Security at Omoi
Last updated: 16 July 2026Omoi holds some of the most personal data an app can hold. This page explains, in plain language, how it is protected.
How your data is protected
- Encrypted in transit. Every connection between the app and our servers uses TLS. There is no unencrypted path.
- Encrypted at rest. Databases and file storage (your attachments, photos, voice notes) are encrypted at rest by our infrastructure provider.
- Your password is never stored. Only a salted hash. Sessions use short-lived signed tokens (JWT).
- Strict data isolation. Every single database query is scoped to your user ID, enforced in the server code path — not the client. Another user’s request physically cannot address your rows.
- Bank SMS is never stored. On Android, transaction SMS are parsed for the transaction and discarded; full message bodies never touch our database. (Details: Privacy Policy §3.)
- No ads, no trackers. The app contains no advertising or third-party analytics SDKs. Nobody is profiling you inside Omoi.
- AI providers can’t train on your data. Anthropic and OpenAI process content solely to return results, under terms prohibiting training use.
- Least privilege. Production secrets live in the deployment environment, not in code; sub-processors receive only the data their function needs.
- Payments never touch us. Card details go to Apple/Google; we only learn your subscription state.
Found a vulnerability?
Email admin@getomoi.com. We commit to acknowledging reports within 3 business days and will not pursue good-faith researchers. Please don’t access other users’ data while demonstrating an issue.
Related: Privacy Policy · Support · Delete your account