Privacy Policy
Last updated: March 23, 2026
LoomBrain is a cloud-hosted personal knowledge graph operated by Back to Meaning. This Privacy Policy describes how we collect, use, store, and protect your information when you use the LoomBrain web service and browser extension (collectively, the "Service").
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address (required) — used for authentication and account communication.
- Display name (optional) — used to personalize your experience.
- Password — stored as a cryptographic hash (PBKDF2 with a per-user salt and 100,000 iterations). We never store your password in plaintext.
If you sign in with Google, we receive your email address, display name, and Google user ID through the OAuth protocol. We do not request access to your Google contacts, calendar, or any other Google services.
1.2 Content You Capture
The core function of LoomBrain is to capture and organize web content you choose to save. When you use the browser extension to capture a page, we collect:
- Page content — the HTML of the webpage (up to 5 MB per capture).
- URL and page title of the captured page.
- Content type — automatically classified (article, tweet, repository, PDF, audio, note, video, or image).
- Your annotation — an optional note you provide explaining why you captured the content.
- Content hash — a SHA-256 hash used solely for deduplication.
- Timestamp — when the capture occurred.
For specific content types, we may extract additional data: tweet text from X (Twitter), README content from GitHub repositories, and metadata from YouTube videos.
Important: We only capture content when you explicitly trigger a capture. The extension does not passively monitor or record your browsing activity.
1.3 Browser Extension Permissions
The LoomBrain browser extension requests the following permissions. Each is necessary for the extension to function:
- tabs / activeTab — to read the current page when you trigger a capture.
- scripting — to extract page content for capture.
- storage — to store your authentication tokens locally in the browser.
- offscreen — for background content processing.
- webNavigation — to detect when a page has finished loading before capture.
- Host permission (all URLs) — to allow capture from any website you visit. This permission is only exercised when you explicitly initiate a capture.
1.4 Authentication and Session Data
To keep your account secure, we generate and manage:
- Access tokens — short-lived JSON Web Tokens (15-minute expiry).
- Refresh tokens — stored as cryptographic hashes (30-day expiry).
- API keys — for programmatic access, stored as cryptographic hashes.
- Magic link tokens — for passwordless sign-in; they are hashed and expire within 15 minutes.
- Device authorization codes — for authenticating the extension; they expire after a short period.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — store and organize your captures into a personal knowledge graph.
- Process content with AI — generate summaries, tags, key points, and classifications for your captures (see Section 3).
- Enable search — create vector embeddings of your content for semantic search.
- Authenticate you — verify your identity and protect your account.
- Deduplicate content — avoid storing the same capture twice using content hashes.
- Maintain the Service — monitor processing health, debug failures, and improve reliability.
We do not use your data for advertising, profiling, or selling to third parties.
3. AI Processing
When you capture content, it is processed by AI to enrich your knowledge graph. Specifically:
- Content analysis — your captured content is sent to Anthropic's Claude API to generate summaries, extract key points, suggest tags, and classify content into categories.
- Embedding generation — text from your captures is processed by Cloudflare AI to create vector embeddings that power semantic search.
We maintain a full processing audit trail (provenance) for every AI operation, recording which model was used, when processing occurred, and the volume of data processed.
Your content is sent to these AI providers solely for the purpose of providing the Service to you. We do not permit these providers to use your content for training their models.
4. Data Storage and Security
4.1 Infrastructure
All service data is hosted on Cloudflare's global network:
- Database — Cloudflare D1 (SQLite-based), with strict tenant isolation.
- Object storage — Cloudflare R2 for raw capture content, organized by tenant.
- Vector store — Cloudflare Vectorize for search embeddings.
- Processing queue — Cloudflare Queues for the ingestion pipeline.
4.2 Security Measures
- Passwords are hashed with PBKDF2 using a unique per-user salt and 100,000 iterations.
- API keys, refresh tokens, and magic link tokens are stored as cryptographic hashes.
- All data in transit is encrypted via HTTPS (TLS).
- Multi-tenant data isolation is enforced at the database level — your data is logically separated from other users' data.
- Access tokens are short-lived (15 minutes) to limit exposure.
4.3 Local Storage
The browser extension stores authentication tokens in the browser's local storage. These tokens are not encrypted at rest on your device. You can clear them at any time by signing out of the extension or clearing your browser data.
5. Third-Party Services
We share data with the following third-party services, solely to operate the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Infrastructure (compute, database, storage, queues) | All service data |
| Anthropic (Claude API) | AI content analysis | Captured page content |
| Cloudflare AI | Vector embedding generation | Text content from captures |
| Google (OAuth) | Optional sign-in | OAuth token exchange (email, name, user ID) |
We do not sell, rent, or share your personal data with any other third parties. We do not use analytics or tracking services.
6. Cookies and Tracking
LoomBrain does not use cookies. Authentication is handled via tokens stored in the browser's Storage API. We do not use any analytics, advertising, or tracking technologies.
7. Data Retention and Deletion
- Account and content data is retained for as long as your account is active.
- Ephemeral tokens (magic link tokens, device authorization codes, OAuth state) are automatically purged upon expiration.
- Processing provenance (audit records of AI operations) is retained for operational and compliance purposes.
To request deletion of your account and all associated data, contact us at [email protected]. We will process deletion requests within 30 days.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate personal data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Data portability — request your data in a structured, machine-readable format.
- Restriction — request that we limit how we process your data.
- Objection — object to processing of your personal data.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Children's Privacy
LoomBrain is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or our data practices, contact us at:
Back to Meaning
[email protected]