This Privacy Policy explains what data Loam collects, why we collect it, how long we keep it, and the rights you have over it. It applies to the Loam messaging product, the @loam AI agent, and every third-party connector you choose to authorise (including, but not limited to, Shopify, Linear, Zendesk, GitHub, Sentry, Gmail, and Google Drive).
We follow the principles of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Shopify's Protected Customer Data rules. Where this policy and a signed Data Processing Agreement disagree, the DPA governs.
1. Who we are
“Loam”, “we”, “our”, and “us” refer to the operating entity that provides the Loam product. Legal entity: Acrelane Enterprises OÜ, a private limited company registered in the Republic of Estonia (registry code 16923072, VAT EE102857122). Registered address: Tornimäe tn 3 // 5 // 7, 10145 Tallinn, Estonia.
For all privacy enquiries, contact privacy@getloam.co. We aim to respond within five working days.
2. Scope
This policy covers three categories of data:
- Workspace data — messages, channels, files, members, and AI interactions inside a Loam workspace.
- Connector data — data ingested into a workspace's per-organisation knowledge graph (LoamDB) from third-party services such as Shopify.
- Account & billing data — the information we need to operate the service: email addresses, sign-in identifiers, plan choice, payment method (handled by Stripe; we do not see card numbers).
3. Data we collect
3.1 Directly from you
- Account identifiers: email address, name, profile image, OAuth provider subject identifier.
- Workspace content: messages you post, channels you create, files you upload.
- Configuration: connector authorisations, agent settings, permission rules.
- Support correspondence and feedback you send us.
3.2 From connected third-party services
When you authorise a connector, Loam reads data on your behalf from that service. The exact data depends on the connector and on the scopes you grant during OAuth. We only request the scopes needed for the features you enable.
3.3 Automatically
- Technical logs (request method, route, status code, trace identifier) used for debugging and uptime.
- Minimal session cookies used to keep you signed in.
- No third-party advertising or cross-site tracking is performed on this site.
4. Shopify-specific disclosures
If you connect a Shopify store to Loam, Loam acts as a data processor for the merchant (you) and an integration partner for Shopify. We process the following Shopify data on your behalf:
- Orders, including line items, totals, customer notes, fulfilment status, and refund records
- Customers (Tier-1 protected customer data — email address, name, displayName)
- Products and variants
- Inventory levels and locations
- Pages (shop content) and policies where exposed by the Shop API
- Fulfilments and shipping events
- Abandoned checkouts
Customer email, name, and displayName are treated as Shopify Tier-1 Protected Customer Data. Access to this data inside Loam is restricted: it surfaces only to authorised members of your workspace via the @loam agent and the merchant's own UI surfaces. We do not redistribute Shopify customer data to any third party.
Loam does not write to your Shopify store except through explicit, user-confirmed actions (for example, an agent that drafts a refund response that you approve). The connector does not perform background mutations.
5. How we use your data
Connector data — including Shopify data — is used to:
- Answer questions inside your workspace via the @loam agent.
- Generate analysis-pass memories visible only to authorised members of your workspace. Examples include refund themes, SLA breaches, recurring product issues, abandoned-cart trends, and fulfilment health summaries.
- Surface relevant context to the merchant's own internal team. Nothing leaves your workspace.
- Provide operational monitoring, error tracking, and customer support for your account.
We never sell your data. We do not share your data with advertisers, data brokers, or any third party for their own marketing or model-training purposes.
6. We do not train foundation models on your data
Loam uses Anthropic Claude for AI inference. Anthropic's commercial terms contractually prohibit training their models on inputs we submit on your behalf. We do not train, fine-tune, or pre-train any foundation model on your data, and we do not authorise any sub-processor to do so.
Aggregated, fully anonymised product metrics (for example, the count of messages per day across the platform) may be used to improve service quality. Such metrics never include message content, customer identifiers, or any value derived from a single workspace.
7. Lawful basis for processing
- Performance of a contract (GDPR Art. 6(1)(b)) — processing required to provide the Loam service you have signed up to.
- Legitimate interest (GDPR Art. 6(1)(f)) — merchant data we ingest on your authorisation, to deliver the value you signed up for. You can object at any time by disconnecting the connector or contacting us.
- Consent (GDPR Art. 6(1)(a)) — the explicit OAuth grant you provide when connecting a third-party service.
- Legal obligation (GDPR Art. 6(1)(c)) — tax, accounting, and regulatory record-keeping for billing.
8. Data retention & deletion
Connector data is retained for as long as the connector remains authorised. When you disconnect a connector, or when you delete your workspace, the associated data is cascade-purged from LoamDB:
- Within 7 days in production for normal disconnects.
- Within 30 days maximum, which is the upper bound we contractually commit to.
- Backups roll off on the schedule documented in our DPA.
Account and billing records are kept for the period required by applicable tax and accounting law — typically six years — after which they are deleted or anonymised.
9. Shopify compliance webhooks (GDPR endpoints)
Loam implements all three mandatory Shopify GDPR webhooks:
- customers/redact — surgical purge of a specific customer's data from the merchant's workspace. We delete by prov:wasAttributedTo provenance URI, removing matching memories, entity rows, and content extracted from that customer's records. The purge completes inside Shopify's 30-day service-level requirement.
- customers/data_request — on request, we generate a structured manifest of the data we hold for the named customer: content rows, derived entities, analysis memories, and order references. The manifest is delivered to the merchant for onward forwarding to the data subject, in line with the GDPR right of access.
- shop/redact — full org-scope purge. When Shopify notifies us that a shop has been uninstalled for 48 hours or more, we delete all data associated with that shop's organisation in LoamDB and revoke stored credentials in Nango.
10. Sub-processors
We use the following sub-processors to provide the service. Each is bound by a written agreement requiring confidentiality, security, and use of data only on our documented instructions.
| Sub-processor | Purpose | Jurisdiction |
|---|---|---|
| Convex | Primary database for the messaging product (messages, channels, workspaces, membership). | United States |
| Anthropic | Large language model inference (Claude). Operates under Anthropic's commercial terms, which contractually prohibit training their models on our customer inputs. | United States |
| Langfuse | AI observability and tracing. PII-aware filtering is applied before traces are written; we use the self-hostable build with restricted retention. | European Union |
| Nango | OAuth credential vault. Stores connector access tokens and refresh tokens; we never see raw third-party credentials. | United States / European Union |
| Vercel | Hosting and edge delivery of the Loam web application. | United States |
| Railway | Hosting for the LoamDB knowledge-graph service (osdb). | United States |
| Axiom | Structured application logs. Logs are scoped by trace identifier and do not include message bodies or third-party content. | United States |
| Stripe | Billing and payment processing. Card data never touches Loam infrastructure. | United States |
We notify customers in advance of any new sub-processor that handles customer data. You can request the current sub-processor list at any time by emailing privacy@getloam.co.
11. Security
Loam encrypts data in transit (TLS 1.3) and at rest (AES-256). Third-party access tokens are stored in Nango's isolated credential vault. Internal access to production systems is least-privilege, audited, and requires explicit approval. See our Security page for a fuller technical overview.
12. Your GDPR rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure — ask us to delete your data.
- Portability — receive a copy in a structured, machine-readable format.
- Restriction of processing in certain circumstances.
- Objection to processing based on legitimate interest.
- Withdraw consent at any time for processing that relies on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email privacy@getloam.co. We will verify your identity and respond within 30 days.
13. California (CCPA / CPRA) rights
If you are a California resident, you have the right to:
- Know what categories of personal information we collect and the purposes for which it is used.
- Request access to, or deletion of, your personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information for cross-context behavioural advertising.
- Non-discrimination for exercising any of these rights.
Do Not Sell or Share My Personal Information. Loam does not sell or share personal information for cross-context behavioural advertising, and we have not done so in the preceding 12 months. There is therefore no opt-out mechanism to provide — the “sale” does not happen. If our practices change, we will update this policy and add a clear opt-out link before any such activity begins.
14. International transfers
Several of our sub-processors are located in the United States. By using Loam you acknowledge that personal data may be transferred to, stored in, or processed in the United States and other jurisdictions where our sub-processors operate.
For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable. A copy of the SCCs we have executed with each sub-processor is available on request.
15. Children's data
Loam is a workplace product and is not directed at children under 13 (or under the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@getloam.co and we will delete it.
16. Cookies & tracking
The Loam product uses a small number of strictly-necessary cookies and similar storage primitives to keep you signed in and to persist UI preferences. The marketing site uses privacy-respecting analytics (Vercel Analytics) which does not set cross-site tracking cookies. We do not embed advertising trackers.
17. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify customers by email (to the workspace owner's address) at least 14 days before the change takes effect, and we will update the “Last updated” date at the top of this page. Continued use of Loam after the effective date constitutes acceptance of the revised policy.
18. Contact
Privacy and data-protection enquiries: privacy@getloam.co.
Postal address: Acrelane Enterprises OÜ, Tornimäe tn 3 // 5 // 7, 10145 Tallinn, Estonia.
Data Protection Officer / EU representative: as a company established in Estonia (European Union), Acrelane Enterprises OÜ does not require a separate Article 27 GDPR representative. We have not appointed a formal Data Protection Officer at this stage; privacy and data-protection enquiries are handled directly by the operating team at the email above.