Privacy Policy
Loam is built on the belief that your thoughts are yours alone. This policy explains plainly what data we collect, how we use it, and the controls you have over it — including the specific ways AI processes your content to build your personal knowledge graph.
1. Information We Collect
We collect only what we need to deliver the Loam service. Here is what that includes.
Account information
When you create an account, we collect your email address and a hashed password. We do not collect your name unless you choose to add it to your profile.
Thought content
The core of Loam is content you deliberately capture: text notes, URLs and their page metadata, voice recordings, PDF and image files you upload, and any text you paste into the app. This content is stored securely and processed by AI to build your personal knowledge graph (see Section 3).
Voice recordings
When you use voice capture, your device records audio and uploads it to our servers over an encrypted connection. The audio is transcribed and then permanently deleted — we do not retain audio files. See Section 4 for the full lifecycle.
Usage data
We collect basic analytics about how you interact with Loam: feature usage events (e.g., "capture submitted", "graph viewed"), session duration, error logs, and app version. This data is aggregated and used to improve the product. It is not linked to the content of your thoughts.
Payment information
Subscription payments are handled by Stripe. We receive only a confirmation of payment status and your subscription tier — we never see or store your full card number or banking details.
Cookies and local storage
We use a small number of cookies and browser storage items to keep you signed in and remember your preferences. See Section 12 for details.
2. How We Use Your Information
We use the data we collect for the following purposes:
- Providing the service — storing your thoughts, running AI processing pipelines, building and querying your knowledge graph, and surfacing insights back to you.
- Transcription — passing audio recordings to OpenAI Whisper to convert speech to text, after which the audio is deleted.
- AI entity extraction — sending your thought content to AI providers (OpenAI, Anthropic, or Google) to identify entities, relationships, tasks, and patterns.
- Account management — sending transactional emails (password reset, subscription confirmations). We do not send marketing emails without your explicit opt-in.
- Security and fraud prevention — detecting abuse, enforcing rate limits, and protecting the integrity of the service.
- Product improvement — analysing aggregated, anonymised usage patterns to understand which features work well and where we should invest effort.
We do not sell your data. We do not use your content for advertising. We do not share your content with other users.
3. AI Processing & Knowledge Graph
Loam's most distinctive feature — automatic knowledge structuring — involves sending your content to AI models and storing the results in a graph database. This section explains that process in detail.
What happens when you capture a thought
After you submit a thought, Loam runs an automated pipeline:
- Your raw content (the text, URL, or transcription) is stored in encrypted form in our database.
- The content is sent to an AI language model with a structured prompt. The model identifies entities (people, organisations, places, topics, concepts), extracts relationships between them, detects action items or tasks, and produces a short summary.
- The extracted entities and relationships are written as nodes and edges in your personal knowledge graph, stored in Neo4j on AWS.
- Text embeddings (numerical representations of meaning) are generated and stored alongside the content to power semantic search.
What is stored in the knowledge graph
The graph stores derived data — not your raw words, but the structured knowledge extracted from them. Examples of what a graph node or edge might represent:
- A person named "Sarah Chen" encountered across multiple thoughts
- A relationship: "Sarah Chen works at Acme Corp"
- A concept: "machine learning" mentioned in connection with several notes
- A task: "Follow up with Sarah about the proposal"
Graph data is yours
Your knowledge graph is entirely personal — it is built solely from your own captures and is never shared with, compared against, or mixed with other users' data. When you delete your account, all graph nodes and edges are permanently erased alongside your raw content (see Section 8).
No automated decision-making with legal effect
Loam's AI processing is used solely to organise and surface your own information back to you. It is not used to make automated decisions about you that produce legal or similarly significant effects.
4. Voice Data
Voice capture is entirely optional. If you choose to use it, here is the complete lifecycle of your audio:
- Recording — audio is captured on your device and uploaded to Loam's backend via an encrypted HTTPS connection.
- Transcription — the audio file is passed to OpenAI's Whisper API. Whisper processes the audio and returns a text transcript. The audio is sent only for the purpose of transcription.
- Deletion — immediately after a transcript is returned, the original audio file is permanently deleted from our servers. We do not retain audio recordings.
- Processing — the text transcript is then treated like any other captured thought: stored, processed through the AI extraction pipeline, and added to your knowledge graph.
OpenAI does not use audio submitted via the API to train its models, per their data processing agreements. See Section 5.
5. Third-Party AI Providers
Loam uses the following AI providers to process your content. Each receives only the content necessary for the specific processing task — we do not send your full account history to any provider in a single request.
OpenAI
Used for: entity extraction, relationship mapping, summarisation, embeddings, and voice transcription (Whisper).
OpenAI's API terms include a zero data retention option and a commitment not to use API-submitted data to train their models. We operate under these API terms.
Anthropic
Used for: reasoning-intensive entity extraction and relationship analysis tasks.
Anthropic's API usage policies explicitly prohibit using API inputs and outputs for model training without customer consent. We have not granted such consent.
Google
Used for: embeddings generation and certain language understanding tasks via Google's AI APIs.
Google's API terms for enterprise AI services include data processing agreements that prohibit using customer data to train or improve Google's general AI models.
Stripe
Used for: subscription payment processing. Stripe receives your payment card details directly; Loam never sees or stores full payment card data. Stripe's Privacy Policy governs their handling of your payment data.
Amazon Web Services
Loam's infrastructure runs on AWS in the us-east-1 (Northern Virginia) region. AWS is the data processor for stored content and does not access customer data except as required for infrastructure operations. AWS is certified under ISO 27001, SOC 2, and other standards.
6. Data Storage & Security
Where your data lives
All Loam user data — raw thought content, user account records, knowledge graph data, and embeddings — is stored on AWS infrastructure in the us-east-1 region (Northern Virginia, United States). We currently operate from a single region; this may change in the future, and this policy will be updated accordingly.
Encryption
- In transit: All data transmitted between your device and Loam's servers uses TLS 1.2 or higher. Connections are rejected if they do not meet this standard.
- At rest: Data stored in our databases and object storage is encrypted using AES-256. Encryption keys are managed via AWS Key Management Service (KMS).
Access controls
Access to production systems is restricted to a minimal number of engineers with a documented need. All production access requires multi-factor authentication. Privileged access is logged and reviewed periodically.
Vulnerability management
We maintain a responsible disclosure programme. If you discover a security vulnerability in Loam, please report it to privacy@loam.ink. We commit to acknowledging reports within 72 hours and working in good faith towards a fix.
Breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and, where required by law, notify the relevant supervisory authority within the legally prescribed timeframes (72 hours for GDPR, as soon as practicable under Australian law).
7. International Data Transfers
Loam Pty Ltd is incorporated in Australia. Our servers are in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data export restrictions, your data is transferred internationally when you use Loam.
Transfers from the EEA / UK
Transfers of personal data from the EEA and UK to the United States are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by additional transfer impact assessments where required. You may request a copy of the applicable SCCs by contacting privacy@loam.ink.
Transfers involving AI providers
When your content is sent to AI providers (OpenAI, Anthropic, Google) for processing, those providers maintain their own cross-border transfer mechanisms. Each operates under GDPR-compliant data processing agreements that include appropriate safeguards for international transfers.
Australia to US
For users located in Australia, transfers to the United States are made in accordance with the Australian Privacy Principles, specifically APP 8, which requires reasonable steps to ensure overseas recipients handle personal information in a manner consistent with Australian privacy law.
8. Data Retention & Deletion
While your account is active
We retain your data for as long as your account exists and for a reasonable period afterwards in case you wish to recover it. Specifically:
- Thought content — retained until you delete individual thoughts or your account.
- Knowledge graph nodes and edges — retained in sync with your thought content. Deleting a thought triggers removal of any graph nodes or edges derived solely from that thought.
- Voice audio — deleted immediately after transcription, never retained.
- Usage analytics — retained in aggregated, anonymised form for up to 24 months.
- Payment records — retained for the period required by Australian taxation law (generally 5 years).
Account deletion — what gets erased
When you delete your Loam account, we permanently erase:
- All raw thought content (text, uploaded files, transcriptions)
- All knowledge graph nodes and edges derived from your content
- All stored embeddings and vector indexes associated with your account
- Your account credentials and profile data
- Any cached AI processing results
Deletion is irreversible. We recommend exporting your data before deleting your account (see Section 11). After initiating deletion, data is removed from active systems within 30 days and from backups within 90 days.
What is not deleted
We retain de-identified financial transaction records (subscription start/end dates and amounts, without identifying which account they belong to) for taxation compliance. We also retain any data we are legally required to keep — for example, if a law enforcement order obligates preservation of specific records.
9. Your Rights
Depending on where you live, you have specific rights over your personal data. We honour these rights regardless of jurisdiction.
GDPR rights (EU / EEA / UK residents)
- Request a copy of the personal data we hold about you, including what is stored in your knowledge graph.
- Ask us to correct inaccurate personal data. You can update most data directly within the app.
- Request deletion of your data. Account deletion in the app triggers complete erasure as described in Section 8.
- Export all your thoughts as Markdown files via the in-app export feature. See Section 11.
- Request that we restrict processing of your data while a dispute about accuracy or lawfulness is resolved.
- Object to processing based on legitimate interests. For AI-based processing, contact us to discuss your options.
To exercise any GDPR right, email privacy@loam.ink. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in the EU, this is typically the data protection authority in your country of residence.
CCPA / CPRA rights (California residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, and how we use and share it.
- Right to delete — request deletion of personal information we have collected from you. This is exercised by deleting your account in the app or by contacting us.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of.
- Right to limit sensitive personal information use — we use sensitive personal information only to provide the service you requested, not for additional purposes.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise CCPA/CPRA rights, email privacy@loam.ink with the subject line "California Privacy Request".
Australian Privacy Principles (Australian residents)
Loam Pty Ltd is an Australian entity and complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Key commitments include:
- APP 1 — we have this open and transparent policy describing how we manage personal information.
- APP 5 — we notify you at or before the time of collection of the purposes for which we collect your data.
- APP 6 — we only use and disclose personal information for the primary purpose of collection or directly related secondary purposes, or with your consent.
- APP 12 — you may request access to the personal information we hold about you.
- APP 13 — you may request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
To make an access or correction request under the APPs, email privacy@loam.ink. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Children's Privacy
Loam is intended for users aged 16 and over. We have set this minimum age in line with the GDPR's digital consent threshold for most EU member states and because the service involves AI processing of personal reflections, which we consider inappropriate for younger users.
We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has created a Loam account, please contact us at privacy@loam.ink and we will promptly delete the account and all associated data.
If you are under 16, please do not use Loam or submit any personal information to us.
11. Data Portability
Your thoughts are yours. You can export all your captured content at any time from within the Loam app:
- Go to Settings → Export data in the app.
- Your thoughts are exported as individual Markdown (.md) files, one per capture, including the original content, timestamp, and any metadata you have added.
- The export is delivered as a downloadable ZIP archive.
The export includes your raw thought content. It does not include the full knowledge graph structure (nodes and edges) in a machine-readable format — if you need a graph export for technical migration purposes, email privacy@loam.ink and we will work with you to provide one.
We recommend exporting your data before deleting your account, as deletion is permanent and irreversible.
12. Cookies
Loam uses a small number of cookies and browser storage mechanisms to operate. We do not use advertising cookies or third-party tracking cookies.
- Authentication token — a session cookie that keeps you signed in. It expires when you sign out or after an inactivity period.
- Preferences — local storage entries that remember your UI preferences (e.g., dark mode setting). These never leave your device.
- Analytics — we use privacy-respecting, first-party analytics to understand how the product is used. No data is shared with advertising networks.
We do not use Google Analytics, Facebook Pixel, or any other third-party advertising or tracking technology.
For full details, see our Cookie Policy.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the service, technology, or applicable law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send a notification to your registered email address at least 14 days before the changes take effect, for changes that materially affect your rights or how we use your data.
- Where required by law (e.g., for changes to data processing under GDPR that require fresh consent), we will seek your explicit agreement before the changes apply to your data.
Your continued use of Loam after the effective date of a policy update constitutes acceptance of the updated policy for non-material changes. For material changes, we will obtain fresh consent where required.
We encourage you to periodically review this page. Previous versions of this policy are available on request.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise any of your rights, or have a privacy concern, please reach out:
We aim to respond to all privacy-related enquiries within 5 business days, and to substantive requests (such as data access or deletion requests) within 30 calendar days as required by applicable law.
If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. If you are in Australia and are not satisfied with our response after providing us an opportunity to resolve the issue, you may contact the Office of the Australian Information Commissioner (OAIC).
This policy was last reviewed on March 27, 2026. Loam Pty Ltd is incorporated in Australia. The authoritative version of this policy is the English-language version published at loam.ink/privacy/.