Security & Trust

Everything your IT team needs to know

Overview

Loamly offers two deployment modes: a managed proxy for 100% AI traffic verification, and a JavaScript tracker for website analytics. This page covers data handling for both.

TL;DR: We never store IP addresses, request bodies, or response content. The managed proxy only logs AI bot visits. The JavaScript tracker logs all pageviews for analytics.

How it works

When you point your domain's DNS to Loamly:

User Request → Your Domain (A: 37.16.7.18)
    → Loamly Proxy (Frankfurt, EU)
    → SSL Termination (Let's Encrypt)
    → RFC 9421 Signature Verification
    → Forward to Your Origin (unchanged)
    → Response back to User

What happens at each step

| Step | What happens | Data accessed |
| --- | --- | --- |
| SSL Termination | Caddy provisions and renews Let's Encrypt certificates automatically | Domain name only |
| Signature Check | We inspect HTTP headers for RFC 9421 signatures from AI bots (ChatGPT, Perplexity, etc.) | Headers only |
| Verification | Cryptographic verification using embedded public keys (JWKS) | Signature headers |
| Forward | Request forwarded to your origin server unchanged | Pass-through |
| Logging | If AI bot detected, we log: URL, timestamp, bot type, verification result | Metadata only |

Pass-through architecture

We never buffer, cache, or modify your request bodies or response content. Every byte passes through unchanged.

Data handling

What we collect

Managed Proxy (Edge Worker)

AI bot requests only. Human traffic passes through unlogged.

  • Landing page URL
  • Timestamp
  • AI bot type (ChatGPT, Perplexity, Claude, Gemini)
  • Verification result (signature valid/invalid)
  • Country (derived from IP, IP discarded)
  • User-Agent header

JavaScript Tracker (t.js)

All pageviews — both human and AI traffic, for analytics.

  • Page URL, referrer, UTM parameters
  • Timestamp, session duration
  • Country (derived from IP, IP discarded)
  • Device type, browser (from User-Agent)
  • AI source classification (ChatGPT, Claude, etc.)

Data retention

  • Free tier: 90 days
  • Grow tier: Forever (no deletion — your data stays as long as you're a customer)

What we don't collect

  • No IP addresses stored — Hashed for deduplication, then discarded
  • No request bodies — Form submissions, API payloads pass through unread
  • No response bodies — HTML, JSON, images not cached or logged
  • No cookies — Uses sessionStorage, not cookies
  • No PII — No names, emails, or personal data collected

Privacy by design

Both deployment modes are GDPR compliant. No consent banner required for basic analytics.

Open source

Loamly is fully open source under the MIT license:

RFC 9421 verification uses Ed25519 cryptographic signatures. We verify against OpenAI's public keys (JWKS). Zero false positives.
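
A minimal sketch of the header-only check described above, added here as an illustration and not taken from Loamly's code: it rebuilds the RFC 9421 signature base and verifies an Ed25519 signature against a key from a JWKS. The key pair, the key id `demo-key-1`, the sample request and the result strings are constructed for the example.

```javascript
const crypto = require('node:crypto');

// Rebuild the RFC 9421 signature base: one line per covered component, then
// the "@signature-params" line, joined with "\n" and no trailing newline.
function signatureBase(req, components, params) {
  const lines = components.map((id) => {
    const value = id === '@method' ? req.method
      : id === '@authority' ? req.headers.host.toLowerCase()
      : id === '@path' ? req.path
      : req.headers[id];
    if (value === undefined) throw new Error(`missing component ${id}`);
    return `"${id}": ${value}`;
  });
  return [...lines, `"@signature-params": ${params}`].join('\n');
}

// Returns 'verified' or the reason for rejection. Simplified parser: one
// signature label, no component parameters (assumptions of this sketch).
function verifyRequest(req, jwks, now = Math.floor(Date.now() / 1000)) {
  const input = /^(\w+)=(\(([^)]*)\)(.*))$/.exec(req.headers['signature-input'] || '');
  const sig = /^(\w+)=:([A-Za-z0-9+\/=]+):$/.exec(req.headers.signature || '');
  if (!input || !sig || input[1] !== sig[1]) return 'unsigned';
  const [, , params, inner, tail] = input;
  const components = inner.split(' ').filter(Boolean).map((c) => c.replace(/"/g, ''));
  const keyid = (/;keyid="([^"]+)"/.exec(tail) || [])[1];
  const expires = Number((/;expires=(\d+)/.exec(tail) || [])[1]);
  const jwk = jwks.keys.find((k) => k.kid === keyid && k.kty === 'OKP' && k.crv === 'Ed25519');
  if (!jwk) return 'unknown-key';
  if (!expires || expires < now) return 'expired'; // a missing expiry is rejected too
  let base;
  try { base = signatureBase(req, components, params); } catch { return 'invalid'; }
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify(null, Buffer.from(base), key, Buffer.from(sig[2], 'base64'));
  return ok ? 'verified' : 'invalid';
}

// Constructed demo data: a throwaway key pair stands in for the bot operator's key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] };
  const params = '("@method" "@authority" "@path");created=1700000000;expires=1700000300;keyid="demo-key-1"';
  const req = { method: 'GET', path: '/pricing',
    headers: { host: 'example.com', 'signature-input': `sig1=${params}` } };
  const base = signatureBase(req, ['@method', '@authority', '@path'], params);
  req.headers.signature = `sig1=:${crypto.sign(null, Buffer.from(base), privateKey).toString('base64')}:`;
  const spoofed = { ...req, path: '/admin' }; // captured headers replayed on another path
  return { jwks, req, spoofed };
}
```

A production verifier would also require a minimum set of covered components (at least `@authority`) and reject `created` values in the future, so that a valid signature cannot be reused against a different site or time window.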

Instant rollback

Removing Loamly takes 30 seconds. Just change your DNS record back to your original server:

# To remove Loamly:
# Change your A record from:
example.com  A  37.16.7.18

# Back to your origin:
example.com  A  [your-original-ip]

# Or CNAME to your host:
example.com  CNAME  your-site.vercel.app

DNS propagation typically takes 5-30 minutes. There's no lock-in, no migration process, no data to export.

Compliance

| Standard | Status |
| --- | --- |
| GDPR | ✅ Compliant — EU data residency (Frankfurt), no PII stored |
| CCPA | ✅ Compliant — No personal information sold or shared |
| SOC 2 | Not yet — Happy to answer security questionnaires |
| HIPAA | N/A — We don't handle health data |

Infrastructure

  • Proxy: Fly.io (Frankfurt, Germany)
  • Database: Supabase (Zurich, Switzerland)
  • SSL: Let's Encrypt (auto-renewed)

FAQ

Can you see my customer data?

No. Request and response bodies pass through without being read or stored. We only inspect HTTP headers for AI bot signatures.

Can you modify my website content?

No. We're a transparent proxy. Your HTML, CSS, JavaScript, and API responses are forwarded byte-for-byte unchanged.

What if Loamly goes down?

Our proxy runs on Fly.io with automatic failover. In the unlikely event of an outage, you can point your DNS back to your origin within minutes. We target 99.9% uptime.

Do you cache my content?

No. We don't cache anything. Every request goes directly to your origin. Your origin's caching headers are passed through unchanged.

Can I self-host the proxy?

Yes. Contact us for the self-hosted deployment guide if you require on-premise infrastructure. The verification logic is already open source.

How do I verify you're not logging everything?

Our verification code is open source. For enterprise customers, we offer audit logs and can provide infrastructure access for security reviews.

Questions?

Email hello@loamly.ai for security questionnaires, DPA requests, or technical questions.