Privacy Policy
Effective date: July 13, 2026 (beta)
Provided by: the Loomy team (“we”, “us”, “our”)
Loomy is in an invite-only beta. This policy reflects the app's actual
data practices during the beta and will be finalized (including formal legal review) before
general availability. 本政策以英文版本为准。
The short version
Loomy is a private, local-first journal. Your entries, photos, voice notes,
location history, and health readings are stored on your device — we do not run
accounts and we do not keep a copy of your journal on a server.
- No accounts, no login, no email required to use Loomy (beta access uses an
invite code only).
- No advertising, no analytics, no trackers, and no sale of your data. Ever.
- Cloud AI (Google Gemini) is used only when you choose an AI feature (writing
a summary, transcribing a recording, generating an album cover, or a health report). At that
point the relevant content is sent for processing and a result is returned — see
AI features.
- Connecting a wearable (Whoop or Oura) or Apple Health is optional and
you authorize it yourself. Apple Health data is read on your device and is not sent to us.
- You can export all your data at any time and erase everything from
the device with one tap.
This is a summary; the full policy below controls.
1. Scope
This policy explains how the Loomy mobile app handles information. It does not cover
third-party services you connect to Loomy (such as Whoop, Oura, Apple, or Google), which are
governed by their own privacy policies.
2. Information stored on your device
Loomy keeps your content locally in an on-device database and file storage.
This includes, depending on how you use the app:
- Journal entries — text, and the AI-polished versions of them.
- Media — photos you attach and voice recordings you make.
- Location history — GPS points collected in the background (if you grant the
permission), and the “stays”/trips derived from them, plus any places you name.
- Health & wellness data — recovery, sleep, strain, steps, active energy,
workouts and similar metrics synced from a connected wearable or read from Apple
Health (on-device, iOS only), and the mood/energy/body ratings you enter.
- Preferences & settings — language, timezone, reminder time, and similar.
- Credentials — access tokens for wearables you connect are stored in the
device's secure keystore (iOS Keychain / Android Keystore). Loomy has no password of its own.
We do not transmit this on-device data to us. Some of it is sent to third-party processors
only in the specific situations described in Sections 3–5.
3. AI features and what gets sent
When you use an AI feature, Loomy sends the necessary content to Google's Gemini
models to generate a result. Requests are routed through our own lightweight proxy server
(hosted on Cloudflare) so that our API keys are never shipped inside the app; the proxy passes
your request through to Google and does not store your content.
| When you… | What is sent to Google Gemini |
| Compose / “lay out” a day | The day's journal text, a compact digest of that day's metrics, and place/timeline context |
| Transcribe a voice note | The audio recording for that clip |
| Generate an album cover | A short text prompt derived from the day's summary |
| Generate a health report | A de-identified statistical digest (averages, correlations, symptom counts) — not your raw entries |
Google processes this data as a data processor to return the result. Google's handling of API
data is governed by its own terms; we do not use your content to train any model ourselves. If
you never use AI features, no journal content leaves your device through this path.
AI output can be wrong or incomplete and is not professional, medical, or
mental-health advice (see the Terms of Service).
4. Location, weather, and maps
If you grant location permission, Loomy logs your location in the background to build your
daily “footprint” and timeline. This processing happens on your device — your raw
location trace is not uploaded to us or to a routing service. Narrow exceptions send limited
location data to third parties so those features work:
- Weather (Open-Meteo): approximate coordinates are sent to retrieve local
weather for an entry.
- Naming a place / address search (Google Maps & Places, via our proxy): the
coordinates or text you search are sent to resolve a place name.
- Map tiles (Stadia Maps / Stamen): map-tile coordinates near your locations are
requested to draw the faint background map.
You can decline or later revoke location permission in your device settings; those features
degrade gracefully.
5. Third parties who may process your data
- Google (Gemini AI, Maps/Places) — AI generation and place lookup, as above.
- Whoop, Oura — if you connect them, Loomy fetches your data from their APIs using
access you grant via their login. Your relationship with them is governed by their policies.
- Apple Health (HealthKit) — if you enable it (iOS only), Loomy reads health
metrics from the Health app locally on your device. This is an on-device read; your
Apple Health data is not transmitted to us or to any third party, and is used only within the
app (and never for advertising).
- Open-Meteo — weather lookups.
- Stadia Maps / Stamen — map tiles.
- Cloudflare — operates our proxy server. To prevent abuse, the proxy processes
basic request metadata (such as IP address) for rate-limiting; it is not used to profile you
and your journal content is not stored there.
- Apple / Google (platform) — app distribution, local notifications, and — if you
have device backup enabled — your app's data may be included in your encrypted
iCloud/Google device backup, controlled entirely by your own device account settings
(not by us).
We have no advertising, analytics, attribution, or crash-reporting SDKs in the
app, and we do not sell or rent your information to anyone.
6. Permissions we request
- Location (incl. background) — to auto-capture your daily footprint, stays, and
weather/city context. Optional.
- Microphone — to record voice notes you dictate. Optional.
- Photo library — to attach photos to entries and to save generated album covers.
Optional.
- Notifications — to deliver your daily reminder. The notification text never
contains your health data or entry content. Optional.
- Face ID / Touch ID — only if you enable App Lock, to unlock the app. Biometric
data never leaves the device and is handled entirely by the OS.
- Apple Health (HealthKit) — only if you connect Apple Health (iOS), to read
steps, active energy, and sleep. Read on-device; nothing is written back. Optional.
7. Retention and deletion
Because your data lives on your device, you control retention:
- Export your full journal (entries, media, locations, places) to a file at any
time from Settings → Data Management.
- Reset All Data erases your entries, media, locations, saved places, and
generated covers from the device.
- Uninstalling the app removes its on-device data (a device backup you made may
still contain a copy until it expires per your platform's settings).
- To stop wearable syncing, disconnect the integration; to revoke Loomy's access entirely,
also remove it in your Whoop/Oura account. To stop Apple Health access, revoke it in iOS
Settings → Privacy & Security → Health → Loomy.
8. Security
Your data stays on your device; secrets (API keys, client secrets) are held on our server,
never in the app bundle. Wearable tokens are stored in the OS secure keystore, and optional App
Lock adds a biometric/passcode gate. No method of storage or transmission is 100% secure, and we
cannot guarantee absolute security.
9. Children
Loomy is not directed to children under 13, and we do not knowingly collect data from them.
If you believe a child has used Loomy, contact us and we will help.
10. International users
Some processors above (e.g. Google, Cloudflare) may process data in the United States or
other countries. By using AI or connected features you understand that the relevant data may be
processed in those locations.
11. Your rights
Because Loomy is local-first with no accounts, you already hold your data directly: you can
access and export it, correct it by editing, and delete it — all from within the app, without
contacting us. Depending on where you live, you may have additional rights under laws such as
the GDPR or CCPA; contact us to exercise them.
12. Changes
We may update this policy. Material changes will be reflected by a new effective date and,
where appropriate, an in-app notice.
13. Contact
Questions or requests: hello@loomyjournal.com.