Trust and Security
Last updated June 21, 2026
How we handle security, where your data lives, and the third parties we rely on.
Overview
HomeQuotr is built on public records. Our pricing data comes from government building permits, not from consumer submissions or scraped third-party sites, so the most sensitive thing we hold is usually just your account email. This page lays out where data lives, how we protect it, and who we rely on to run the service.
We keep this current. If something here is out of date or you have a security question we have not answered, write to us and we will fix it.
Who Operates HomeQuotr
HomeQuotr is operated by LocalLayer AI LLC, a New Jersey limited liability company. References to "HomeQuotr," "we," "us," or "our" on this page refer to LocalLayer AI LLC and the HomeQuotr service it operates.
Where Our Data Comes From
Every price on HomeQuotr is derived from real building permits filed with municipal agencies. We do not use national averages, self-reported data, or consumer-submitted pricing. The pipeline is the authority.
Because the source data is already public, what we add is the work of organizing, classifying, normalizing, and aggregating it. You can read exactly how on our methodology page.
Subprocessors
These are the third parties that process data on our behalf to run the service. Each one is bound by its own data-processing terms.
| Provider | Purpose | Data handled | Region |
|---|---|---|---|
| Supabase | Managed PostgreSQL database and authentication | Account email, hashed API keys, aggregated permit data | United States (us-east-1) |
| Vercel | Application hosting and serverless compute (origin) | Request and response processing, application logs | United States, global edge |
| Cloudflare | DNS, proxied edge, web application firewall, bot mitigation | Network traffic, IP addresses (hashed for rate limiting) | Global edge network |
| Upstash | Redis for API rate limiting and response caching | Hashed API key identifiers, request counters | United States |
| Sentry | Error monitoring and performance tracing | Error events and stack traces | United States |
| Google Analytics 4 | Aggregate website analytics | Pageview and usage events | Global |
| Google Workspace | Business email and correspondence | Email you send to us | United States |
| Stripe (Planned) | Payment processing for paid subscriptions | Billing contact and payment details | United States |
Stripe is marked planned because billing is not yet live. It will begin processing payment data only when paid subscriptions go live, and this list will be updated at that time.
Security Controls
The controls we run today:
Encryption in transit and at rest
All traffic is served over TLS. Data at rest is encrypted by our database and hosting providers.
Hashed API keys
B2B API keys are stored as Argon2id hashes, never in plaintext. Only a short non-secret prefix is retained for identification.
Row-level security
Database tables enforce row-level security so service access is scoped and account data is isolated.
Tiered access and rate limiting
Every API key is gated by subscription tier, with per-minute burst limits and monthly quotas enforced at the edge and the application layer.
Security headers and CSP
Responses carry a content security policy and a full set of security headers across the site.
Signed webhooks
Outbound data-refresh webhooks are signed with a per-subscription HMAC-SHA256 secret so you can verify every payload before you trust it.
Your Data and Privacy
Consumer accounts hold very little: an email address and your saved searches or price alerts. B2B accounts add an organization and API key records. We do not sell personal data, and we do not run third-party ad networks on the site.
What we collect, why, and how to delete it is spelled out in our privacy policy. You can delete your account at any time from your account settings or by contacting support.
Compliance Posture
We are honest about where we are. HomeQuotr does not yet hold its own SOC 2 attestation. We run on infrastructure providers that do maintain independent security certifications, including Supabase, Vercel, Cloudflare, and Google, so the platform beneath us is audited even while our own program matures.
As we onboard underwriting-grade customers, formal attestations are on the roadmap. If your procurement process needs specific documentation, ask and we will tell you exactly what we can provide today.
Report a Vulnerability
If you find a security issue, tell us before disclosing it publicly and we will work with you to fix it quickly. Email [email protected] with the details and steps to reproduce.
Please do not run tests that degrade the service for others, and:
- No denial-of-service or load testing against production
- No automated scraping or bulk data extraction (see our terms)
- No accessing or modifying data that is not yours
Act in good faith and we will treat your report in good faith.
Contact
Questions about security, data handling, or this page:
- Email: [email protected]
- Company: LocalLayer AI LLC (operator of HomeQuotr)
- Location: New Jersey, United States