01 · legal

Tomoni Privacy Policy.

Version 1.0 · April 2026

What Tomoni is, in one paragraph.

Tomoni is a personal AI companion for iPhone, built by exp². She helps you stay on top of your inbox, your calendar, and the parts of your life you've asked her to pay attention to. She is designed so that what she learns about you lives on your device, not on our servers. This policy explains what that means in practice — what we collect, where it lives, and what we never do with it.

The short version.

what we never do

We do not sell your data. Ever. To anyone.
We do not run ads in Tomoni or in any exp² product.
We do not use your conversations with Tomoni to train AI models.
We do not set cookies on exp².io or its subdomains.
We do not use third-party analytics SDKs to track you across apps or sites.
We do not store your email or calendar content on our servers. It passes through our infrastructure during summary generation and is not retained.
We do not store your conversations with Tomoni on our servers. They live on your device.

1. Where your data actually lives.

Tomoni is unusual in how she handles memory. Most AI products keep everything they learn about you on their servers. Tomoni does not.

1.1 On your device

The memory card — the record of what Tomoni has learned about you, including the synthesized understanding that compounds over time — lives in iOS's local storage on your device. It is not uploaded to exp² servers. It does not transit our infrastructure.

Your conversations with Tomoni are stored on your device. Your OAuth tokens (for Gmail, Outlook, Slack, and other connected accounts) are stored in the iOS Keychain on your device.

1.2 In your private iCloud

Tomoni syncs your memory card across your own Apple devices using Apple's iCloud Key-Value store. This sync happens inside your private iCloud account — not through exp². We cannot read, copy, or access the contents of this sync. If you delete your iCloud data through Apple's settings, we cannot undelete it on your behalf.

1.3 On our servers

We retain only the minimum required to operate the service:

Your account identifier (from Sign in with Apple or your chosen authentication provider)
Your onboarding profile (the preferences you set when you first opened Tomoni — name, work style, communication calibration)
Generated summaries, so they are available if you switch or reinstall your device
Operational metadata such as rate-limit timestamps

We do not store your conversations, your memory card, your email content, your calendar content, or any raw content from connected accounts.

2. What we collect and why.

2.1 Information you give us directly

Your name and preferred name
Your onboarding profile: job context, work style, personal priorities, communication preferences
Account-level settings and preferences you configure in the app

We use this information to generate summaries in your voice and calibrate how Tomoni speaks with you.

2.2 Information from connected accounts

When you connect Gmail, Google Calendar, Outlook, Outlook Calendar, Apple Calendar, Apple Reminders, iCloud Mail, Slack, or any other supported integration, Tomoni accesses:

Email metadata and content (subject, sender, recipients, body, timestamps)
Calendar events (title, time, location, attendees)
Message content from supported messaging services
For Apple integrations: Reminders, HealthKit data, HomeKit data, and other surfaces you explicitly grant permission for

This content is accessed solely to generate your personalized summaries and to answer the questions you ask Tomoni. It passes through our infrastructure in memory during a request; it is not written to persistent storage on our servers.

2.3 Operational metadata

We retain small amounts of operational metadata required to run the service securely — for example, timestamps used to enforce rate limits. This metadata does not include message content, email content, calendar content, or any personal information beyond what's strictly necessary for operation.

3. How your messages are processed.

When you talk to Tomoni, your message passes through our infrastructure on its way to Anthropic's Claude API, which generates Tomoni's response. Anthropic processes this traffic under their Zero Data Retention (ZDR) policy. Under ZDR, Anthropic does not retain your conversation data beyond the processing of each individual request, subject to a safety review window of up to seven days, after which the data is permanently deleted.

Anthropic's privacy policy, which governs their handling of this traffic, is available at anthropic.com/legal/privacy.

4. Third parties.

4.1 Anthropic

Tomoni is powered by Claude, an AI model developed by Anthropic, PBC. Your messages are transmitted to Anthropic's API for processing under the Zero Data Retention policy described above.

4.2 Supabase

We use Supabase to host our account system and store the small amount of server-side data described in Section 1.3. Supabase encrypts data at rest and enforces row-level security policies that restrict access to your own records.

4.3 Google, Microsoft, Apple, and other connected accounts

When you connect a third-party account (Google, Microsoft, Apple, Slack, or others), you authorize Tomoni to access data from that account through OAuth or equivalent permission flows. The terms of service and privacy policies of those providers govern the data we receive from them. You can revoke Tomoni's access at any time through the App's Settings.

4.4 What we do not share

Beyond the third parties named above (all of which are strictly necessary to deliver the service), we do not share your data with anyone. We have no advertising partners, no analytics vendors, no data brokers, and no marketing platforms with access to your information.

5. Data storage and security.

5.1 On-device encryption

Data stored on your device — including your memory card, conversations, and OAuth tokens — is protected by iOS's file-system encryption and, where applicable, the iOS Keychain. Access to this data requires that your device be unlocked.

5.2 Transit

All network traffic between the Tomoni app and exp² infrastructure uses TLS. Traffic between our infrastructure and Anthropic's API also uses TLS.

5.3 Server-side encryption

The small amount of data we do retain on our servers (account identifier, onboarding profile, summaries, operational metadata) is protected by Supabase's encryption-at-rest and row-level security policies.

5.4 What this posture means in practice

What we don't hold, we can't lose, can't leak, and can't be subpoenaed for. Keeping user data on the user's device is deliberate. It is better for you, and it is better for us.

6. Your rights and how to exercise them.

You have the right to:

Access the data we hold about you. Contact us at contact@exp2.io and we will provide a complete export of the server-side data associated with your account.
Correct any inaccurate data we hold about you.
Delete your account and all associated server-side data. Within the app, go to Settings → Privacy & Reset → Delete all data. This removes your account data from our servers and wipes the memory card and conversations from your device.
Disconnect any connected account at any time from Settings. Revoking access stops us from reading any further data from that account; previously generated summaries remain in your account unless you also delete them.
Object to processing of your data. Contact us at contact@exp2.io.

If you delete your data from within Tomoni, we cannot recover it. Memory card content synced to your private iCloud Key-Value store is controlled by Apple and may need to be deleted separately through Apple's settings.

Jurisdiction-specific rights (GDPR, CCPA, other) pending counsel review and formal inclusion.

7. Children's privacy.

TOMONI IS INTENDED FOR USERS WHO ARE 18 YEARS OF AGE OR OLDER. IF YOU ARE UNDER 18, YOU MAY NOT USE THIS APP.

We do not knowingly collect personal information from users under the age of 18. If we become aware that a user under 18 has created an account, we will terminate that account and delete the associated data immediately. Parents or guardians who believe a minor is using Tomoni should contact us at contact@exp2.io.

8. International data transfers.

exp² is based in the United States. If you are located outside the United States, data you submit to Tomoni may be processed in the United States and in the regions where our service providers (Anthropic, Supabase, the connected-account providers you authorize) operate. By using Tomoni, you consent to this processing.

GDPR-specific transfer mechanisms (Standard Contractual Clauses, adequacy decisions) pending counsel review.

9. Changes to this policy.

We may update this policy from time to time. When we do, we will update the date at the top of this page. Material changes — particularly any changes to what we collect or how we use it — will be communicated to active users by email. Your continued use of Tomoni after changes constitutes acceptance of the updated policy.

10. Contact.

exp² (Experience Experiment)
Moses Pan, Founder
contact@exp2.io
Los Angeles, California

For privacy questions, data requests, or concerns, please write to contact@exp2.io.

Version 1.0 draft · April 2026 · pre-counsel review