Legal
Privacy Policy
Last updated: 19 March 2026
This website and the Loom app are owned and operated by My Side Quests Limited trading as Sidequests Studio, registered with Companies House in England and Wales.
Loom is built on a simple principle: your creative work belongs to you, not us. This policy explains exactly what data we collect, what we do with it, and how you remain in control at all times.
What we collect
Loom collects as little data as possible to function. Here is a complete list of data we handle:
On-device data
Your boards, images, text, and drawings are stored locally on your device. This data never leaves your device unless you choose to enable iCloud sync or use the AI Arrange feature.
Sign in with Apple
When you sign in, we receive only an opaque user identifier provided by Apple. We do not request or receive your name, email address, or any other personal information. This identifier is used solely to authenticate your requests to our services.
AI Arrange
When you use the AI Arrange feature, the following data is sent to our servers:
- Board structure and layout metadata (item positions, sizes, rotations, text content, colours)
- Computed image analysis metadata — dominant colours, composition metrics (focal points, symmetry, whitespace), and semantic tags (e.g. "outdoor", "minimal"). This analysis is performed entirely on your device using Apple's Vision framework
- A hashed account identifier (a SHA-256 hash of your iCloud user ID that cannot be reversed to identify you)
- Your subscription status and timezone
Your actual photos and images are never uploaded to our servers. Only computed metadata about those images is transmitted.
Purchase data
When you make an in-app purchase, we receive transaction identifiers, product identifiers, and purchase dates from Apple's StoreKit. This data is stored on our servers to track your purchased board slot balance and process refunds or revocations.
Usage logs
We log AI Arrange session events (creation and completion) along with your hashed account identifier and the number of items arranged. These logs are used for quota enforcement, debugging, and service reliability. We also log request performance metrics and token usage counts.
Crash reports
If the app crashes, Apple may send us an anonymised crash log. These contain no personally identifiable information and are used solely to fix bugs.
What we do not collect
- We do not collect your name, email address, phone number, or any contact information
- We do not collect your location (precise or coarse)
- We do not access or use advertising identifiers (IDFA)
- We do not use third-party advertising or analytics SDKs
- We do not track you across other apps or websites
- We do not sell, share, or rent your personal data to any third party for advertising or marketing purposes
- Your photos and images never leave your device — only computed metadata is transmitted when you use AI Arrange
Identifiers and hashing
To protect your identity, we derive a SHA-256 hash from your iCloud user identifier. This one-way hash is used as your account identifier across our services. It cannot be reversed to recover your original Apple user ID or any personal information.
Third-party services
Loom uses the following third-party services to operate. Each receives only the minimum data necessary:
- Google Vertex AI — receives board structure and image analysis metadata to generate AI layout suggestions. Does not receive your photos, account identifier, or subscription status.
- Upstash (Redis) — provides temporary session storage for AI Arrange results (expires after 60 minutes) and short-term account binding (expires after 30 days).
- Supabase (Postgres) — stores quota records, audit logs, and purchase ledger data. See "Data retention" below for specific retention periods.
- Apple CloudKit — if you enable iCloud sync, board metadata is stored in your personal iCloud account. This data is governed by Apple's privacy policy and is encrypted in transit and at rest. We cannot access your iCloud data.
- Apple App Store Server API — we verify in-app purchase transactions with Apple to prevent fraud and process refunds.
Data retention
We retain server-side data only as long as necessary:
- AI Arrange audit logs — deleted after 90 days
- Quota records — deleted after 90 days of inactivity
- Purchase ledger — retained for 1 year to support balance tracking and refund processing, then deleted
- AI Arrange sessions (Redis) — automatically expire after 60 minutes
- Account bindings (Redis) — automatically expire after 30 days
- On-device data — remains on your device until you delete it or remove the app
iCloud sync
If you choose to enable iCloud sync, your board metadata is stored in your personal iCloud account using Apple's CloudKit. We cannot access your iCloud data. iCloud sync is entirely optional — if you prefer to keep all data local, disable iCloud Drive for Loom in your device settings.
Camera and photo library access
Loom requests access to your camera and photo library solely to allow you to add images to your mood boards. Photos are stored locally on your device. When you use AI Arrange, on-device image analysis (using Apple's Vision framework) generates metadata such as dominant colours and composition metrics. Only this computed metadata is sent to our servers — your actual photos are never uploaded.
You can revoke these permissions at any time in Settings → Privacy & Security on your device.
Tracking
Loom does not track you. We do not link your data with data from other apps or websites, we do not share data with data brokers, and we do not use advertising identifiers. We do not use any third-party analytics or advertising SDKs.
Children's privacy
Loom is not directed at children under the age of 13. We do not knowingly collect information from children. If you believe a child has provided information through the app, please contact us and we will address it promptly.
Your rights and account deletion
You have full control over your data:
- Delete boards — delete any board from within the app at any time
- Delete all local data — remove the app from your device to delete all locally stored data
- Disable iCloud sync — turn off iCloud Drive for Loom in your device settings
- Delete server-side data — request deletion of all data associated with your account (hashed identifier, quota records, audit logs, and purchase history) by emailing hello@my-loomboard.com. We will process your request within 30 days.
If you are located in the European Economic Area, you may also have rights under the GDPR to access, correct, or restrict processing of your data. Contact us at the address below to exercise these rights.
Changes to this policy
If we change this policy in a material way, we will update the "Last updated" date above and notify users via an in-app notice. We will never make changes that reduce your privacy protections without clear notice.
Contact
Questions or concerns about this policy? We'd like to hear from you.