Privacy Policy
Loom is built by MingLLM, Inc. for solo founders who want chat to fan out into a swarm of agents. We collect the minimum data needed to make that work, encrypt it at rest and in transit, and delete it on a published schedule. This policy explains exactly what happens to your data.
Data we collect
- Account data. Email address, display name, and an opaque Clerk user ID. We do not collect a password — Clerk handles authentication. If you sign in with Google or GitHub we receive a subject ID, never an OAuth token outside the scope you grant.
- Briefs and chat transcripts. The messages you send to agents and the agent responses, including tool inputs and outputs. Stored row-scoped to your tenant.
- Artifacts. Any file an agent writes to final/ — reports, datasets, code, PR diffs. Stored in S3 under a per-job prefix with KMS-managed encryption.
- Usage events. One row per agent step and per Factory session, used for billing meters and reconciliation. No message content is stored on the usage row.
- Audit log. Every state-changing API call (sign in, create job, connect integration) writes a row with user ID, IP, and user-agent.
- Cookies. One session cookie from Clerk and one CSRF cookie set by Loom. No third-party advertising cookies, ever.
Processors
We share data with the following sub-processors strictly to deliver the product:
- Anthropic — model inference (Opus, Sonnet, Haiku). Your prompts are sent over TLS and are not used to train Anthropic models per their no-training policy for API customers.
- OpenAI — model inference (GPT-5 family). Same no-training default as Anthropic.
- Voyage AI — embedding generation for the memory / RAG layer (voyage-3-lite, 512-d).
- Stripe — billing, invoicing, payment methods. We never store full card numbers.
- Clerk — identity, sessions, multi-factor.
- Amazon Web Services — compute (Fargate), database (RDS Postgres), cache (ElastiCache Redis), storage (S3), encryption (KMS), DNS (Route 53). Region: us-east-1.
Retention
- Artifacts: 90 days by default. Starred artifacts are retained until you remove the star or delete your account.
- Briefs & transcripts: 90 days. Auto-purged via a nightly job.
- Usage events: 30 days for billing reconciliation, then deleted.
- Audit log: 7 days.
- Backups: RDS automated backups retained 7 days. A nightly logical dump lives in S3 (encrypted, 30 days).
- Account deletion: on request via privacy@mingllm.com, all rows are tombstoned within 24 hours and physically purged within 30 days.
Your rights
If you live in the EU/UK (GDPR) or California (CCPA), you have the right to access, correct, port, and delete your personal data, and to object to processing. Email privacy@mingllm.com and we will respond within 30 days. We do not sell personal data. We do not engage in cross-context behavioral advertising.
Children
Loom is not directed to anyone under 18. If we learn we have collected data from a child under 18, we will delete it.
Changes to this policy
If we make a material change, we will email account holders at least 14 days before it takes effect. The "Last updated" date at the top of this page tracks the latest revision.
Contact
Privacy questions: privacy@mingllm.com. Security: security@mingllm.com. Mailing address: MingLLM, Inc., 660 Forest Avenue, Palo Alto, CA 94301.