Data Processing Agreement

Last updated: March 5, 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between LoomR ("Processor", "we") and the Merchant ("Controller", "you") and governs the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

1. Scope and Definitions

This DPA applies to all personal data processed by LoomR on behalf of the Controller in connection with the LoomR platform. "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the GDPR.

2. Categories of Data Processed

• Customer personal data: name, email address, phone number
• Task data: task reference, products, amounts, dates
• Video content: personalized video recordings and GIF previews
• Engagement data: email opens, clicks, video views
• Merchant account data: brand name, contact information, billing details

3. Processing Instructions

LoomR processes personal data only as instructed by the Controller and only to the extent necessary to provide the LoomR service. Processing activities include:

• Parsing forwarded emails to extract customer and task data
• Sending WhatsApp prompts to merchants for video recording
• Storing and delivering personalized video messages
• Sending customer notification emails with video links
• Tracking email engagement (opens, clicks) for analytics

4. Sub-Processors

The Controller authorizes the use of the following sub-processors. LoomR will notify the Controller of any changes to this list at least 30 days in advance.

5. Security Measures

LoomR implements the following technical and organizational measures:

• TLS encryption in transit for all API endpoints and data transfers
• Encryption at rest for database storage (Supabase/AWS managed encryption)
• Row Level Security (RLS) policies ensuring tenant data isolation
• Webhook HMAC signature verification for all inbound webhooks
• Structured audit logging for security-relevant actions
• Role-based access control (RBAC) with owner/admin/editor/viewer hierarchy
• Service-role key isolation — browser clients never receive privileged keys

6. Data Subject Rights

LoomR will assist the Controller in responding to data subject requests including:

• Right of access — data export available via account settings
• Right to erasure — account deletion with 90-day grace period, then full purge
• Right to rectification — data correction via settings or support request
• Right to data portability — JSON export of all merchant data

Data subjects (customers) may submit rights requests via our privacy request form or by emailing hello@loomr.ai. We will respond within 30 days.

7. Breach Notification

In the event of a personal data breach, LoomR will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

8. Data Retention and Deletion

• Active accounts: data retained for the duration of the service agreement
• Account deletion: 90-day grace period for data export, then full purge including video assets
• Video content: stored on Cloudinary and deleted upon account termination
• Audit logs: retained for 12 months for security compliance

Deletion Process

Upon account deletion request, the merchant's subscription status changes to "pending_deletion" with a 90-day grace period. During this period, merchants may export their data and cancel the deletion. After 90 days, all merchant data is permanently deleted including database records, Cloudinary video assets, and associated customer data.

9. International Transfers

Where personal data is transferred outside the European Economic Area, LoomR ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) with sub-processors and reliance on adequacy decisions where available.

10. Audit Rights

The Controller may audit LoomR's compliance with this DPA upon reasonable notice. LoomR will cooperate with such audits and provide necessary information to demonstrate compliance.

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, LoomR will delete or return all personal data as described in Section 8, unless retention is required by applicable law.