Privacy Policy
Last updated: June 2026
Loomin ("we", "us", "our") is a company registered in Ireland and is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
1. Who we are (Data Controller)
The data controller is [YOUR_FULL_NAME], a sole trader registered in Ireland, trading as Loomin, with principal place of business at [YOUR_ADDRESS].
We have not appointed a Data Protection Officer as we do not meet the thresholds requiring one under Article 37 GDPR. For privacy-related enquiries, contact us at privacy@loomin.pro.
2. What data we collect
| Data | Purpose |
| --- | --- |
| Email address | Account creation and login |
| Full name (optional) | Display in the app |
| Brand and industry details | Personalising AI-generated content |
| Writing samples you upload | Training your brand voice profile |
| Content you generate | Saving drafts and scheduling |
| Usage events (action type, credit cost) | Enforcing credit limits and rate limits |
| Billing details (via Stripe) | Processing subscription payments |
| IP address and browser data | Security, fraud prevention, and session management |
3. Lawful basis for processing
We process your data on the following legal bases:
- Contract (Art. 6(1)(b)) — account creation, AI content generation, draft storage, scheduling, and subscription management.
- Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud and abuse prevention, rate limiting, and enforcing credit quotas. Our legitimate interest is protecting the integrity of the platform and other users. We have assessed that these interests are not overridden by your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — retaining billing and tax records as required by Irish and EU law.
- Consent (Art. 6(1)(a)) — optional marketing communications. You can withdraw consent at any time by clicking "Unsubscribe" in any email or emailing us.
4. How we use your data
- To create and manage your account
- To generate AI content using your brand voice and knowledge
- To process payments and manage your subscription
- To send transactional emails (account confirmation, password reset)
- To enforce credit limits and rate limits
- To detect and prevent abuse or fraud
- To comply with legal obligations
We do not use your content or writing samples to train AI models, sell data to third parties, or serve advertising.
5. Third-party processors
We have Data Processing Agreements (DPAs) in place with each sub-processor below. We share only the minimum data necessary for each service.
| Processor (location) | Service and data shared |
| --- | --- |
| Supabase (US) | Database, authentication, and file storage. Data is stored in AWS us-east-1. |
| Anthropic (US) | AI content generation. Your brand data and prompts are sent to Anthropic's API. Anthropic does not use API data to train models (confirmed in their usage policy and DPA). |
| Stripe (US/IE) | Payment processing. Card details are held by Stripe; we never see or store them. |
| Pexels (US) | Stock photo search — your search query is sent. No personal data beyond the query. |
| Replicate (US) | AI image generation (Pro/Enterprise only) — your prompt is sent. |
All transfers to the US are covered by the EU–US Data Privacy Framework where applicable, or by Standard Contractual Clauses (SCCs) as a fallback.
6. Data retention
We retain your account data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal or tax purposes (typically up to 7 years for billing records).
7. Cookies
We use strictly necessary cookies for authentication (session management via Supabase). We do not use advertising or tracking cookies. See our Cookie Policy for details.
8. Your rights (GDPR)
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — ask us to limit how we process your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, where processing is based on consent
To exercise any right, email privacy@loomin.pro. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Commission (Ireland) at dataprotection.ie.
9. Automated decision-making
Some aspects of the Service involve automated processing that produces effects on your account:
- Credit enforcement — when your credit balance reaches zero, AI generation is automatically blocked until credits reset.
- Rate limiting — more than 10 actions per minute triggers an automatic 60-second cooldown to prevent abuse.
- Trial expiry — access is automatically restricted when your 7-day trial ends without a paid subscription.
These are operational controls, not decisions based on profiling. You have the right to request human review of any decision that materially affects you by contacting privacy@loomin.pro.
10. Security and data breaches
We use industry-standard measures to protect your data: encryption in transit (TLS), encryption at rest (AES-256 via Supabase), row-level security on all database tables, and strict access controls. Only authorised systems can access user data.
In the event of a personal data breach, we will notify the Data Protection Commission within 72 hours where required by GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Article 34).
11. Changes to this policy
We may update this policy as the Service evolves. We will notify you of material changes by email at least 14 days before they take effect.
12. Contact
Privacy questions or data requests: privacy@loomin.pro