Privacy Policy

Introduction

Loom Security, Inc. is the data controller responsible for your personal information collected through this Website. Our principal place of business is in the United States, and we are incorporated under the laws of the State of Delaware.

This Privacy Policy applies to information collected through this Website only. It does not apply to information collected through our CINQUE product or platform — which is governed by the data processing agreements and privacy terms between Loom Security and its enterprise customers.

By using our Website, you consent to the data practices described in this policy. If you are accessing our Website on behalf of a company or other legal entity, you represent that you have the authority to bind that entity to this policy.

Information We Collect

We collect information in two ways: information you provide to us directly, and information collected automatically when you use our Website.

Information you provide directly

When you interact with our Website — for example, by submitting a contact form, requesting a demo, or signing up for our newsletter — you may provide us with:

• Name (first and last)
• Business email address
• Job title and company name
• Your role or function within your organization
• Information about your security challenges or interests you choose to share

Information collected automatically

When you visit our Website, certain information is collected automatically by our servers and analytics tools, including:

• IP address and approximate geographic location (country and city level)
• Browser type, version, and operating system
• Pages viewed, time spent on pages, and navigation paths
• Referring URLs (the page you came from before visiting ours)
• Device type and screen resolution
• Date and time of your visit

Information from third parties

We may receive information about you from third-party sources, such as business data providers, analytics partners, or publicly available sources, which we may combine with information we collect directly from you.

How We Use Your Information

We use the information we collect for the following purposes:

• Responding to your inquiries — to follow up on demo requests, contact forms, and general questions
• Sending marketing communications — with your consent, to share blog posts, product updates, event invitations, and other content we believe may be relevant to you
• Improving our Website — to understand how visitors use our Website so we can improve content, navigation, and overall experience
• Analytics and research — to analyze Website traffic and usage patterns in aggregate or de-identified form
• Security and fraud prevention — to protect the integrity of our Website and prevent unauthorized access or abuse
• Legal compliance — to comply with applicable laws, regulations, legal processes, or enforceable governmental requests
• Business communications — to send transactional or administrative messages such as changes to our policies or service announcements

We will not use your personal information for purposes materially different from those described in this policy without first providing you notice and, where required by law, obtaining your consent.

Legal Basis for Processing

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Consent — for marketing emails and non-essential cookies. You may withdraw consent at any time.
• Legitimate interests — for analytics, fraud prevention, and improving our Website, where our interests do not override your rights and freedoms.
• Performance of a contract — when processing is necessary to respond to a demo request or fulfill a contractual obligation.
• Legal obligation — where we are required by applicable law to process your data.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies (such as web beacons and pixels) to collect information about your browsing activity on our Website.

Types of cookies we use

• Strictly necessary cookies — required for the Website to function and cannot be switched off. They do not store personally identifiable information.
• Analytics cookies — help us understand how visitors interact with the Website, which pages are most popular, and where visitors come from. We use tools such as Google Analytics for this purpose.
• Marketing cookies — used to track visitors across websites and display relevant advertisements. These are only set with your consent.
• Preference cookies — allow the Website to remember choices you make (such as language preferences) to provide a more personalized experience.

Managing cookies

Most web browsers allow you to control cookies through your browser settings. You can choose to refuse all cookies, accept only certain types, or delete cookies that have already been set. Please be aware that disabling certain cookies may affect the functionality of our Website.

For information on how to manage cookies in specific browsers, please visit the browser developer's website. You may also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

Sharing Your Information

We do not sell, trade, or rent your personal information to third parties for their own marketing purposes. We may share your information in the following limited circumstances:

Service providers

We share information with third-party vendors and service providers who perform services on our behalf, such as:

• Email delivery and marketing automation platforms
• Website analytics providers
• Customer relationship management (CRM) software
• Cloud hosting and infrastructure providers

These service providers are contractually bound to use your information only as directed by us and in accordance with this Privacy Policy.

Business transfers

If Loom Security, Inc. is involved in a merger, acquisition, asset sale, or similar transaction, your personal information may be transferred as a business asset. We will notify you via email or prominent notice on our Website before your information becomes subject to a materially different privacy policy.

Legal requirements

We may disclose your information where required to do so by law or in response to valid legal process, such as a court order, subpoena, or government request. We may also disclose information when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Specifically:

• Contact and inquiry data is retained for up to 3 years following your last interaction with us, unless you request deletion sooner
• Marketing consent records are retained for as long as you remain subscribed, plus 3 years to demonstrate compliance
• Website analytics data is retained in aggregate or de-identified form for up to 26 months

When we no longer need personal information, we securely delete or anonymize it in accordance with our data retention schedules.

Data Security

We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

• Encryption of data in transit using TLS (Transport Layer Security)
• Access controls limiting who within our organization can access personal data
• Regular review of our data collection, storage, and processing practices
• Vendor security assessments for third-party service providers who process personal data

Your Rights & Choices

Depending on your location, you may have certain rights with respect to your personal information:

Rights available to all users

• Opt out of marketing — you may unsubscribe from our marketing emails at any time by clicking the "unsubscribe" link at the bottom of any email, or by contacting us directly
• Cookie preferences — you may control non-essential cookies through your browser settings
• Contact us — you may contact us at any time with questions about how we handle your data

Rights for EEA, UK, and Swiss residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights:

• Right of access — to request a copy of the personal data we hold about you
• Right to rectification — to request correction of inaccurate or incomplete personal data
• Right to erasure ("right to be forgotten") — to request deletion of your personal data in certain circumstances
• Right to restriction — to request that we restrict processing of your personal data in certain circumstances
• Right to data portability — to receive your personal data in a structured, machine-readable format
• Right to object — to object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent — where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing

California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

• Right to know — you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we shared it.
• Right to delete — you have the right to request deletion of personal information we have collected, subject to certain exceptions.
• Right to opt out of sale or sharing — we do not sell or share personal information as defined under California law. If this practice changes, we will update this policy and provide an opt-out mechanism.
• Right to correct — you have the right to request correction of inaccurate personal information.
• Right to non-discrimination — we will not discriminate against you for exercising your California privacy rights.

To submit a California privacy request, contact us at info@loomsecurity.io with "California Privacy Request" in the subject line. We will respond within 45 days as required by California law.

International Data Transfers

Loom Security, Inc. is based in the United States. If you are accessing our Website from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards as recognized under applicable law, including Standard Contractual Clauses (SCCs) approved by the European Commission where applicable.

By using our Website, you consent to the transfer of your information to the United States. If you do not consent to this transfer, please do not use our Website.

Third-Party Links

Our Website may contain links to third-party websites, including social media platforms, partner pages, and reference materials. This Privacy Policy does not apply to those external sites, and we are not responsible for their content or privacy practices.

We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link to a third-party website does not constitute an endorsement of that site or its privacy practices.

Children's Privacy

Our Website is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child under 16, please contact us immediately at info@loomsecurity.io and we will take prompt steps to delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our Website.

We encourage you to review this page periodically. Your continued use of the Website after changes are posted constitutes your acceptance of the revised policy. If you do not agree with a change, you should stop using the Website and may contact us to request deletion of your data.

Contact Us

Loom Security, Inc. is the data controller for personal information collected through this Website. If you have questions, concerns, or requests related to this Privacy Policy or the handling of your personal data, please contact us:

• All inquiries: info@loomsecurity.io

We aim to respond to all privacy-related requests within 30 days. For requests under GDPR, we will respond within the statutory timeframe. For California residents, we will respond within 45 days.