Last updated: April 19, 2026
Omoi (the "App", and its operator the "Operator") is a photo and video storage service. This policy explains how the App handles personal information.
Your memory data is stored in Amazon Web Services (AWS) Tokyo region (ap-northeast-1).
The Operator does not disclose personal information to third parties except in the following cases:
After a subscription is cancelled, the Operator will, in accordance with Section 7 of the Terms of Service, send one email containing the URL of the receipt page to your registered email address. This email is sent through Amazon Simple Email Service (SES) from the mail.omoiapp.com domain.
You have the following rights regarding the personal information we hold about you through the App:
To exercise these rights, please use the contact form. Account deletion can also be performed directly from the App via Settings → Delete Account.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and / or the UK GDPR applies to our processing of your personal information.
Controller: the Operator of Omoi, based in Japan. Contact through the contact form.
Legal bases for processing (per GDPR Article 6):
Cross-border transfers: your personal information is stored in AWS Tokyo, Japan (Section 3). Japan has been recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision of 23 January 2019), which is the legal mechanism for transfer. UK transfers rely on the UK adequacy regulations for Japan.
Your additional GDPR rights (in addition to those in Section 7): you have the right to lodge a complaint with your local supervisory authority. EU/EEA contact details are available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.
Retention: see Section 6 for memory data retention. Account-level information (Apple ID identifier, optional email) is retained while your account is active and deleted promptly upon account deletion request.
What is sent to AWS Tokyo: photos and videos you choose to entrust, their metadata (filename, capture date, dimensions, file size), and Apple ID identifier hash for ownership association. Email address (if you provided one) is stored separately and used only for post-cancellation receipt page delivery (Section 5).
Data Protection Officer (DPO): the Operator has not appointed a DPO under GDPR Article 37. Our processing does not involve regular and systematic monitoring of data subjects on a large scale, nor large-scale processing of special category data, so a DPO is not legally required at our current scope. The Operator handles all privacy inquiries directly via the contact form.
Children's data (Article 8): the App is not directed at children. Where the App is offered as an "information society service" to children, the consent of the holder of parental responsibility is required for users below the age of digital consent in their member state (typically 13–16 years). If you become aware that a child has provided personal information without parental consent, please contact us so we can delete the account and data.
Automated decision-making (Article 22): the Operator does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. Subscription quota enforcement (storage cap, monthly restore count) is mechanical contract enforcement, not personal evaluation.
EU representative (Article 27): the Operator currently does not have an EU representative. We are evaluating this requirement as user numbers grow; this section will be updated when an EU representative is appointed.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides additional rights.
Categories of personal information collected (in the prior 12 months):
| Category | Collected |
|---|---|
| Identifiers (Apple ID, email if provided) | Yes |
| Internet / app usage data (storage stats, restore counts) | Yes |
| Customer records (subscription plan, transaction IDs) | Yes |
| Visual / audiovisual data (photos and videos you entrust) | Yes — only what you choose to upload |
| Geolocation, biometric, sensory, professional, education, inferences | No |
| Sensitive personal information (per CCPA) | No |
Sources: directly from you (Sign in with Apple, photos you choose to entrust) and from your use of the App.
Business purposes: providing the service, account management, subscription verification, security, debugging, post-cancellation delivery (Sections 1–6).
Sale or sharing: the Operator does not sell or share your personal information for cross-context behavioral advertising. We do not provide a "Do Not Sell or Share My Personal Information" link because there is nothing to opt out of.
Sensitive personal information (CPRA): the Operator does not knowingly collect any of the following CPRA-defined sensitive personal information: government-issued identifiers (SSN, driver's license, passport), account login + password, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail / email / text messages (other than to the addressee — irrelevant for our service), genetic data, biometric identifiers, health information, sex life or sexual orientation. Photos and videos you choose to entrust may incidentally contain sensitive information depending on what you photograph; we treat all entrusted media as your own data and do not analyze its content.
Retention by category:
| Category | Retention period |
|---|---|
| Identifiers (Apple ID, email) | While account is active; deleted on account deletion request |
| Internet / app usage data | While account is active; deleted on account deletion request |
| Customer records (subscription, transaction IDs) | While account is active; deleted on account deletion request (some Apple-side retention may apply per Apple's terms) |
| Visual / audiovisual data (entrusted photos and videos) | See Section 6: while subscribed → 180 days post-cancellation → 30-day download window |
Service providers and contractors (not "sale" or "share"): the Operator discloses personal information only to service providers and contractors necessary for service delivery (AWS for storage, Apple Inc. for subscription processing, Amazon SES for email). These disclosures are governed by contracts that prohibit using the data for any purpose other than providing services to the Operator, and are exempt from the CCPA's "sale" or "share" definitions.
Minors under 16: CCPA prohibits the sale or sharing of personal information of consumers between ages 13 and 16 without their affirmative authorization, and minors under 13 require parental consent. The Operator does not sell or share personal information of any user, so this opt-in is not applicable.
Your CCPA rights (in addition to those in Section 7):
To submit a verifiable consumer request, please use the contact form. We will verify your identity through your Apple ID-based account; we do not require additional documentation. We will respond within 45 days, with a possible 45-day extension if needed (we'll notify you).
Authorized agents: you may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you, and we may verify your identity directly with you.
"Shine the Light" (California Civil Code §1798.83): California residents may request a notice describing categories of personal information we shared with third parties for direct marketing purposes. As stated above, we do not share personal information for direct marketing.
This policy may be revised as needed. Material changes will be announced inside the App.
For privacy inquiries, please use the contact form.