Privacy Policy
Last updated: April 17, 2026
Bloom Street LLC ("Bloom Street," "we," "us," or "our") operates Osera, an AI-powered application for iPhone. This Privacy Policy explains how we collect, use, store, and share your personal information when you use Osera and related services, including our website at osera.io.
By using Osera, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use Osera.
1. Important Notice: Experimental Technology
Osera is built on cutting-edge artificial intelligence technology. We want to be upfront about what that means for your privacy:
- Your conversations are processed by third-party AI providers. To generate responses, your messages — including personal details, files, and context — are sent to external AI services. We use multiple providers across different countries, including the United States, the European Union, and China.
- We cannot fully control how AI providers handle your data. While we select providers with reasonable data practices and use API-level access (which typically offers stronger privacy protections than consumer-facing products), each provider operates under its own privacy policy and local laws.
- AI systems can be unpredictable. Responses may be inaccurate, inappropriate, or may inadvertently reference information from your conversations in unexpected ways.
- Use discretion with sensitive information. We recommend against sharing highly sensitive data — such as passwords, financial account numbers, medical records, or legal matters — in conversations with Osera.
We take reasonable steps to protect your data, but complete security cannot be guaranteed with any internet-connected AI service. We believe you deserve to know this upfront rather than buried in fine print.
2. AI Disclosure
Osera is powered entirely by artificial intelligence. You are not interacting with a human. All responses are generated by AI systems. While Osera may feel personal, it is not a real person.
Osera is not a mental health service, therapist, counselor, or crisis intervention tool. It is not a substitute for professional mental health treatment. If you are experiencing a mental health crisis, contact the 988 Suicide & Crisis Lifeline (call or text 988), the Crisis Text Line (text HOME to 741741), or your local emergency services.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address
- First name (optional)
- Authentication identifiers (one-time passcodes or magic links delivered via email)
- Apple ID identifier (if using Apple Sign-In)
3.2 Conversation Data
When you interact with Osera, we process:
- Messages: Text messages you send and AI-generated responses
- Attached files: Images, documents, and other files you share
- Tool results: Data retrieved on your behalf from connected services (email content, calendar events, web search results, etc.)
- Conversation context: Your full conversation history is included with each AI request to maintain continuity. This means earlier messages — including personal details mentioned in prior exchanges — are re-sent to AI providers with each new message.
Messages are stored on our servers for up to 30 days. Your AI assistant also maintains workspace files (memory, preferences, personality notes) that are stored on your cloud agent and synchronized with our servers.
3.4 Location Data
If you grant location permission, we collect:
- Latitude, longitude, and accuracy
- Collected via significant location change monitoring (not continuous GPS tracking)
- Sent to our servers for contextual awareness
You can enable or disable location tracking at any time in app settings. Location data is automatically deleted from our servers after 48 hours.
2.5 Apple Data (Calendar and Reminders)
If you grant the relevant permissions, Osera can access:
- Calendar events: Title, time, and location of upcoming events (next 24 hours)
- Reminders: Title, due date, and priority of incomplete reminders (next 7 days)
This data is synced to our servers to provide your AI assistant with relevant context. Each sync overwrites the previous data — no history is retained. This data may be included in AI requests when relevant to your conversation.
2.6 SMS Messaging
2.6.1 Waitlist SMS
When you provide your phone number on osera.io or text JOIN or MINE to (415) 936-7594, we collect your phone number and send up to two (2) text messages: one confirmation when you join the waitlist, and one notification when access is available. Your phone number is stored in our waitlist database to notify you when Osera is available. We do not sell, share, or use waitlist phone numbers for marketing purposes. Reply STOP to opt out, HELP for help. Message and data rates may apply. Up to two (2) messages total.
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
2.6.2 Current Messaging Features
Osera does not currently expose SMS-based group messaging, chat spaces, or voice calling in the shipped iOS app. If we launch coordinated messaging features later, this Privacy Policy will be updated before those features become generally available.
2.7 Device and Technical Information
When you install and use Osera, we automatically collect:
- A unique installation identifier (regenerated if you reinstall the app)
- Device model and operating system version
- App version
- Push notification token
- Error reports including error messages and environment details
2.8 Usage and Billing Information
- Which AI models are used for each request
- Token counts (input and output) and response times
- Cost calculations for billing purposes
- Subscription status, tier, and billing cycle
2.9 Integration Data
When you connect third-party services (such as email, calendar, messaging, or productivity tools), we store:
- OAuth access and refresh tokens (managed through an integration authentication service)
- Connection status and the email address associated with each connection
You can disconnect any integration at any time, which revokes access.
2.10 Calendar Subscriptions (ICS Feeds)
You may provide URLs for academic or institutional calendar feeds (such as Blackboard, Canvas, or Moodle ICS feeds). When you do:
- Feed URLs: The ICS feed URL you provide is stored on our servers
- Event data: Our server fetches and parses the calendar feed to extract event titles, times, locations, and descriptions
- Sync frequency: Feeds are automatically re-fetched every 6 hours to keep your calendar context current
- AI context: Parsed events may be included in AI requests to provide scheduling awareness
You can remove a calendar subscription at any time, which stops fetching and deletes the stored events.
2.11 Photo Context Awareness
If you grant photo library access, Osera may use on-device machine learning (Apple Vision framework) to analyze your photo library metadata:
- Scene labels: On-device image classification produces category labels (e.g., "beach," "concert," "hiking") without transmitting your actual photos
- GPS coordinates: Per-photo GPS coordinates (latitude/longitude) are extracted from photo metadata and sent to our servers
- Interest profile: Aggregated scene and location data is synced to our servers to help your AI understand your interests and lifestyle
Your actual photos are never uploaded to our servers or sent to AI providers. Only metadata (scene labels, GPS coordinates, aggregate counts) leaves your device — your actual photos are never uploaded. You can revoke photo library access at any time in iOS Settings.
2.12 Music Data (MusicKit and ShazamKit)
If you grant access to Apple Music:
- Library analysis: Osera uses Apple MusicKit to analyze your on-device music library, including artists, genres, play counts, and recently played tracks
- Taste profile: A summarized music taste profile is synced to our servers and may be included in AI context
- Song recognition: When you use the "what's playing?" feature, Osera uses Apple ShazamKit to identify songs on-device. Recognized song information (title, artist, album) is synced to our servers
Music data is processed through Apple's frameworks on your device. We receive summarized taste data and recognition results, not raw audio or your full library catalog.
2.13 Weather Data (WeatherKit)
Osera uses Apple WeatherKit to fetch weather conditions for your current location. Weather data (temperature, conditions, forecast) is injected into your AI context to enable weather-aware responses. No weather data is stored long-term — it is fetched on-demand and used only for the current conversation context.
2.14 Email Account Credentials (JMAP)
If you connect an email account via JMAP (an open email protocol):
- Credentials stored: Your JMAP server URL, username, and password are stored on our servers to enable email tool access
- Usage: These credentials allow your AI to read, search, and compose emails on your behalf
- Security: Credentials are stored on our servers with access controls. They are transmitted over encrypted connections (TLS) when connecting to your email server. We recommend using app-specific passwords
You can remove your email credentials at any time in Settings, which immediately revokes Osera's access to your email account. We strongly recommend using an app-specific password rather than your primary email password.
2.15 Social Graph Analysis
Osera derives relationship intelligence from your interactions to provide better context:
- Relationship scores: Based on how frequently you mention people and interact across the product, we compute relationship proximity scores
- Community detection: We identify social clusters (e.g., "college friends," "work team") from your interaction patterns
- Derived data storage: This analysis is stored in a separate database optimized for graph queries
Relationship graph data is derived from information you have already provided to Osera through conversations and product activity. We do not import social graphs from external social networks. This data is used solely to improve your AI's contextual awareness of the people in your life.
2.16 Onboarding Profile
During onboarding, we may collect information about your personality, interests, communication preferences, and needs through a text conversation or in-app onboarding flow. This profile is stored in your assistant's workspace to personalize the experience.
2.17 Payment Information
Payments are processed by third-party payment processors. We do not directly collect or store payment card details. From our payment processors, we receive and store subscription identifiers, status, tier, and billing cycle dates.
2.18 Website Analytics
When you visit osera.io:
- Without cookies: We collect page views, referrer, UTM parameters, and approximate country (from IP geolocation) via our own server-side tracking.
- With consent: If you accept cookies, third-party advertising measurement tools may set cookies on your device. You can reject these at any time via the consent banner.
2.19 Feedback
If you submit feedback, we collect your message, any screenshots or recordings you include, and diagnostic information about your environment at the time of submission.
3. How Your Data Reaches AI Providers
This section is important. Understanding how your data flows through AI systems is central to making informed decisions about using Osera.
3.1 What Gets Sent
When you send a message, the following is transmitted to an AI provider to generate a response:
- Your new message
- Your full prior conversation history (up to the provider's context limit, which can be very large — up to millions of words)
- Results from any tools used during the conversation (email content, calendar data, web search results, file contents, etc.)
- System context including your first name and basic preferences
- Images and file attachments
3.2 Multiple Providers
Osera uses multiple AI providers to ensure reliability and performance. If one provider is unavailable or rate-limited, your request may be automatically routed to another. This means your conversation data may be processed by several different AI services over time.
We use AI providers based in:
- The United States
- The European Union
- China
Data sent to providers based in China is subject to Chinese law. Chinese authorities may have legal authority to access data processed within their jurisdiction. We use these providers because they offer strong AI capabilities at accessible price points, but you should be aware of this when deciding what information to share with Osera.
3.3 What We Don't Send
We do not send the following to AI providers:
- Your email address or authentication credentials
- Your payment information
- Your email account passwords or JMAP credentials
- Your actual photos (only derived metadata like scene labels and GPS coordinates)
- Raw audio from music recognition
- Other users' data
- OAuth tokens for your connected services
Note: Some contextual data — including weather conditions, calendar events from ICS feeds, music taste profiles, photo interest profiles, and relationship context from social graph analysis — is included in AI requests when relevant to your conversation.
3.5 No Content Redaction
We do not currently scrub or redact personal information from your messages before sending them to AI providers. If you mention someone's name, phone number, or other personal details in a conversation, that information will be included in the data sent to providers. Please exercise discretion.
4. How We Use Your Information
To Provide Osera's Core Service
- Process your messages and generate AI responses
- Synchronize conversations between your devices
- Execute actions on connected third-party services on your behalf
- Deliver proactive check-ins and contextual assistance
- Store and retrieve your assistant's memory and preferences
To Manage Billing
- Track token usage against your subscription tier
- Process subscription changes and renewals
- Maintain billing records
To Improve the Service
- Identify and fix bugs using error reports and diagnostics
- Analyze usage patterns to improve features (using aggregated, non-conversation data)
- Optimize AI provider routing for reliability and cost
To Communicate With You
- Send authentication codes and service-related messages
- Notify you of policy changes or important updates
- Respond to support and feedback requests
To Ensure Security
- Detect and prevent abuse of the service
- Enforce our Terms of Service
5. How We Share Your Information
We share your information with the following categories of third parties. We do not sell your personal information to anyone.
5.1 AI Providers
Your conversation data (messages, files, context) is sent to third-party AI providers to generate responses. We use multiple providers across the United States, the European Union, and China. See Section 3 for details on what data reaches these providers.
5.2 Integration Services
When you connect third-party accounts (email, calendar, messaging, etc.), an integration authentication service manages OAuth tokens on your behalf. This service stores your access credentials for connected accounts.
5.3 Infrastructure Providers
We use third-party services for:
- Backend database and authentication
- Cloud compute for your AI agent
- Graph database for social relationship analysis (hosted by a third-party provider)
- Object storage for archived data
- Email delivery for authentication codes and service messages
- Content delivery and DNS
- Website hosting
These providers process data as necessary to operate the infrastructure but do not use your data for their own purposes.
5.5 Payment Processors
Subscription payments are handled by third-party payment processors. They receive your email and payment details. We receive only subscription identifiers and status — never your card number or bank details.
5.6 Website Analytics (with consent)
With your consent via our cookie banner, website usage data may be shared with third-party advertising measurement services.
5.7 Legal and Safety Disclosures
We may share information:
- To comply with legal obligations, court orders, or government requests
- To protect our rights, property, or safety, or that of our users
- In connection with a merger, acquisition, or sale of assets (you will be notified)
- With your consent or at your direction
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Synced messages | 30 days | Automatic daily cleanup |
| Location pings | 48 hours | Automatic daily cleanup |
| Cloud agent logs | 24 hours | Automatic hourly cleanup |
| Agent backups | 30 days | Automatic daily cleanup |
| ICS calendar events | Until subscription removed + next sync cycle | Overwritten every 6 hours; deleted on removal |
| Photo sync data (per-photo metadata) | 90 days (rolling) | Automatic cleanup; on account deletion or permission revocation |
| Photo interest profile (aggregated) | Duration of account | On account deletion or permission revocation |
| Music taste profile | Duration of account | On account deletion or permission revocation |
| ShazamKit recognition results | Duration of account | On account deletion |
| Email credentials (JMAP) | Until disconnected by user | Immediate on disconnection |
| Social graph data | Duration of account | On account deletion |
| Weather data | Not stored (fetched on-demand) | N/A |
| Usage and billing logs | Duration of account + legal retention period | On account deletion (subject to tax/legal holds) |
| Device telemetry | Duration of account | On account deletion |
| Error reports | Duration of account | On account deletion |
| Account information | Until deletion requested + reasonable wind-down period | On request |
When your subscription ends: After a 7-day grace period, your cloud agent's workspace data is archived. Archives are retained for 30 days (trial accounts) or 1 year (paid accounts that have churned), after which they are permanently deleted. If you re-subscribe during this window, your data can be restored.
AI provider retention: We do not control how long AI providers retain data they receive. Most API-level services have stated policies against using API data for model training, but retention practices vary by provider and jurisdiction. Data sent to providers in China may be subject to local data retention requirements.
7. International Data Transfers
Bloom Street LLC is based in the United States. Your data is processed in multiple jurisdictions:
- United States: Our primary backend, most AI providers, payment processing, and infrastructure.
- European Union: Some AI providers are based in the EU.
- China: Some AI providers are based in China. Your conversation data — including message content, tool results, and system context — may be processed on servers in China, subject to Chinese law.
For users in the European Economic Area, United Kingdom, or Switzerland: these transfers are conducted using appropriate safeguards where available, including Standard Contractual Clauses. However, we acknowledge that transfers to China may not benefit from the same level of data protection as transfers within the EU or to countries with adequacy decisions.
By using Osera, you acknowledge that your information will be transferred to and processed in multiple jurisdictions, including countries that may have different — and potentially less protective — data laws than your country of residence.
8. Data Security
We implement the following security measures:
- All data in transit is encrypted via TLS/SSL
- Authentication tokens are stored in your device's secure iOS Keychain, not in plain text
- Authentication uses one-time passcodes — no passwords are stored anywhere
- OAuth tokens for connected services are stored server-side with access controls
- Email credentials (JMAP) are stored server-side with access controls and transmitted only over TLS-encrypted connections
- API keys for AI providers are stored server-side and never exposed to your device
What we don't currently do:
- We do not redact personal information from messages before sending them to AI providers
- We do not offer end-to-end encryption for conversations
No system is perfectly secure. Despite our efforts, we cannot guarantee that your data will never be accessed by unauthorized parties. This is especially relevant for data transmitted to third-party AI providers operating in different legal jurisdictions.
9. Legal Basis for Processing (EEA/UK Users)
If you are located in the European Economic Area or United Kingdom, we process your personal information under the following legal bases:
Performance of Contract
Processing your account information, conversation data, and usage data is necessary to provide Osera's services.
Consent
The following require your explicit consent:
- Camera access for photo capture
- Location tracking
- Calendar and reminders access
- Photo library access for interest profiling
- Apple Music library access
- Email account credentials (JMAP)
- Client-side website analytics cookies
You may withdraw consent at any time by disabling the relevant feature or revoking the permission in your device settings.
Legitimate Interests
We process certain information based on legitimate business interests, where those interests are not overridden by your rights:
- Device telemetry and error reporting to maintain service stability
- Security monitoring to prevent abuse
- Server-side website analytics (cookieless)
Legal Obligation
We process information as required for tax reporting and legal compliance.
10. Your Rights and Choices
10.1 All Users
Permission Controls
You can grant or revoke any device permission (camera, calendar, reminders, location) at any time through iOS Settings.
Location Tracking
You can toggle location tracking on or off within the Osera app. When disabled, no location data is collected or transmitted.
Integration Management
You can connect or disconnect third-party integrations at any time, which revokes OAuth access to those services.
Account Deletion
You may request deletion of your account and associated data by contacting us at privacy@osera.io. We will process your request within 30 days.
Communications
You can opt out of non-essential communications by contacting us.
10.2 EEA, UK, and Swiss Users
You have additional rights under applicable data protection laws:
- Right of Access: Request a copy of the personal information we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete information.
- Right to Erasure: Request deletion of your personal information.
- Right to Restriction: Request restricted processing in certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@osera.io. We will respond within 30 days.
10.3 California Users
Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information we collect and how we use it, the right to request deletion, and the right to opt out of sales. We do not sell personal information.
11. Cookies and Tracking
Osera App
The Osera iPhone app does not use cookies or third-party tracking. We do not use any analytics SDKs, crash reporting services, or advertising frameworks within the app.
Website (osera.io)
| Technology | Purpose | Consent Required |
|---|---|---|
| Server-side analytics | Page views, referrer, approximate country | No (cookieless) |
| Advertising measurement pixels | Ad campaign effectiveness | Yes |
You can manage cookie preferences by clearing your browser cookies and revisiting our site.
12. Children's Privacy
Osera is not intended for users under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will delete it. If you believe we have collected information from a minor, please contact us immediately.
13. Third-Party Links and Services
Osera integrates with third-party services (email, calendar, messaging, etc.) at your direction. Each integrated service is governed by its own privacy policy. We encourage you to review the privacy policies of any services you connect.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Post the updated policy with a new "Last updated" date
- Send an email notification to your registered email address
- Display a notice within the Osera application
Your continued use of Osera after the effective date constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data:
Bloom Street LLC
Email: privacy@osera.io
We commit to responding to all privacy inquiries within 30 days.
This Privacy Policy is effective as of April 17, 2026.