Privacy Policy
Last updated: April 30, 2026
This policy describes how Loch Inc. ("Loch Inc.", "we", "us") handles personal information when you use our mobile application and related websites (the "Service"). We try to keep this short and readable. If anything is unclear, email prithvir@loch.one.
1. Information we collect
Information you provide
- Account information. When you sign up, we receive your email address and, if you sign in with Google, your name and profile photo as supplied by Google.
- Profile and preferences. Display name, language, theme and similar settings you choose inside the app.
- Content. Reflections, notes, voice recordings, and any other content you create in the app.
Information we collect automatically
- Device and usage data. Approximate region (from IP), device model, operating system, app version, crash logs, and high-level events needed to keep the app reliable.
- Authentication metadata. Sign-in timestamps and session identifiers so we can keep you logged in safely.
Referral tracking
- When someone visits a referral landing page (a URL of the form credo-journal.com/r/CODE), we record the referral code, the time of the visit, the visitor’s coarse user-agent string, and a one-way salted hash of their IP address. The raw IP is never written to disk.
- The hash is used only to rate-limit suspicious traffic against a single referral code. It is not joined to any personally identifying data.
- If you create an account after clicking a referral link, we record a single attribution row that links the new account to the referrer so we can credit them with in-app points. The attribution can be deleted on request.
- The Credo app may read your device’s clipboard once on its very first launch only if it contains a string that exactly matches our referral code format (BLF-XXXXX). Anything else in the clipboard is ignored and never sent to our servers.
What we do not collect
- We do not run advertising trackers or third-party ad SDKs.
- We do not sell or rent personal information, and we do not "share" it for cross-context behavioral advertising.
- Voice recordings stay on your device unless you explicitly choose to publish or back them up.
2. How we use information
- To create and operate your account and provide the Service.
- To sync your content across your devices, when you have signed in.
- To diagnose crashes, prevent abuse, and improve reliability and performance.
- To communicate with you about your account, security, and material changes to the Service.
- To comply with applicable law and enforce our Terms of Service.
3. Legal bases (EEA / UK users)
We rely on the following legal bases under the GDPR / UK GDPR: (i) contract — to provide the Service you signed up for; (ii) legitimate interests — to keep the Service secure, prevent abuse, and improve reliability; (iii) consent — where required for optional features; and (iv) legal obligation — when we must respond to lawful requests.
4. Service providers we use
- Supabase — authentication, database, and storage infrastructure.
- Google Sign-In — when you choose to sign in with a Google account.
- Apple App Store / Google Play — distribution and, if enabled, in-app purchases.
Each provider only receives the information needed to perform its function and is bound by its own contractual and legal obligations.
5. International transfers
Loch Inc. is operated from the United States and our providers may process data in other regions. Where required, transfers from the EEA, UK, or Switzerland rely on Standard Contractual Clauses or another lawful mechanism.
6. How long we keep information
We keep account information for as long as your account is active. If you delete your account, we delete or de-identify your personal information within 30 days, except where we are required to retain it for legal, security, or fraud-prevention reasons. Aggregated, anonymous data may be retained indefinitely.
7. Your rights
- Access, correction, deletion. You can review and edit your profile inside the app, and request deletion of your account by emailing prithvir@loch.one.
- Portability. You can request an export of your data.
- Objection / restriction. EEA, UK, and Swiss users may object to or restrict certain processing.
- California rights (CCPA / CPRA). California residents may request access to or deletion of personal information and may appeal a denial. We do not sell or share personal information for cross-context behavioral advertising.
- Complaints. EEA / UK users may complain to their local data protection authority.
8. Security
We use encryption in transit (HTTPS), encryption at rest for stored data, and access controls inside our infrastructure. No system is perfectly secure; if you believe your account has been compromised, please contact us immediately.
9. Children
Loch Inc. is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. If changes are material, we will notify you in the app or by email before they take effect. The "Last updated" date at the top of this page always reflects the current version.
11. Contact us
Questions or requests? Email prithvir@loch.one.