Privacy Policy

What Osmia learns about you is yours.

Over months, a daily practice builds an unusually intimate picture of a person — more than almost anything else your devices hold. That raises the bar for how it must be treated. This is the full policy, written to be read, accurate about how Osmia works today. Last updated July 13, 2026.

Who is responsible

Osmia — the app and this site — is operated by Balder Berg Adelgaard, an individual based in Crete, Greece (EU), who is the data controller for everything described here. For any privacy question or request: privacy@osmia.day. If Osmia becomes a company, this line will change to name it.

What Osmia collects

Only what the practice needs:

Your email address — to create your account and sign you in. With Sign in with Apple this may be an Apple private-relay address rather than your real one; that's your choice, and Osmia works the same either way.

Your writing — the intentions, reflections, and conversations you put into the app, the responses Osmia writes back, and an internal structured reading Osmia derives from your words in order to respond well. Thread names and pattern letters generated from your writing are stored with it.

Your account — an internal identifier linking your writing to you, and two optional profile details: a display name (how Osmia addresses you) and your country of residence. Both can be left blank, changed, or cleared at any time.

The waitlist on this site — the email address you give, when you gave it, and a salted one-way hash of the connection it came from, used only to keep the form from being abused and deleted at launch. The address is used once: to tell you when Osmia opens.

Osmia does not collect your location (no GPS — the country above is a setting you choose, not something detected), your contacts, health or wearable data, device or advertising identifiers, browsing history, or payment card details. When payments launch they will be handled by a payment provider acting as merchant of record; Osmia itself will not hold your card.

What your writing can reveal

A reflective practice is intimate by nature. What you write may reveal things about your emotional life, your health, your relationships, your beliefs — the categories the law calls special and protects hardest. Osmia treats all of your writing at that standard, without trying to sort the sensitive from the ordinary. It is processed only because you choose to write it, only to run your practice, and with your explicit consent, which you give when you create your account and can withdraw at any time by deleting it.

Why it is processed

In the law's terms, Osmia processes your data on three bases: to provide the service you signed up for (your account, your sign-in, showing you your own practice); with your explicit consent (processing your writing to generate Osmia's responses); and out of legitimate interest in keeping the service safe (daily fair-use counters and abuse prevention — counting, not reading). There is no secondary use. Nothing here is processed for advertising, profiling beyond your own practice, or sale.

What Osmia does not do

No advertising — Osmia carries no ads by design, and shares nothing with advertisers. No tracking — no analytics, crash-reporting, or telemetry software rides along in the app, and Osmia does not follow you across other apps or sites. No selling — your information is never sold or rented to anyone.

Where your data goes

Osmia stands on a small number of providers, each processing your data only to provide their service:

Supabase hosts Osmia's database and authentication. Your account and writing live there, in the EU (Frankfurt), encrypted in transit and at rest.

A backend service operated for Osmia generates the responses. When you ask Osmia to respond, the text you wrote — never your email or account identity — is sent to it. It runs in the EU (Amsterdam).

Anthropic — the AI service Osmia is built on — processes that text to write the reply. Under Anthropic's commercial terms your writing is never used to train their models; their API logs are kept for a short period (approximately 30 days) for abuse monitoring only. Your identity is not attached to the text they see. Anthropic is a US company; this processing happens under their data-processing terms and the EU-approved transfer safeguards they provide.

Dictation, if you use it, becomes text on your own device where your language supports it; otherwise Apple's speech service transcribes it. Your audio never reaches Osmia's servers and is never stored.

How long it is kept

Your writing is kept for as long as your account exists, so your practice can be a continuous thing. Deleting your account — a control that lives in the app, in your hands — permanently deletes your writing, your conversations, your history, your profile, and the account itself, in one operation. The waitlist address is used once and removable any time by writing to the address below; its anti-abuse hash is deleted at launch.

An honest note on security

Your content is protected by your credentials, standard access controls, and encryption in transit and at rest. It is important to be precise: at this stage your writing is not end-to-end encrypted, and Osmia's operator can, in principle, access stored content to operate and support the service. The direction is clear — the most sensitive things Osmia holds should open only to your key, a lock that holds even for the people who build Osmia — but that lock isn't built yet, and this policy won't claim otherwise until it is.

Your rights

Your data is yours, and the GDPR gives that teeth. You can ask for access to what Osmia holds about you, have it corrected, have it deleted, receive a portable copy, restrict or object to processing, and withdraw consent at any time. The strongest of these is built into the app itself: delete your account, and everything goes with it. For the rest, write to privacy@osmia.day — requests are answered by the person who builds Osmia, within a month. If you believe your rights haven't been honoured, you can complain to your local data protection authority, or to Greece's Hellenic Data Protection Authority.

Children

Osmia is for people aged 16 and over. It is not directed at children and does not knowingly collect data from anyone under 16.

When this policy changes

If this policy changes, the date at the top changes with it, and the current version always lives at this address. If a change matters — new data collected, a new provider, a new purpose — you'll be told inside the app or by email before it takes effect.

Privacy here is a design principle, not a settings page — the same stance the rest of Osmia is built on.