Blog
Built to know nothing.
Loom ships with no telemetry. Not as a checkbox we defaulted off, but as an architecture with nowhere to send your data.
A promise versus a property
Most privacy pages are promises: we collect this, we will not do that, trust us. Promises can be amended in the next release. A property of the architecture cannot. So when we say Loom has no telemetry, the claim is structural. There is no analytics endpoint, no account system beyond your existing Claude login, and no server of ours in the loop at all.
The same thinking runs through the rest of the app. Your Conductor API keys live in the OS keychain only, never in config files we could accidentally read or sync. Your state stays on your machine. A secret-path deny-list blocks reads and writes to credential files regardless of what any model asks for. Outbound HTTP from the app goes through an SSRF-guarded Rust proxy, and every file, git, and shell operation is checked against a workspace authorization registry.
The useful side effect: this forbids entire categories of product. We cannot ship a usage dashboard, a growth funnel, or "anonymized" analytics, because the data those features need does not exist on our side. That is the point. And because Loom is Apache-2.0, you do not have to take any of this on faith. Read the source, or the shorter privacy page.
The mechanisms
Three walls, all load-bearing.
Keychain, not config files
Keys for your Conductor providers are stored in the OS keychain and nowhere else. They never sit in a dotfile, a project folder, or anything a sync tool might scoop up.
A deny-list that holds
Secret paths are blocked for reads and writes at the app level. Six autonomous sessions are exactly the situation where you want that rule enforced by code, not by hoping every model behaves.
A guarded proxy
The app's HTTP traffic runs through an SSRF-guarded Rust proxy, so a request cannot be steered at internal addresses. Boring, structural, and always on.
Questions
Common questions.
What does Loom send over the network?
Loom itself reports nothing. The traffic that exists is yours: the Claude Code CLI talking to Anthropic on your login, and the Conductor provider you configured, reached through the guarded proxy. Remove those and the app is silent.
Do I need to create an account?
No. There is no Loom account. The only sign-in involved is your existing Claude login, which belongs to you and Anthropic, not to us.
Can the Conductor stay local too?
Yes. Point it at LM Studio, MLX, or Ollama and planning never leaves your machine. The local models guide walks through it.
Hand it the work.
Walk away.
macOS, Linux, and Windows. Around 13 MB. Free and open source.