries |
| Analytics data (GA4) | 14 months (Google default) |
| Rinnai credentials (encrypted) | Until you unlink your Rinnai account or delete your account |
| Subscription/billing records | Retained by Paddle per their data retention policy |
8. Legal Basis for Processing (GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, our legal bases for processing personal data are:
- Consent: For analytics and advertising cookies (you may withdraw consent at any time via the cookie consent banner or Account settings).
- Contractual Necessity: For account data, Rinnai credentials, and service operation (required to provide the Service you signed up for).
- Legitimate Interests: For security monitoring, abuse detection, and rate limiting.
9. Your Rights
All Users
- Access: You can view all data we hold about you in the Account tab.
- Deletion: You can delete your account and all associated data using the "Delete Account" button in the Account tab, or by contacting us at privacy@thekoshlabs.com.
- Consent Withdrawal: You can withdraw cookie consent at any time through the cookie preferences option in the Account tab. Withdrawal does not affect the lawfulness of prior processing.
EU/EEA Residents (GDPR)
Under the General Data Protection Regulation, you have the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability. To exercise these rights, contact privacy@thekoshlabs.com. We will respond within 30 days.
California Residents (CCPA)
You have the right to know what personal information we collect and how it is used, to delete your personal information, and to opt out of the sale of your personal information. We do not sell personal information. To exercise these rights, contact privacy@thekoshlabs.com or use the opt-out controls in the cookie consent banner.
10. Children's Privacy
The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately at privacy@thekoshlabs.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
The Kosh Labs LLC
Email: privacy@thekoshlabs.com