Legal
Privacy Policy
This policy covers two things: how we handle data on this website (loomaru.com), and how our revenue recovery service processes data on behalf of merchants.
Effective date: April 21, 2026 · Last updated: April 21, 2026
1 Overview
Loomaru is operated by Vadim Sharapov, sole proprietor, based at Zikova 1023, Prague, Czech Republic. As an EU-based provider, we are directly subject to the General Data Protection Regulation (GDPR).
This Privacy Policy covers two distinct contexts:
- This website (loomaru.com) — where we are the data controller for visitor information.
- Our revenue recovery service — where we act as a data processor on behalf of our merchant clients, who are the data controllers.
For full data processing terms governing the revenue recovery service, see our Terms & Conditions, Section 4.
Part A — This Website (loomaru.com)
2 Website (loomaru.com)
When you visit loomaru.com, we act as the data controller for any personal data collected. The legal basis for processing depends on the type of data:
- Analytics and advertising cookies: Consent (GDPR Art. 6(1)(a), ePrivacy Art. 5(3)). These are only activated after you accept tracking via our cookie consent banner.
- Contact form / booking submissions: Legitimate interest (GDPR Art. 6(1)(f)) — you initiate the contact, and we process your information to respond and provide the requested service.
- Strictly necessary cookies: Exempt from consent under ePrivacy Art. 5(3) — these are required for the website to function (e.g., theme preference stored in localStorage).
3 Data We Collect on the Website
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Name, email, company | Booking a call / contact form | Legitimate interest | Until purpose fulfilled + 12 months |
| Website URL (for scan) | Revenue intelligence report | Legitimate interest | 90 days (report expiry) |
| Analytics data | Website usage, performance | Consent | Per third-party retention policy |
| Ad conversion data | Measuring ad effectiveness | Consent | Per third-party retention policy |
| Theme preference | Dark/light mode | Strictly necessary (ePrivacy exempt) | localStorage, no expiry |
4 Third-Party Services (Website)
loomaru.com relies on categories of third-party service providers, described below. The first table lists back-end providers that are not user-facing (hosting, managed data infrastructure, embedded scheduling). The second table lists consent-gated tracking tags that may be placed on your device only after you accept the matching consent category. For the per-cookie detail, see our Cookie Policy, §3.
Category-level disclosure. We disclose back-end providers at category level to protect the operational integrity of the Service. The current named list of sub-processors is available to Controllers and regulators on written request under a confidentiality undertaking, together with each provider's DPA, SCCs, and DPF-adherence reference where applicable.
Back-end providers (category level)
| Category | Purpose | Region | Safeguard |
|---|---|---|---|
| Managed application hosting | Hosting of loomaru.com and the merchant dashboard. | EU & US regions | DPA with EU SCCs and approved framework. |
| Managed data & identity platform | Account database, authentication, consent audit log. | EU region | DPA with EU SCCs. |
| Embedded scheduling provider | Booking a call. Loads only when you navigate to the booking URL. | EU & US regions | DPA with EU SCCs and approved framework. |
Consent-gated tracking tags (listed pending deployment)
None of the tracking tags below are loaded today. They appear here so the disclosure is accurate at the moment each one ships — and each will only ever fire after the matching consent category is granted. Because these tags are served directly by their publishers into your browser, we disclose them by name as required by the ePrivacy Directive.
| Service | Provider | Purpose | Category | Privacy |
|---|---|---|---|---|
| Google Analytics 4 | Google LLC | Website analytics, visitor behavior | Analytics (consent required) | Policy |
| Meta Pixel | Meta Platforms, Inc. | Advertising conversion tracking | Advertising (consent required) | Policy |
| Google Ads | Google LLC | Advertising conversion tracking | Advertising (consent required) | Policy |
Part B — Revenue Recovery Service
6 Revenue Recovery Service
When a merchant subscribes to Loomaru's revenue recovery service, we act as a data processor on behalf of the merchant (the data controller). We process personal data from the merchant's customers solely under the merchant's instructions and for the purpose described in our Data Processing Terms.
If you are a shopper who purchased from one of our merchant clients: the merchant is the controller of your data. Your rights regarding your purchase data should be exercised with the merchant directly, through their privacy policy and contact channels. If you have questions about how Loomaru processed your data on the merchant's behalf, you may also contact us at vadim@loomaru.com.
7 Data Processed by the Service
When a merchant's end-customer completes a purchase, a defined subset of the order record is received from the merchant's Store, reconciled in transient memory, and forwarded to the advertising destinations the merchant has designated. The exact subset is determined per-destination by each destination's published specification and the merchant's configured profile.
7.1 Pseudonymized identity fields
These fields are normalized per the designated destination's specification and then transformed using industry-standard one-way cryptographic hashing before transmission. The original values are never stored or logged.
- Email address
- Phone number (country-aware normalization)
- First name
- Last name
- City
- State / province
- Postal code
- Country code (ISO 3166-1 alpha-2)
7.2 Raw fields (not hashed)
Some destinations' interfaces require these in raw form for event matching. They are not stored or logged by Loomaru.
- Network identifiers (IP address, user agent)
- Referring click identifier — derived from tracking parameters present in the landing URL, used by the destination for attribution.
7.3 Order fields (non-personal)
- Order value and currency
- Product identifiers and quantities
- Order identifier (used for reconciliation)
- Order timestamp
8 How Service Data Flows
The Service receives order data from the merchant's Store, reconciles and pseudonymizes the identity fields in transient memory, and forwards the matched conversion signal to the advertising destinations the merchant has designated. Typical end-to-end processing time is under three seconds. No Customer Data is retained at rest.
What is NOT sent to any destination: raw email, raw phone number, raw name, or raw address. These are always pseudonymized before transmission. Empty or null fields are omitted entirely — never sent as empty hashes.
What is NOT stored by Loomaru: customer identity fields (pseudonymized or raw), network identifiers, order payloads, or destination-specific request bodies. None of this is written to any database, file, queue, cache, or log.
9 Sub-Processors
For the revenue recovery service, Loomaru engages sub-processors from the following category:
| Category | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Managed compute & configuration infrastructure | Transient event processing, configuration storage, non-PII operational telemetry. | Global with EU processing available | DPA with EU SCCs. |
Named list on request. The current named list of sub-processors, their addresses, and their individual DPA / SCC / DPF references are available to Controllers and regulators on written request under a confidentiality undertaking.
Ad Destinations are not sub-processors. Each advertising destination receives data under the merchant's direct controller relationship with that destination. Loomaru forwards data to each destination on the merchant's instruction.
For the loomaru.com website, additional back-end providers are described at category level in Section 4 above.
10 International Transfers
Loomaru is based in the EU (Czech Republic) and is directly subject to GDPR. No Article 27 representative is required.
Website data may be transferred to the United States by the consent-gated tracking providers listed in Section 4, and — for merchants who book a call — by the embedded scheduling provider. All such transfers are covered by a combination of EU Standard Contractual Clauses and approved frameworks (including the EU-US Data Privacy Framework where the counter-party is self-certified). Data stored in our managed data & identity platform remains in the EU region.
Service data is processed at the nearest available compute location of our infrastructure sub-processor, some of which may be outside the EU/EEA. Every such transfer is covered by written sub-processor agreements with EU Standard Contractual Clauses (Module Two and Module Three) and approved framework safeguards. Processing is transient — no Customer Data is stored at any compute location. Any onward transfer to an advertising destination occurs under the merchant's direct relationship with that destination, covered by that destination's published transfer mechanism.
11 Data Retention
| Data | Retention |
|---|---|
| Customer Data (revenue recovery service) | None — transient processing only, typically under 3 seconds. |
| Operational logs (service) | Up to 7 days. Contains no PII — only event types, merchant identifiers, order identifiers, and upstream response codes. |
| Merchant configuration (service) | Duration of service agreement. Deleted upon termination. |
| Website contact / booking data | Until purpose fulfilled, plus 12 months for follow-up. |
| Revenue intelligence reports | 90 days from generation. |
| Consent audit log | 36 months from the consent event, automatically purged by a daily job. The 36-month horizon is three times our 12-month consent validity window — long enough to support a regulator's typical two-year enforcement lookback and any ongoing complaint proceeding, short enough to comply with the Art. 5(1)(e) storage-limitation principle. Stored fields: a cryptographically randomized pseudonymous identifier, a truncated IP prefix (/24 for IPv4, /64 for IPv6), a user-agent family string (browser name + major version + OS family only), the referring site origin (scheme + host only), and a UTC timestamp. Nothing else. |
12 Your Rights
12.1 EU / EEA / UK Residents
Under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data
- Restriction — request that we limit processing
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting the lawfulness of prior processing
You also have the right to lodge a complaint with your supervisory authority. For the Czech Republic, this is the Office for Personal Data Protection (UOOU).
12.2 California Residents (CCPA/CPRA)
Under the CCPA/CPRA, California residents have the right to:
- Know — request what personal information we collect, use, and disclose
- Delete — request deletion of personal information
- Correct — request correction of inaccurate personal information
- Opt out — of the sale or sharing of personal information
- Non-discrimination — we will not discriminate against you for exercising your rights
We do not sell or share personal information as defined by the CCPA. The analytics and advertising services on this website are consent-gated and do not fire until you accept tracking.
12.3 Shoppers of Our Merchant Clients
If you purchased from a store that uses Loomaru's revenue recovery service: the merchant is the data controller for your purchase data. Please exercise your rights with the merchant directly. If you contact us, we will direct you to the appropriate merchant and, where possible, assist the merchant in responding to your request.
Note that Loomaru does not store your purchase data — processing is transient. We cannot retrieve, modify, or delete data that we do not retain.
12.4 How to Exercise Your Rights
Contact us at vadim@loomaru.com with your request. We will respond within 30 days (GDPR) or 45 days (CCPA). We may ask for verification of your identity before processing the request.
13 Children
Loomaru's website and service are not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us immediately at vadim@loomaru.com and we will delete it promptly.
14 Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via email (for merchant clients) or a notice on this page. The "Last updated" date at the top reflects the most recent revision.
For changes affecting the Data Processing Terms, we will provide at least 30 days' notice before the changes take effect, giving merchants the opportunity to review and, if necessary, terminate the service.
California residents
California's Consumer Privacy Act (CCPA, as amended by the CPRA) grants you specific rights and disclosures beyond what is covered above. See our California Privacy Notice for the full California-specific disclosure pack.
15 Contact
Loomaru
Vadim Sharapov, sole proprietor
Zikova 1023, Prague, Czech Republic
Privacy & legal inquiries: vadim@loomaru.com
Supervisory authority: Office for Personal Data Protection (UOOU), Czech Republic