Privacy

Your data, your business.

Palmi is built for a few people you actually trust. We treat your data the same way — like it belongs to you, because it does. This page explains, in plain English, what we collect, why, and what we don’t do with it.

Last updated: April 23, 2026

The short version

  • We collect the minimum we need to make palmi work.
  • We do not sell your data. Ever.
  • We do not serve third-party ads and we do not build advertising profiles.
  • Only the people in your circle see what you post to that circle.
  • You can export or delete your account at any time by emailing us.

If something on this page is unclear, write to privacy@palmi.app and we’ll rewrite it.

Who we are

“Palmi,” “we,” “us,” or “our” refers to the operator of the palmi application and palmi.app. You can reach us at hi@palmi.app for general questions or privacy@palmi.app for anything on this page.

What we collect

Information you give us

  • Phone number. Used to sign you in and to verify you’re a real person. We send a one-time code by SMS at sign-in.
  • Profile. Your display name, optional bio, optional profile photo, and any optional fields you choose to add (job title, school, city, website, etc.).
  • Content you post. Answers, replies, photos, and videos you share in your circles.
  • Contact info. If you join our waitlist, your email address.

Information we collect automatically

  • Device & app basics. Device type, OS version, app version, crash reports, and coarse timestamps. Used to fix bugs and keep the app running.
  • Push tokens. If you opt into notifications, we store the device token needed to send them.
  • Security logs. IP address and limited request metadata, kept briefly for abuse prevention and account safety.

What we do not collect

  • Precise location. We never ask for GPS.
  • Your contacts, camera roll, microphone, or calendar (unless you explicitly share a specific item).
  • Cross-site tracking identifiers or third-party advertising IDs.

How we use it

  • To run the app: sign you in, show your circle its posts, deliver notifications.
  • To keep people safe: prevent spam, abuse, and impersonation.
  • To improve the product: aggregate, de-identified usage patterns only.
  • To email you about access and launch updates tied to your waitlist request.
  • To contact you about your account or a serious product change.

We do not use your content to train third-party advertising models or sell it in any form. If we ever use aggregate data to improve our own product, it is not tied back to you.

Who sees what you post

Palmi is built around small circles of 5–15 people. Content you post to a circle is visible only to members of that circle and to palmi staff acting in a narrow, documented role (abuse review, legal requests, or restoring a lost account at your request).

Your profile photo and display name may be shown to other members of circles you join, and to people you invite.

Who we share data with

We share your data with a small set of vendors who help us run palmi. Each is bound by contract to use your data only to provide their service to us.

  • Supabase — database, authentication, file storage.
  • Twilio — SMS delivery for sign-in codes.
  • Expo — push notification delivery.
  • Model providers — we use large language models strictly for content moderation and for drafting daily questions. We do not send your name, phone number, or profile fields to these providers, and providers are prohibited from using our data for training.

We do not sell your personal information. We do not share it with data brokers. We do not provide it to advertisers.

Retention

  • Your posts remain until you or your circle owner deletes them, or you delete your account.
  • Security logs are retained for up to 90 days.
  • Backups are rotated on a rolling basis and deleted data expires from them within 30 days.
  • If you delete your account, we remove your profile and content within 30 days, except where a narrow legal obligation requires us to keep specific records longer.

Your rights

Regardless of where you live, you can ask us to:

  • Access a copy of your data.
  • Correct anything that’s wrong.
  • Delete your account and associated content.
  • Object to a specific use, or ask us to restrict it.

To make any of these requests, email privacy@palmi.app from the address tied to your account or verify with the phone number on file. We respond within 30 days.

If you’re in the EEA or UK, you have the right to complain to your local data protection authority. If you’re in California, the CCPA/CPRA gives you the rights listed above; we do not “sell” or “share” personal information as those terms are defined by the CCPA.

Security

Your data is encrypted in transit and at rest. Access inside palmi is limited to the few people who need it to run the service. We enforce two-factor authentication on our admin tools. We’re a small team, so we’re not going to pretend we’re impenetrable — but we take this seriously, and if something happens, we’ll tell you directly.

Children

Palmi is not intended for anyone under 13. If you believe a child under 13 has created an account, email privacy@palmi.app and we’ll remove it.

International transfers

Palmi is operated from the United States. If you’re accessing it from elsewhere, your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses where required.

Changes to this policy

If we change this policy in a way that meaningfully affects you, we’ll tell you in the app or by email before it takes effect. Older versions are available on request.

Contact

Privacy questions: privacy@palmi.app
Everything else: hi@palmi.app

Read the Terms →