Privacy Policy
Last updated: December 18, 2025
1. Introduction
TDD Software LLC ("Company," "we," "us," or "our") operates Locus (the "Service"), an AI-powered personal analytics platform that helps users unify and query their personal data from various sources.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address
- Name
- Password (stored securely using industry-standard hashing)
Data from Connected Services
When you connect third-party services (such as Garmin, Strava, or Google Calendar), we collect and store the data you authorize us to access, which may include:
- Fitness and Health Data: Workouts, activities, sleep data, heart rate, steps, and other health metrics
- Calendar Data: Events, appointments, and schedule information
- Activity Data: Routes, performance metrics, and training information
Automatically Collected Information
When you access our Service, we may automatically collect:
- Device and browser information
- IP address
- Usage data and analytics
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Synchronize your data from connected third-party services
- Enable AI assistants to query your data on your behalf via the Model Context Protocol (MCP)
- Improve and personalize your experience
- Communicate with you about the Service
- Ensure the security of our Service
4. Third-Party Integrations
Locus integrates with the following third-party services:
Garmin Connect
When you connect your Garmin account, we access your fitness and health data through Garmin's official API. This includes workout data, sleep metrics, heart rate information, and activity summaries. We store this data securely in our database to enable querying through AI assistants.
Strava
When you connect your Strava account, we access your activity data, including workouts, routes, and performance metrics. OAuth tokens are encrypted and stored securely.
Google Calendar
When you connect your Google Calendar, we access your calendar events to enable AI queries about your schedule. We only access calendar data you explicitly authorize.
For all integrations, we use OAuth 2.0 for secure authorization. We never have access to your passwords for these services.
5. Data Security
We implement appropriate technical and organizational security measures to protect your personal information, including:
- Encryption of data at rest and in transit (TLS/SSL)
- Secure storage of OAuth tokens using industry-standard encryption
- Regular security audits and updates
- Access controls and authentication requirements
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. When you delete your account or disconnect a service:
- Account data is deleted within 30 days of account closure
- Data from disconnected services is deleted within 30 days
- Backup copies may be retained for up to 90 days for disaster recovery purposes
7. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request your data in a machine-readable format
- Withdraw Consent: Disconnect services or delete your account at any time
To exercise any of these rights, please contact us at privacy@onelocus.app.
8. Data Sharing
We do not sell your personal information. We may share your information only in the following circumstances:
- With your consent: When you explicitly authorize sharing (e.g., through MCP connections to AI assistants)
- Service providers: With third-party vendors who assist in operating our Service (e.g., cloud hosting)
- Legal requirements: When required by law or to protect our rights
9. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
10. International Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We ensure appropriate safeguards are in place for such transfers.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- TDD Software LLC
- Email: privacy@onelocus.app