Privacy Policy

Effective Date: May 30, 2026

Operator: Loop by Ramas, Italy, EU
Contact: ramas.app111@gmail.com

This Privacy Policy describes how Loop ("we," "us," "our," or "the app") collects, uses, and protects your information.

Summary

No account required — most personal data remains stored locally on your device
Local-first — thoughts, entries, and personal reflections are stored locally and encrypted
Minimal collection — we collect only limited, non-identifying usage data and technical information necessary to operate the service
No selling — we do not sell or share your personal information for advertising or marketing purposes

Note: If you use the Deep Loop AI feature, the content you submit is processed through our backend and AI providers to generate responses. See Section 3 for details.

1. Information Stored on Your Device

The following data is stored locally on your device and is never transmitted to our servers:

Your name (optional, used only for personalization within the app)
Your thought entries, shifts, and reframes
Your anchors/intentions and categories
Session history and intensity ratings
Streak and progress data
Notification preferences

Encryption: Sensitive data is encrypted using AES-256-GCM authenticated encryption. Encryption keys are stored in your device's hardware-backed secure storage (Android Keystore or iOS Keychain).

Deletion: You may delete all local data at any time via Settings > Delete my data. Uninstalling the app also removes all local data.

2. Information We Collect

2.1 Usage Analytics

We collect limited, non-identifying usage events to understand how the app is used and improve it:

Event name (limited to: paywall_viewed, subscription_started, shift_completed)
Screen name (e.g., "shift," "progress")

These events contain no personal information, no user content, and no identifiers that can be linked to you. Analytics are stored on Supabase servers in Frankfurt, Germany (EU).

Legal basis (GDPR): Legitimate interest in understanding app usage and improving the service (Art. 6(1)(f)).

2.2 Device Identifier

When you use the Deep Loop AI feature, we generate a random device identifier (UUID) to:

Track free trial usage (6 lifetime sessions per device)
Prevent abuse of the service

This identifier is randomly generated on your device, is not linked to your identity or any account, and cannot be used to identify you personally. It is stored on Supabase (EU).

Legal basis (GDPR): Legitimate interest in fair use enforcement and abuse prevention (Art. 6(1)(f)).

2.3 IP Address

Your IP address is temporarily processed for:

Rate limiting (maximum 40 requests per hour) to prevent abuse
Security monitoring

IP addresses are stored for a maximum of 1 hour and are then automatically deleted. They are not linked to your identity, content, or usage patterns beyond rate limiting.

Legal basis (GDPR): Legitimate interest in security and abuse prevention (Art. 6(1)(f)).

2.4 Subscription Information

If you purchase a subscription (monthly or annual), the transaction is processed by Apple App Store or Google Play Store and managed via RevenueCat. We receive:

A pseudonymous user identifier assigned by RevenueCat (not your name or email)
Subscription status (active, expired, cancelled)
Purchase events (subscription started, renewed, cancelled)

We do not receive or store your payment details such as credit card numbers, billing addresses, or bank account information.

Legal basis (GDPR): Performance of contract (Art. 6(1)(b)).

2.5 Creator/Promo Codes

If you activate a creator or promotional code, we store:

The code activated
A reference to the creator for attribution purposes
The bonus expiration date

This data is used solely for promotional attribution and providing bonus features. It does not involve advertising, profiling, or third-party data sharing.

Legal basis (GDPR): Performance of contract (Art. 6(1)(b)).

3. AI-Powered Features (Deep Loop)

3.1 How Deep Loop Works

When you use the Deep Loop AI dialogue feature:

Your message and recent conversation history are transmitted to our server (Supabase, Frankfurt, EU)
The content is forwarded to OpenAI (USA) to generate an AI response
The AI response is returned to you
Your conversation content is NOT stored on our servers or OpenAI's servers after the response is delivered

OpenAI processes this data under their API Data Usage Policy, which states that API inputs are not used for model training. We do not include your name, email, or any account identifier in requests to OpenAI.

Data transfer: Data transmitted to OpenAI is processed in the United States. This transfer is conducted under OpenAI's Standard Contractual Clauses in accordance with GDPR Chapter V.

3.2 AI Safety and Limitations

AI responses are generated automatically without human review
AI is NOT a substitute for professional mental health advice, therapy, or counseling
AI may occasionally produce inaccurate, unexpected, or inappropriate responses
We implement content safety filters and prompt security measures, but cannot guarantee all responses will be appropriate

If you encounter concerning AI content, please contact us at ramas.app111@gmail.com.

Legal basis (GDPR): Your explicit action of initiating the AI session constitutes consent (Art. 6(1)(a)); alternatively, performance of contract for paid subscribers (Art. 6(1)(b)).

4. Voice Input

When you use voice input to speak your thoughts:

Your speech is processed by your device's built-in speech recognition service
iOS: Apple Speech Recognition (processed on Apple servers, USA)
Android: Google Speech Services (processed on Google servers, USA)

We do not receive, store, access, or transmit your voice recordings. Audio is processed in real-time by your device's operating system and converted to text. We receive only the transcribed text.

5. Crash Reporting

We use Firebase Crashlytics (operated by Google LLC) to collect crash reports when the app encounters errors. This includes:

Device model and operating system version
App version and state at crash time
Error messages and stack traces
Technical device identifiers used solely for crash grouping

Crash reports do NOT include your name, thoughts, entries, reflections, or any user-generated content. Crash data is retained for 90 days and used solely to diagnose and fix bugs.

Legal basis (GDPR): Legitimate interest in app stability and error diagnosis (Art. 6(1)(f)).

6. Specialist Directory

6.1 What We Display

Loop includes an optional directory of independent wellness specialists (therapists, psychologists, coaches). Specialist profiles are provided by the specialists themselves and include name, credentials, bio, photo, contact information, languages, location, and professional type.

6.2 Featured and Sponsored Listings

Some specialists may appear as "Featured" or have promoted visibility. This placement is arranged directly between the specialist and Loop by Ramas, clearly labeled, and based on listing agreements — NOT on your personal data, behavior, or usage patterns.

Important: We do NOT use your personal data, thoughts, emotions, session history, or app activity to target, recommend, or personalize specialist listings.

6.3 Independent Professionals

Specialists are independent professionals, not employees or agents of Loop by Ramas. We do not verify credentials, licenses, or qualifications. We do not guarantee the quality of their services. You must verify credentials independently before engaging any specialist.

7. Sharing Features

7.1 Progress Report Sharing

You may choose to generate and share a PDF progress report with a specialist. This feature is:

Voluntary — you initiate the sharing
User-controlled — you choose whether to include your name (anonymous by default)
Local — the PDF is generated entirely on your device and shared via your device's standard share function

We do not receive, transmit, or store shared reports.

7.2 Anonymity Consideration

Even when sharing anonymously, your progress data and patterns may contain information that could potentially identify you to a recipient who knows you. You are solely responsible for the content you choose to share and the consequences of sharing.

8. Push Notifications

Push notifications are scheduled and delivered locally on your device. Your notification preferences are stored only on your device. No notification content, timing, or preferences are transmitted to our servers.

9. Third-Party Services

Service	Purpose	Data Processed	Location
Supabase	Backend, analytics, AI routing	Anonymous events, device UUID, IP (temporary)	Frankfurt, EU
OpenAI	AI dialogue responses	Conversation content (not stored after response)	USA
RevenueCat	Subscription management	Pseudonymous ID, subscription events	USA
Firebase Crashlytics	Crash reporting	Device info, crash logs	USA
Apple Speech Recognition	Voice-to-text (iOS)	Voice audio (real-time processing only)	USA
Google Speech Services	Voice-to-text (Android)	Voice audio (real-time processing only)	USA
Apple App Store	Payments, distribution (iOS)	Payment processing (we do not receive payment details)	USA
Google Play Store	Payments, distribution (Android)	Payment processing (we do not receive payment details)	USA
Google Fonts	Typography	IP address (for font loading)	USA

For transfers to the USA, we rely on Standard Contractual Clauses (SCCs) where applicable, the receiving services' data protection measures and certifications, and your consent where required.

10. Data Retention

Data Type	Retention Period
Local data (thoughts, entries, history)	Until you delete or uninstall the app
Device UUID	Indefinitely (for fair use enforcement)
IP address	Maximum 1 hour (automatically deleted)
Analytics events	Indefinitely (non-identifying, aggregated)
Crash reports	90 days
Creator code activation	Indefinitely
Subscription records	Per RevenueCat retention policy

11. Children's Privacy

Loop is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

Age verification is required during app setup via date-of-birth entry. Users who indicate they are under 13 are blocked from using the app.

If we discover that a child under 13 has provided information to us, we will promptly delete any associated data. If you believe a child under 13 has used Loop, please contact us immediately at ramas.app111@gmail.com.

12. Your Privacy Rights

All Users

Delete your data: Settings > Delete my data (removes all local data)
Uninstall: Removes all local data from your device
Request server data deletion: Email ramas.app111@gmail.com to request deletion of your device UUID and any associated analytics

European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

Access: Request a copy of the personal data we hold about you
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Restriction: Request that we limit processing of your data
Objection: Object to processing based on legitimate interest
Data Portability: Receive your data in a structured, machine-readable format
Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact ramas.app111@gmail.com. We will respond within 30 days (or as required by law).

California Users (CCPA/CPRA)

If you are a California resident, you have the following rights:

Know: Request information about what personal information we collect and how we use it
Delete: Request deletion of your personal information
Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes other than those disclosed in this Privacy Policy.

13. Security

We implement technical and organizational measures to protect your data:

Encryption: Local data encrypted with AES-256-GCM authenticated encryption
Secure Key Storage: Encryption keys stored in Android Keystore / iOS Keychain
Transport Security: All network communications encrypted via HTTPS/TLS
Access Control: Row-level security policies on database tables
Rate Limiting: Protection against automated abuse
No Accounts: No passwords to compromise; no centralized user database

While we implement reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

14. Do Not Track

Loop does not respond to "Do Not Track" browser signals because the app does not track users across third-party websites or applications.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this policy. For significant changes, we will provide notice within the app.

Your continued use of Loop after changes constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you should stop using the app and delete your data.

16. Contact

Loop by Ramas
Italy, EU
Email: ramas.app111@gmail.com

For privacy inquiries, data requests, or complaints, please email us. We aim to respond within 30 days.