Privacy Policy

Effective 15 June 2026

Loam is a local-first mountain-bike maintenance app. It is designed so that your garage data stays under your control, on your device. This policy explains what Loam stores, what is sent off-device when you use optional network features, and how that information is handled.

Core Privacy Principles

• Local-First: Your data is stored on your device, not on our servers.
• Transparency: We only access external data (Strava/Bosch) when you explicitly authorize it.
• Data Minimization: We only process the minimum information necessary to provide the feature you choose to use.
• No Tracking: We do not use analytics, trackers, or advertising IDs.

What Loam stores on your device

• Garage Data: Your bikes, components, setup values (PSI, clicks), service history, and odometer readings are stored in your phone's private app storage.
• Photos: Any photos you upload or choose from search results are stored locally on your device.
• Secure Credentials: Authentication tokens for services you connect (Strava, Bosch eBike) are stored in the platform's secure store (Apple Keychain on iOS / encrypted storage backed by Android Keystore on Android). They are not stored in a Loam account or database.

There is no Loam backend database. We cannot see your garage data because it never leaves your phone.

Connecting External Services (Optional)

Strava Integration

Connecting Strava is optional. If you connect, Loam accesses your Strava profile, your bikes (gear), and your activities (including private activities, only with your explicit authorization) solely to calculate component service usage from your ride time and distance.

• Your activity data is read directly from Strava to your device using your own Strava authorization. It is never sent to, or stored on, Loam's servers.
• Your Strava access token is stored only in your device's secure storage (iOS Keychain / Android Keystore). Loam's backend is used only to complete the Strava sign-in (OAuth token exchange/refresh/revoke) and never stores your Strava credentials or activity data.
• We never sell your data, use advertising or tracking SDKs, or share your Strava data with any third party, service shop, sponsor, or AI/ML tool.
• We only ever show you your own Strava data.
• You can disconnect Strava at any time in Settings. Disconnecting removes the token from your device and asks Strava to revoke Loam's access; you can also revoke access at https://www.strava.com/settings/apps.

Bosch eBike Integration

If you connect a Bosch eBike, Loam uses the official Bosch Data Act API. With your explicit consent, the app reads your eBike's system values, such as total odometer, motor operating hours, battery charge cycles, and available ride history. Imported data is stored on your device. Bosch credentials are stored securely on-device and requests go directly between the app and Bosch.

How we handle secrets

To keep API secrets out of the app, Loam uses a Cloudflare Worker for Strava token operations, image search, and optional feedback delivery. Requests are encrypted in transit using HTTPS. The Worker validates and forwards requests without writing their contents to a Loam database. Cloudflare processes the connecting IP address to deliver requests and enforce short-term abuse rate limits. Cloudflare may also process standard infrastructure data under its own service policies.

Image Search

When you search for a bike photo, your search terms (such as manufacturer, model, and year) are sent to the Loam Worker and then to Serper.dev. Some searches may also be sent directly from the app to Wikimedia Commons or the Internet Archive. These providers return image or archived-page results. Loam does not retain a search history.

Optional Feedback

If you choose Send feedback, Loam sends the feedback category and message, your optional contact email, the app version, and your operating-system name and version to the Loam Worker. The Worker forwards this information to a private Discord channel used to review and respond to feedback. Cloudflare and Discord act as service providers for this feature. Do not include sensitive personal information in the message.

Feedback is kept only as long as reasonably needed to investigate the report, respond, and improve Loam, and is periodically deleted. You can request deletion by emailing the privacy contact below and identifying the approximate submission date, message, and optional email address used.

Cookies and Web Tracking

The Loam website does not set Loam cookies, use tracking pixels, or use analytics. The hosting provider receives standard request information, such as an IP address and browser details, to deliver the page and its self-hosted font files. Loam does not use that information to track visitors.

What Loam does NOT do

• No Analytics: We don't track how you use the app.
• No Advertising: We don't use ad identifiers or show ads.
• No Data Selling: We do not sell personal data or use it for targeted advertising.
• No Accounts: You don't need to create an account or provide an email to use Loam.

Data Retention and Deletion

You can delete bikes, components, service records, and photos in the app. Uninstalling Loam removes its on-device app data. You can disconnect Strava or Bosch in Loam's settings; Loam clears the locally stored credential and attempts to revoke it with the provider. You can also revoke access from the provider's account settings.

Your control

Loam does not create a Loam account. For optional feedback held by us, you may request access, correction, or deletion by contacting us. Depending on your location, additional privacy rights may apply.

Legal Bases for Processing

Loam processes the limited information described above only where a lawful basis applies. For most people that is one or more of the following:

• Consent: connecting Strava or a Bosch eBike, or sending optional feedback, happens only because you ask Loam to. You can withdraw consent at any time by disconnecting the service or not using the feature.
• Legitimate interests: operating the Loam Worker securely, including short-term rate limiting that prevents abuse and protects API quotas.
• Delivering a feature you requested: exchanging and refreshing tokens, importing your data, or searching for a bike photo when you ask Loam to.

Service Providers We Use

Loam has no backend database, but a few processors handle specific requests on your behalf. Each acts only as a service provider and is governed by its own privacy policy:

• Cloudflare — hosts the Loam Worker and serves this website; processes connecting IP addresses for delivery and abuse rate limiting.
• Serper.dev — returns bike-photo search results for the terms you search.
• Discord — receives the optional feedback you choose to send, in a private channel.
• Wikimedia Commons and Internet Archive — may return image or archived-page results for photo searches.

International Data Transfers

Loam stores nothing centrally, but the service providers above operate global infrastructure, so a request you trigger may be processed on servers outside your country, including outside the EU/EEA. Each provider maintains its own safeguards for these transfers under its respective policy.

Security

Network requests use HTTPS and are encrypted in transit. Connection tokens are held in the platform secure store (Apple Keychain / Android Keystore), never in a Loam account. Because there is no central Loam database of your garage data, there is no central store of personal data to breach. No method of transmission or storage is ever completely secure, but Loam is designed to keep the amount of off-device data as small as possible.

Your Rights

Depending on where you live, you may have some or all of the following rights over personal data held about you:

• Access: ask what personal data is held and get a copy.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of data held about you.
• Portability: receive your data in a portable, machine-readable form.
• Object or restrict: object to or restrict certain processing.
• Withdraw consent: at any time, without affecting processing already carried out.

Because Loam keeps your garage data on your own device, you exercise most of these rights directly in the app — editing or deleting bikes, components and history, disconnecting a service, or uninstalling. For the limited data we may hold (optional feedback), contact us using the details below. You also have the right to lodge a complaint with your local data-protection supervisory authority.

Children's Privacy

Loam is intended for adult riders and is not directed at children under 13. Loam does not knowingly collect personal information from children. If you believe a child has provided information through the optional feedback feature, contact us and we will delete it.

Contact

Privacy contact: israelenduromtb@gmail.com.

Changes

If this policy changes, the “Effective” date above will be updated.