Privacy Policy
Effective Date: May 15, 2026
1. Introduction
Loom Technology, LLC, a Delaware Company ("Loom," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit loom.technology, submit a consultation request or newsletter subscription, apply for a role at Loom, or engage with our AI advisory and consultancy services.
Our core commitment: no data sharing
Loom does not sell, rent, or lease your personal information to third parties. We do not share your data for marketing purposes, and we do not "share" personal information for cross-context behavioural advertising as defined under California law. This is our foundational privacy commitment.
2. Information we collect
2.1. Information you provide directly
- Consultation requests (/consult): name, work email, company, company size, optional phone number, services of interest, and the description of what you are trying to do.
- Newsletter subscriptions (/newsletter): email address.
- Job applications (when you apply for a role on /careers): name, email, optional phone and LinkedIn URL, cover letter, and the resume PDF you upload.
- Engagement data: any data you share with us during the course of an advisory or implementation engagement, governed by the engagement contract and our Data Processing Agreement.
2.2. Information collected automatically
- Bot-mitigation signals: when you submit a form, Cloudflare Turnstile evaluates whether the request is automated. Turnstile uses a small set of cookies and behavioural signals strictly for that purpose.
- Server logs: each form submission is logged on our submission Worker with the truncated IP prefix (e.g., the first three octets of an IPv4 address), the form type, the outcome (accepted or rejected with reason), and a timestamp. Raw email addresses, names, and message bodies are not written to logs.
- Cookies: see §6.
3. Purposes and legal bases for processing
We process your personal data for the following purposes, on the following legal bases:
- Responding to your inquiry (consultation, newsletter) — legal basis: consent and legitimate interest.
- Evaluating your job application — legal basis: steps necessary prior to entering an employment contract, and your consent.
- Performing an engagement — legal basis: contract performance.
- Site security and bot mitigation — legal basis: legitimate interest.
- Legal and accounting obligations — legal basis: legal obligation.
4. Retention
- Newsletter subscriptions: indefinitely until you unsubscribe. Unsubscribe requests are honoured within 30 days.
- Consultation requests: 24 months from receipt, after which the record is deleted unless an engagement has begun.
- Job applications and resumes: 12 months after the position is filled, after which the record is deleted unless you opt in to further consideration. Resumes are stored encrypted in Cloudflare R2 with access restricted to Loom recruiters using multi-factor authentication.
- Server logs: rolling 90 days unless extended for an active security investigation.
5. Sub-processors
We use the following third-party processors to operate this site and our submission pipeline. Each sub-processor is bound by a data-processing agreement that restricts use of personal data to the services they provide us.
| Sub-processor | Purpose | Data categories |
|---|---|---|
| Cloudflare, Inc. | Static hosting (Pages), object storage (R2), serverless compute (Workers), bot mitigation (Turnstile), DNS, edge CDN | All form data; resume PDFs; static assets; truncated IP prefixes |
| Google LLC (Google Fonts) | Web font delivery via CDN | Visitor IP (incidental to the CDN request) |
We will provide at least 30 days' advance notice on this page before adding a new sub-processor. Active engagement clients are also notified by email per the engagement DPA.
6. Cookies
Loom uses a small number of cookies, organised into categories:
- Strictly necessary: required for the site to function — bot-mitigation cookies from Cloudflare Turnstile on form pages. Cannot be turned off; without them the forms will not accept submissions.
- Preferences: optional cookies that remember non-essential choices (e.g., theme). Currently none are set, but the category exists in the consent banner so that future preferences can be opt-in.
- Analytics: optional cookies for measuring site usage. Currently none are set. If we add an analytics tool, it will be disclosed here and gated behind your consent.
- Marketing: none. Loom does not run marketing cookies and will not start.
For visitors from the EU, EEA, UK, and California, a consent banner appears on first visit allowing you to accept or decline non-essential cookies. You can change your choice at any time using the "Cookie Settings" link in the page footer.
7. Your rights
Depending on your location, you may have the rights listed below. To exercise any of them, contact privacy@loom.technology. We will verify your identity and respond within the timeframe required by the applicable law (generally 30–45 days).
7.1. California (CCPA / CPRA)
- Right to know what personal information we have collected, the sources, purposes, and recipients.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do not sell or share — see §1, but the right is preserved).
- Right to limit use of sensitive personal information (we do not collect sensitive personal information as defined under CPRA).
- Right to non-discrimination for exercising any of these rights.
7.2. Virginia, Colorado, Connecticut, Utah, Texas, and other US states
Similar rights to those above apply under the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and the Texas Data Privacy and Security Act. We honour all of them.
7.3. European Economic Area, United Kingdom (GDPR / UK GDPR)
When we are the controller of your data, you have the rights of access, rectification, erasure, restriction, portability, and objection. You may also lodge a complaint with your local data protection authority.
8. Security
We use administrative, technical, and physical security measures to protect your personal information, including TLS in transit, encryption at rest in Cloudflare R2, MFA on all administrative accounts, and least-privilege access controls. No system is perfectly secure; we do not guarantee that personal information will never be compromised.
9. International transfers
Loom operates from the United States. If you submit personal data from outside the US, it will be transferred to and processed in the US. Where required (e.g., transfers from the EEA/UK), we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
10. Children's privacy
The site is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us and we will delete it.
11. Changes to this Policy
We will post any changes here and update the Effective Date. Material changes (e.g., a new sub-processor, a new category of data collection) will be announced with at least 30 days' notice.
12. Contact
Privacy questions: privacy@loom.technology
Accessibility issues: accessibility@loom.technology
Copyright notices (DMCA): see our DMCA page.