Security at Omoi

Last updated: 16 July 2026

Omoi holds some of the most personal data an app can hold. This page explains, in plain language, how it is protected.

How your data is protected

  • Encrypted in transit. Every connection between the app and our servers uses TLS. There is no unencrypted path.
  • Encrypted at rest. Databases and file storage (your attachments, photos, voice notes) are encrypted at rest by our infrastructure provider.
  • Your password is never stored. Only a salted hash. Sessions use short-lived signed tokens (JWT).
  • Strict data isolation. Every single database query is scoped to your user ID, enforced in the server code path — not the client. Another user’s request physically cannot address your rows.
  • Bank SMS is never stored. On Android, transaction SMS are parsed for the transaction and discarded; full message bodies never touch our database. (Details: Privacy Policy §3.)
  • No ads, no trackers. The app contains no advertising or third-party analytics SDKs. Nobody is profiling you inside Omoi.
  • AI providers can’t train on your data. Anthropic and OpenAI process content solely to return results, under terms prohibiting training use.
  • Least privilege. Production secrets live in the deployment environment, not in code; sub-processors receive only the data their function needs.
  • Payments never touch us. Card details go to Apple/Google; we only learn your subscription state.

Found a vulnerability?

Email admin@getomoi.com. We commit to acknowledging reports within 3 business days and will not pursue good-faith researchers. Please don’t access other users’ data while demonstrating an issue.


Related: Privacy Policy · Support · Delete your account