How-To
Home Assistant Privacy Defaults: How to Harden Your Local Setup
Audit Home Assistant privacy settings in 2026: analytics off by default, Labs device database opt-in, app protection mode, and local-only egress for HA OS.
Home assistant privacy settings in 2026 are not one master switch—they are a stack: core telemetry stays off until you opt in, optional Labs device sharing is separate from day-to-day automations, and apps (formerly add-ons) need explicit protection mode and network boundaries. For a hardened local posture, leave Settings → System → Analytics disabled, keep Labs → device analytics off unless you choose to contribute, enable protection mode on every app that supports it, and pair HA with IoT VLAN egress policy so integrations cannot phone home without you noticing.
Quick answer: What Home Assistant privacy settings should I change first?
Start at Settings > System > Analytics and confirm every tier is disabled. In Settings > System > Labs, leave device analytics off unless you want to contribute to the OHF device database. On Home Assistant OS, enable protection mode on each app, audit cloud-linked integrations, tune Recorder retention, and enforce IoT VLAN firewall rules so only required WAN destinations are allowed.
Methodology: how this audit matrix was built
On 2 June 2026, we walked the public Home Assistant 2026.2 documentation for Analytics, the 2026.2 release notes (device database in Labs), and the privacy FAQ. We scored each control by egress risk (does it open a new outbound channel?) and reversibility (can you disable without reinstall?). We did not benchmark automation latency or UI responsiveness—only data-leaving-the-home boundaries.
Where I’m less sure — exact onboarding wording shifts between 2026.2.x patch releases; if your wizard shows pre-checked analytics boxes, treat that as a regression and screenshot before continuing. Anecdotally, long-time installs upgraded from 2025.x retain prior analytics choices until you revisit Settings → System → Analytics manually.
Original research: Home Assistant privacy control matrix (June 2026)
This citable dataset maps the controls readers search as “privacy mode” into measurable egress tiers. Scores are editorial (1 = local-only, 5 = routine outbound telemetry), not a Home Assistant official rating.
| Control | UI path (HA OS / core) | Default (June 2026) | Egress if left default | Reversible | Privacy score (1–5) |
|---|---|---|---|---|---|
| Basic analytics | Settings → System → Analytics | Off (opt-in) | Version, install type, country code | Yes | 4 when enabled |
| Usage analytics | Same | Off | Integration names, app versions | Yes | 4 when enabled |
| Statistics | Same | Off | Counts only (entities, automations) | Yes | 3 when enabled |
| Diagnostics (Sentry) | Analytics → Diagnostics | Off | Crash reports (Supervisor/OS) | Yes | 4 when enabled |
| Device analytics (OHF DB) | Settings → System → Labs | Off | Anonymized device metadata | Yes | 4 when enabled |
| Home Assistant Cloud | Settings → Home Assistant Cloud | Off until linked | Remote UI, voice bridges | Yes | 3 when enabled |
| Home Assistant Alerts | Core integration (default_config) | On | Pulls security advisories | Disable in YAML | 2 |
| App protection mode | Settings → Apps → per app | Varies | Restricts app capabilities | Per app | 1 when enabled |
| Cloud-linked integration | Settings → Devices & services | Per integration | Vendor API calls | Remove integration | 5 for cloud-only gear |
Sharing analytics is completely optional. Nothing is sent from your installation unless you explicitly opt in.
What “Privacy Mode” actually means in Home Assistant
Search results mix three different ideas:
- Platform privacy defaults — analytics and Labs sharing are opt-in; local protocols (Zigbee, Z-Wave, Matter, Thread, ESPHome) do not require a Home Assistant cloud account12.
- Device privacy mode — camera and vacuum integrations expose vendor switches (Reolink, UniFi Protect, Amcrest) that physically mask lenses or stop recording; unrelated to core telemetry3.
- App protection mode — Supervisor/App security that limits what containerized apps can reach on your host4.
This guide focuses on (1) and (3) plus network policy. For camera-specific privacy switches, see community threads on local-only shutter control; for platform telemetry, stay in Settings → System.
Terminology note: As of June 2026, Home Assistant does not ship a single menu item literally named “Privacy Mode” for the whole install. The hardened posture is defaults + deliberate opt-ins + app hardening.
Audit Settings → System → Analytics (telemetry tiers)
Open Settings → System → Analytics on a desktop browser so you can read descriptions side-by-side with logs.
| Tier | What leaves your LAN when enabled | Who should enable it |
|---|---|---|
| Basic analytics | UUID, HA version, install type, country/region derived from IP | Contributors supporting the public roadmap |
| Usage analytics | Integration names, custom integration versions, recorder engine, app list | Power users comfortable publishing stack fingerprints |
| Statistics | Aggregate counts (entities, automations, users) | Same as usage—lower sensitivity, still identifying when combined |
| Diagnostics | Crash reports via Sentry (Supervisor/OS scope) | Debugging unstable Supervisor builds—not routine production |
Working checklist — analytics
Analytics hardening (5 minutes)
- Confirm all four analytics toggles are disabled unless you have a written reason to enable them.
- Restart is not required; changes apply immediately per official docs.
- After any accidental enablement, read Settings → System → Logs for “Submitted analytics” lines.
- Use Preview device analytics (when Labs sharing is on) before leaving device analytics enabled.
- Re-audit after major upgrades (2026.2 introduced Labs device sharing paths).
Official behavior: payloads send 15 minutes after startup, then about every 24 hours while enabled, and the integration prints what was sent to your log2. That log line is your ground truth—do not assume UI labels alone.
Steel-man: why you might opt in anyway
The Home Assistant project uses aggregated install data to prioritize integrations and to show manufacturers that local control has mass adoption—arguments that helped unlock local APIs on hardware that previously demanded cloud accounts2. The 2026.2 device database extends that story with anonymized hardware fingerprints so buyers can see real-world compatibility before purchase5.
Rebuttal: when opt-out is the right default
If your threat model includes correlation (integration list + country + entity counts ≈ household fingerprint) or regulatory minimization, keep everything disabled. You can still support the project financially or via code without exporting stack metadata. Preview tooling exists precisely because transparency without participation should be possible5.
Verdict: For a privacy-first smart home blog reader, leave all analytics off unless you consciously trade metadata for community signal—and revisit quarterly.
Labs and the 2026 device database (opt-in only)
Home Assistant 2026.2 moved the Open Home Foundation device database behind Settings → System → Labs. Enabling it exposes Device analytics under the main Analytics page and uploads anonymized device metadata—not live entity states—to OHF infrastructure56.
Before enabling:
- Read the Data Use Statement linked from Labs.
- Use Preview device analytics (top-right on the Analytics page when Labs is active)6.
- Remember HACS-only devices may be absent from the public database even if your home uses them daily6.
| Question | Answer |
|---|---|
| Does this replace local control? | No — automations still run on your hardware. |
| Can you opt out later? | Yes — disable Labs; server-side retention is bounded (60 days without updates for standard analytics KV)2. |
| Privacy impact vs basic analytics | Adds device model/manufacturer class signals—higher shopping fingerprint than counts alone. |
Pair this section with how to block IoT internet access so unrelated gadgets do not undermine HA’s local posture.
Harden apps (add-ons) with protection mode and least privilege
On Home Assistant OS, apps run as supervised containers. Protection mode (per app) reduces host access—enable it everywhere the app still functions. As of June 2026, the UI label is Apps (renamed from add-ons in 2026.2)6.
| App role | Protection mode | Network note |
|---|---|---|
| Mosquitto MQTT broker | Enable | Bind to LAN; TLS for Wi-Fi clients (MQTT TLS guide) |
| Frigate NVR | Enable | Keep cameras on NVR VLAN; HA reads RTSP locally |
| File Editor / Studio Code Server | Enable + strong auth | Never port-forward; use VPN/tunnel if remote |
| Cloudflared / DuckDNS | Evaluate need | Outbound-only tunnel still exposes access path—see Cloudflare vs DuckDNS vs Nabu Casa |
Remove apps you do not run. Each idle app is a patch surface and sometimes a latent egress channel (update checks, health pings).
Worked example: Jordan’s Green install (Denver, 186 entities)
Jordan runs Home Assistant OS 2026.2.3 on a Home Assistant Green with ZHA (≈42 Zigbee devices), ESPHome plugs (11), and Frigate on a mini PC—not on the Green itself. Goal: no outbound telemetry, remote access only via WireGuard into the LAN.
| Step | Action | Outcome |
|---|---|---|
| 1 | Disabled all Analytics tiers + Labs device analytics | No scheduled analytics payloads2 |
| 2 | Declined Home Assistant Cloud during onboarding | No Nabu Casa relay |
| 3 | Enabled protection mode on Mosquitto + File Editor apps | Reduced host escape risk |
| 4 | Moved Recorder to MariaDB on NAS; 14-day purge | Smaller blast radius on backups |
| 5 | OPNsense IoT VLAN: deny WAN except NTP + HA update window | Cloud-only Tuya fan fails closed (expected) |
Jordan keeps Home Assistant Alerts enabled so security advisories surface in Repairs—accepting a pull model (HA checks for notices) distinct from push analytics7. Where Jordan is less sure — whether Alerts phones home more than the documented repair feed; they log firewall denies monthly to confirm.
Integrations, Recorder, and cloud bridges
Platform defaults do not stop cloud-dependent integrations (Tuya cloud mode, proprietary weather APIs, some robot vacuums). Maintain a spreadsheet: integration name, cloud required (Y/N), last WAN destination seen in firewall logs.
Recorder stores history locally; tune purge and exclude diagnostic entities—details in SQLite vs MariaDB vs InfluxDB. InfluxDB sidecars are still local if hosted on LAN; do not confuse them with analytics uploads.
Remote access options (privacy snapshot)
| Product | Cloud required | Local storage | Mandatory account | Offline control | Score / 10 |
|---|---|---|---|---|---|
| WireGuard to LAN | No (self-hosted) | N/A | No | Full | 9.0 |
| Home Assistant Cloud | Yes (Nabu Casa) | Partial | Yes | Local automations persist | 6.0 |
| Cloudflare Tunnel | Yes (Cloudflare edge) | N/A | Yes | Full locally | 5.0 |
Network-layer hardening (where defaults end)
Home Assistant cannot enforce VLAN segmentation by itself. Place the HA host on a trusted LAN or dedicated automation VLAN; put Wi-Fi IoT on a separate subnet with explicit rules—guest Wi-Fi vs IoT VLAN and OPNsense IoT egress filtering cover the mechanics.
| Layer | Control | Validates |
|---|---|---|
| DNS | Force local AdGuard/Pi-hole; block DoH bootstrap | Hidden DNS on TVs and speakers |
| Firewall | Default-deny IoT → WAN with allow-list | Integration cloud calls |
| HA host | Deny WAN if you accept manual update windows | True offline automations |
After rules deploy, trigger a Zigbee motion light and a Frigate clip—confirm function without general internet on the IoT VLAN.
Decision flow: should you enable outbound sharing?
| Step | Question | If yes | If no |
|---|---|---|---|
| 1 | Do you need OHF device compatibility stats for shopping? | Enable Labs temporarily, preview payload, disable after purchase | Keep Labs off |
| 2 | Are you filing Supervisor crash bugs? | Enable Diagnostics only during debug week | Keep off |
| 3 | Do you want roadmap influence? | Enable Basic analytics only | Keep all analytics off |
| 4 | Is remote access required? | Pick WireGuard or tunnel you audit | Stay LAN-only |
| 5 | Will cloud integrations stay? | Document + firewall allow-list | Replace with local APIs |
Verdict
Home Assistant’s 2026 privacy defaults are already strong: nothing leaves your home until you opt in, and the new Labs device database is visibly separated from core automations25. Your long-term risk is not the core platform—it is cloud integrations, over-privileged apps, and flat networks that let cameras and speakers bypass the policy you set in Settings.
Position: Treat Analytics and Labs as disabled by default, enable protection mode on every app, audit integrations like a firewall change window, and enforce IoT egress at the router. Re-run this audit after each January/February feature release; that is when Home Assistant historically ships privacy-visible Labs features.
FAQ
Frequently Asked Questions
Does Home Assistant have a single Privacy Mode toggle?
No. Core ships privacy-first defaults (analytics and Labs device sharing are opt-in), while integrations and apps add their own cloud paths. Audit Settings, Labs, apps, and network egress together.
Is Home Assistant analytics enabled by default?
No. Nothing is sent until you enable categories under Settings > System > Analytics during onboarding or later. Each tier is independent.
What is the 2026 device database in Labs?
An optional Open Home Foundation project introduced in Home Assistant 2026.2 that uploads anonymized device metadata when you enable device analytics in Labs—not a requirement for local control.
Should I enable Supervisor diagnostics (Sentry)?
Only if you want crash reports sent to Home Assistant developers. For a strict local-only posture, leave diagnostics disabled and rely on local logs and backups.
Does blocking WAN break Home Assistant?
Core and most Zigbee/Matter/ESPHome automations work offline. You lose vendor cloud bridges, some voice assistants, and easy remote access unless you add a deliberate VPN or tunnel you control.
Is Nabu Casa Home Assistant Cloud required?
No. It is optional paid remote access and voice bridge infrastructure. WireGuard, Tailscale, or Cloudflare Tunnel are common self-managed alternatives with different trust models.
Primary Sources
| ID | Source | Direct URL |
|---|---|---|
| 1 | Is my smart home data private? (FAQ) | https://www.home-assistant.io/faq/is-my-data-private/ |
| 2 | Analytics integration | https://www.home-assistant.io/integrations/analytics/ |
| 3 | Home Assistant 2026.2 release notes | https://www.home-assistant.io/blog/2026/02/04/release-20262/ |
| 4 | About the device database (OHF) | https://www.home-assistant.io/blog/2026/02/02/about-device-database/ |
| 5 | Home Assistant privacy policy | https://www.home-assistant.io/privacy/ |
| 6 | Home Assistant Alerts integration | https://www.home-assistant.io/integrations/homeassistant_alerts/ |
| 7 | Device analytics logging discussion (GitHub) | https://github.com/home-assistant/core/issues/162196 |
Dataset (JSON-LD)
{
"@context": "https://schema.org",
"@type": "Dataset",
"name": "Home Assistant privacy control matrix — egress scoring June 2026",
"description": "Editorial scoring of Home Assistant analytics, Labs device database, apps, alerts, and cloud remote-access options by outbound data risk, verified against official documentation on 2 June 2026.",
"creator": { "@type": "Person", "name": "Privacy Smart Home Research Desk" },
"datePublished": "2026-06-02",
"license": "https://creativecommons.org/licenses/by/4.0/",
"isAccessibleForFree": true,
"inLanguage": "en-US",
"url": "https://www.privacysmarthome.com/guides/home-assistant-privacy-defaults-harden-local-setup-2026/#dataset"
}Footnotes
-
Home Assistant privacy FAQ — local data, no mandatory cloud account ↩
-
Analytics integration — opt-in tiers, 15-minute / 24-hour schedule, 60-day KV retention ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
Community/device integrations — per-hardware privacy mode switches (cameras) ↩
-
Home Assistant OS apps — protection mode per app (Supervisor) ↩
-
2026.2 release + OHF device database blog — Labs opt-in, preview tooling ↩ ↩2 ↩3 ↩4
-
2026.2 release notes — Apps rename, Labs device analytics path ↩ ↩2 ↩3 ↩4
-
Home Assistant Alerts — repair advisories via default_config ↩