← paumeapp.com

privacy policy

last updated: april 29, 2026

paume ("we", "us", "our") operates the paume mobile application. this policy explains what data we collect, how we use it, and your rights. we wrote it in plain language because you shouldn't need a law degree to understand your privacy.

the short version: your palm photo goes to openai for analysis, then everything lives on your phone. we don't have a database of your data. we don't sell anything. delete the app and it's all gone.

information we collect

paume collects the minimum information needed to give you a reading:

• palm photographs. when you scan your palm, the photo is sent to openai's API for analysis. we do not store your palm photo on our servers — our server is stateless and discards the image immediately after forwarding it. the photo and your reading are stored only on your device.
• apple ID identifier. if you sign in with apple (required for subscriptions and compatibility readings), we receive an anonymous, app-specific identifier. we do not receive your real name, email address, or other apple account details unless you choose to share them.
• local weather data. paume uses apple's weatherkit to get your local weather conditions for daily insights. this uses your device's approximate location. we do not store, transmit, or log your location — it stays on your device.
• email address. only if you voluntarily sign up through our website. used solely to notify you about launches and updates. unsubscribe anytime.

how we use your information

• to generate your personalized palm reading via AI analysis
• to create line diagrams showing your palm lines highlighted on your hand
• to provide daily insights connected to your reading and local conditions
• to process subscription payments through apple
• to enable compatibility readings between two users

we do not use your data for advertising, profiling, or any purpose beyond providing the paume service to you.

AI processing & openai

your palm photo is sent to openai's API through our cloudflare worker proxy. here's exactly what happens:

• our cloudflare worker receives your photo, adds our API key, and forwards it to openai. the worker is stateless — it does not store, log, or cache your image.
• openai processes the image and returns a text analysis + generated diagram images.
• openai does not use API inputs to train their models.
• openai may retain API inputs for up to 30 days for abuse monitoring and safety purposes, after which they are automatically deleted.
• the analysis and images are returned to your device and stored locally.

for details on openai's data handling: openai privacy policy.

palm photos & biometric data

some jurisdictions classify palm prints as biometric data. we want to be clear about how we handle this:

• paume analyzes your palm lines for entertainment and self-reflection only — not for identification, authentication, or matching purposes.
• we do not use palm photos to identify you, verify your identity, or compare your palm against any database.
• we do not build or maintain a biometric template or identifier from your palm.
• your palm photo is stored on your device only and is never used for any purpose beyond generating your reading.

data storage

all your personal data — palm photo, reading results, line diagrams, daily insights, and preferences — is stored on your device using apple's swiftdata framework. we do not operate a user database or server-side storage. your data never leaves your phone except during the AI processing step described above.

third-party services

• openai — processes palm photos and generates readings and images. privacy policy
• apple (storekit) — processes subscription payments. privacy policy
• apple (weatherkit) — provides weather data for daily insights. no personal data is shared.
• cloudflare workers — routes API requests. stateless, no data stored. privacy policy

we do not use any analytics SDKs, crash reporting tools, advertising networks, or tracking services.

what we do NOT collect

• we do not collect your precise location (weather uses approximate location on-device)
• we do not access your contacts, calendar, or phone data
• we do not use analytics, tracking pixels, or device fingerprinting
• we do not serve ads or work with advertising networks
• we do not sell, rent, or share your personal information with anyone
• we do not use cookies (paume is a native app, not a website)

push notifications

paume can send you daily insight notifications and weekly card alerts. these are local notifications generated on your device — not sent from our servers. we ask for notification permission after your first reading, never before. you can change your preference anytime in iOS settings or within the paume app.

children's privacy

paume is rated 12+ on the app store and is not directed at children under 13. we do not knowingly collect personal information from children under 13. if you are a parent or guardian and believe your child under 13 has used paume, please contact us. since all data is stored on-device, deleting the app removes all data.

your rights — for everyone

• access your data: all your data is already on your device. open the app to see it.
• delete your data: delete the app to delete everything. or use "delete account & data" in settings to clear data without removing the app.
• email list: unsubscribe from any email, or contact us to be removed.

your rights — EU residents (GDPR)

if you're in the european union, you have additional rights under GDPR:

• right of access: request a copy of your data — since it's all on your device, you already have it.
• right to rectification: your reading is generated from your palm; re-scan for updated results.
• right to erasure: delete the app or use "delete account & data" in settings.
• right to data portability: your reading data is stored locally on your device and can be shared via the app's share features.
• right to object: you can stop using the service at any time. we don't process data for marketing or profiling.
• lawful basis: we process your palm photo based on your consent (you initiate the scan). you can withdraw consent by not using the scan feature.

our data processor (openai) maintains standard contractual clauses for EU data transfers. contact us at info@paumeapp.com for any GDPR-related requests.

your rights — California residents (CCPA)

if you're in california, the CCPA gives you specific rights:

• right to know: this policy describes all data we collect and how we use it.
• right to delete: delete the app to delete all data. contact us for email list removal.
• right to opt-out of sale: we do not sell your personal information. ever.
• right to non-discrimination: we don't treat you differently for exercising your rights.

data retention

• on your device: data is retained until you delete the app or clear it in settings. you control this completely.
• openai: may retain API inputs for up to 30 days for safety monitoring, then auto-deletes.
• our servers: we retain nothing. the cloudflare worker is stateless.
• email list: retained until you unsubscribe or request removal.

changes to this policy

if we make meaningful changes, we'll update this page and the "last updated" date. for significant changes (like new data collection), we'll notify you through the app.

contact us

questions, concerns, or data requests? reach us at info@paumeapp.com.

paume labs llc
info@paumeapp.com