Maybe this is answered, and I couldn’t find it. If so, I apologize.
I am considering using the HA Cloud service. It looks like it’s similar in practice to using a reverse proxy, with little to no storage of information at Nabu Casa. Frankly I think this is great and I am bewildered by the posts I have seen from people asking for cloud storage. If you like someone else having all your data stored where you only kind of own it, then there are tons of other easy options available.
However, after many years of experience, I know that there is no such thing as zero storage of digital information. I trust Nabu Casa when they say they won’t use the information for profit, but that doesn’t mean they don’t store something, even if it is for a short time and just for diagnostic or basic operational purposes. I also know from many years of professional experience that governments are always interested in that stored data. For example, if I was a federal agent investigating a group of dissidents (or terrorists), I might be interested in seeing every time a front-door contact sensor went off at a particular house in the past few days, or the IMEI and IMSI numbers of the mobile devices used to access a cloud account associated with a specific email address. Nabu Casa is based in Irvine, CA, so they are subject to subpoenas and warrants from US law enforcement agencies.
So, my question is, if Nabu Casa was compelled for whatever reason (legal, ethical, moral, whatever…) to disclose my information to someone else (namely a government), what could they disclose?
Would it only be encrypted messages? I assume they could share my login information and device information. They could likely also share info about the external services (amazon, etc.) that I might be connecting with.
I understand it’s all open source, which gives me some comfort, but I am not a software developer, so I can’t read the code and see what is being sent and how it might get stored.
None of this is a deal breaker. I know enough about the way the real-world works to know that I can’t hide if a government really wants to get my digital data. The only saving grace is that it’s rarely worth the effort for the government to really try, even for big cases. I just want to know what is actually being stored going in, and frankly the documentation is surprisingly thin on that topic for a company that places such an emphasis on security and openness.
My 5 cents: until i do something stupid i tend not to break my brains with such things. So far i didn’t do anything illegal (yet😂 at least nothing i know off), so i have nothing to hide. Consequently such details are less important to me than weather in Africa (i’m from EU). I tend to trust NabuCasa that they won’t do it (unless in special situations, as you suggest; then they have to…); there’s really nothing i can do even if i would care (apart from stop using their services).
There’s a line you have to draw, otherwise your life changes to living hell on earth… for instance google or apple know your phone data, position etc…in the moment connect, etc…
Yeah. I am not especially worried about be chased down by the government for anything I have done. Of course, if you wait until you know they are after you, then it’s already too late. 
Also, as I said, I trust that Nabu Casa won’t sell my data, but they could easily be forced to disclose it, or even voluntarily disclose it, if they felt ethically obligated to do so.
I promise, I’m not paranoid, but I do like to know what other people know about me.
For example, I am quite aware of the insane level of detail Google collects about my life, and how often they share that data (for money or as a result of legal request). I also know that their collection and analysis goes far beyond what they put in the file that can be downloaded from their “Data and Privacy” link. Despite this knowledge I currently have no less than three cellular devices, between work and personal use, with multiple google services running on each. I don’t get too worked up about it, but I also know approximately what they can share about me.
I do trust that Nabu Casa’s intentions are noble. It’s the primary reason why I am moving towards using HA for my IOT stuff. I just found it a little odd that they don’t disclose more about what they might at some time be forced to disclose, if it comes to that.
Also, after some research I’m pretty sure that they only collect the exact same stuff any online service has to in order to function. Namely my account info (which would include billing info with my name and address) and basic connection activity logs (which probably includes info about my devices, IP address, timestamps, etc). Nothing to get worked up about, and far less than most.
Exactly this. If you’re just looking at all of the information that you give them as a customer, there’s very little info they have (outside of whatever logs from when you use their service for remote access, etc.). On the list of services to be concerned about in regards to collecting data on me, I feel pretty confident Nabu Casa is down at the bottom. Like the very bottom.