Loomee Privacy Policy

1.1 Controller and Processor

21media acts as the data controller for personal information collected through Loomee. We determine the purposes and means of processing your personal data. For users in the European Union, we comply with the General Data Protection Regulation (GDPR). For California residents, we comply with the California Consumer Privacy Act (CCPA).

1.2 Scope of This Policy

This Privacy Policy applies to all information collected through:

• Our mobile applications for iOS and Android
• Our marketing website at https://loomee.app
• Email and other electronic communications with us
• Any other means through which you interact with Loomee

1.3 What Loomee is — and isn’t

Loomee is a wellness app that plays personalized daily affirmations with voice and music. Loomee is not a medical, psychiatric, psychological, or therapeutic service. Nothing in the app is medical advice, diagnosis, or treatment.

2.1 Information stored only on your device

The following stays on your device unless you explicitly enable cloud sync or the Loomee Pro tier:

• The name you provide during onboarding (optional)
• Your goals, struggles, and category preferences
• Mood entries with optional notes
• Journal reflections you write
• Custom affirmations you author
• Custom reminders you configure
• Theme preference (light, dark, auto) and accent color
• Spoken-aloud attestations
• Resonance feedback (which affirmations "hit" or "missed")

2.2 Information synced to our backend (Supabase)

We keep an anonymous mirror keyed by a device-generated UUID (device_id). We do not know you personally — only that two events came from the same device. We sync:

• Anonymous device_id
• Platform (ios or android) and app version
• Onboarding answers: goals, struggles, satisfaction baseline
• Aggregate counters: streak, total sessions, glow score, category play counts
• Custom affirmations you write (so AI features can reference them)
• Preferences: preferred voice ID, pace, stability, music track, music enabled/disabled, music volume
• Subscription state mirrored from Apple StoreKit: is_pro, expiry timestamp
• Resonance history (boosted categories)
• Last seen / last active timestamps

We do not sync:

• Mood entry notes — stays on device only
• Journal reflection bodies — stays on device only
• Your real name beyond what you enter (we don't pull from contacts)
• Any contact information
• Location

2.3 Information sent to third parties through Loomee

When you use specific features, the relevant data leaves your device:

• Affirmation text-to-speech (ElevenLabs via our backend): affirmation text + your voice/pace/stability preferences. The generated audio is cached on our backend and locally on your device.
• AI affirmation generation (Anthropic via our backend, Pro): your goals, recent mood ratings, streak length, time of day, top-played categories, boosted categories. We do not send your name, custom-affirmation text, reflections, or any free-text input to the LLM.
• Subscription purchase (Apple StoreKit): Apple handles the transaction. We receive only the purchase receipt (proof of payment).
• Crash reports (Sentry, if installed): stack trace, device model, OS version, app version, anonymized device_id. No personal data, no affirmation content.

2.4 Automatically collected information

When the app launches we automatically capture:

• App version (expo-application’s nativeApplicationVersion)
• Platform string from React Native (ios / android)
• Anonymous device ID generated on first launch
• Timestamps of activity (last seen, last active)

We do not collect IP address, advertising identifier, MAC address, IMEI, phone number, or precise location.

2.5 Cookies and tracking technologies

The mobile app does not use cookies, web beacons, fingerprinting, or any cross-app tracking technology. The marketing website at https://loomee.app is fully static — no analytics scripts, no trackers, no ad pixels.

3.1 To deliver the service

• Picking the right affirmation for your slot (daily, morning, afternoon, evening) using your goals, mood, time of day, and resonance signal
• Generating audio for each affirmation through ElevenLabs
• Generating AI affirmations through Anthropic (Pro feature)
• Recording your streak, sessions, mood, and glow score
• Restoring your data when you reinstall (if Pro / cloud sync is active)
• Scheduling local notifications you've configured

3.2 To process subscriptions

We use the StoreKit receipt to verify your Loomee Pro entitlement with Apple and to mirror is_pro to your Supabase row so the app can recover entitlement state after reinstall.

3.3 To diagnose issues

If a crash or unhandled error occurs and Sentry is installed in the build, we receive a stack trace and device metadata so we can fix the bug.

3.4 To improve Loomee

We look at aggregate patterns: which music genres get the most play, which voices are picked, what pace people prefer. These help us decide what to curate next. We never analyze your individual rows for any purpose other than serving your own experience.

3.5 What we don’t use your data for

• We do not sell your data
• We do not share your data with advertisers
• We do not use your data for cross-app or cross-site tracking
• We do not profile you for ad targeting
• We do not train AI models on your custom affirmations, reflections, or mood notes

4.1 Service providers

4.2 Legal compliance

We may disclose information if required by law, valid legal process, or to protect our rights, safety, or property — but only the minimum necessary. We will challenge overbroad requests where lawful and possible.

4.3 Business transfers

If 21media is acquired or merged, your data may transfer to the successor. You will be notified before any such transfer materially changes the controller relationship.

4.4 With your consent

We will not share your data for any other purpose without your explicit consent.

Our backend services are hosted in the European Union (Supabase project in Frankfurt). Some of our service providers (ElevenLabs, Anthropic, Apple, Sentry) operate globally and may process data in the United States or other jurisdictions. We rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms to ensure equivalent protection for international transfers.

By using Loomee, you consent to your information being processed in jurisdictions outside your own.

6.1 Technical measures

• All network traffic between the app, our backend, and third-party services uses HTTPS with current TLS versions
• Supabase enforces Row Level Security; the anonymous key has scope only for rows matching your device_id
• IAP receipts are validated against Apple's servers, never trusted from client code alone
• We do not store payment information — Apple handles all payment data
• Audio cache files on our backend are stored in private Supabase Storage buckets with signed-URL access

6.2 Organizational measures

• Access to the Supabase project is limited to authorized 21media personnel
• Service-role keys are stored in secret vaults, never in client code
• Production secrets rotate on personnel changes

6.3 Limitations

No system is 100% secure. If a breach affects your data, we will notify you within 72 hours of discovery as required by GDPR and applicable US state breach-notification laws.

When you tap “Delete account” in Settings, your Supabase row is tombstoned (soft-deleted) within seconds and hard-deleted within 30 days.

8.1 Rights available everywhere

• Access — request a copy of the data we hold about you
• Correction — ask us to correct inaccurate data
• Deletion — ask us to delete your data (also via in-app “Delete account”)
• Portability — receive your data in a machine-readable format
• Restriction — ask us to limit how we use your data
• Objection — object to processing based on legitimate interest

8.2 GDPR rights (EU / UK / EEA)

All of 8.1, plus:

• Right not to be subject to solely automated decisions
• Right to lodge a complaint with your national supervisory authority

8.3 CCPA rights (California)

• Right to know what we collect and why
• Right to delete (also via in-app "Delete account")
• Right to opt-out of sale (we don't sell — automatic for everyone)
• Right to non-discrimination for exercising these rights

8.4 How to exercise these rights

Email hello@21media.online with the subject line “Privacy request” and your device_id (find it in Settings → About). We will respond within 30 days.

Loomee is rated 4+ on the App Store but is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have, email hello@21media.online — we will delete promptly.

For users between 13 and the age of majority in their jurisdiction, we recommend parental supervision. The app contains no inappropriate content but does include subscription purchases that can incur charges.

The mobile app does not respond to Do Not Track browser signals because the app does not contain a web browser or web tracking. The marketing website contains no tracking to honor.

The app may surface links to third-party websites (App Store, support pages, licensing information for music tracks). When you tap such a link, you leave Loomee and are governed by that site’s privacy policy. We are not responsible for third-party privacy practices.

In-app browser sessions opened from Settings (Privacy, Terms) use Apple’s SFSafariViewController (iOS) or Chrome Custom Tabs (Android) — these are session-isolated and do not share cookies with your default browser.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Bump the "Last updated" date at the top
• Surface an in-app banner on next launch summarizing the change
• Email you (where we have a contact address) if the change is significant

Continued use of Loomee after a material change indicates acceptance of the revised Privacy Policy. If you don’t accept the change, you may stop using the app and request deletion.

We maintain previous versions of this policy on request.

21media
Lithuania
hello@21media.online

For privacy-specific requests:

• Email subject: Privacy request
• Include your device_id (Settings → About in the Loomee app)

For unresolved concerns in the EU, you have the right to contact your national data protection authority.