Trust & Security

Loomaru is built for stores whose legal, security, and procurement teams need to sign off before anything ships. Below are the commitments those teams ask about most — what we do, who handles your data, and what we refuse to.

How we protect your data

  • All transit encrypted with TLS 1.2+; data at rest encrypted with provider-managed keys.
  • No persistent storage of customer identity data — events are processed in transient memory and discarded.
  • Secrets and credentials live in encrypted, access-controlled key stores; never in logs.
  • Principle-of-least-privilege access, audit logging on every data touch, and an incident response runbook.
Read our DPA

Who processes your data

  • Sub-processors are disclosed at category level on /privacy, with each category's purpose, region, and transfer safeguard.
  • All processors operate under written data-processing agreements that match the commitments in our DPA.
  • The named sub-processor list is available to controllers and regulators on written request under confidentiality; material changes are notified with thirty days to object.
See sub-processors

Consent and privacy architecture

  • Do-Not-Track, Global Privacy Control, and platform-level consent signals are honored end-to-end.
  • The recovery layer is consent-aware: events from declined visitors are never forwarded.
  • Merchants control their own consent configuration — we operate under it, we don't override it.

Uptime and incident response

  • 99.9% uptime commitment across every region we serve (documented in Terms §9 Service Level), with continuous external monitoring.
  • Active incidents are communicated directly to affected merchants; material incidents trigger the breach-notification obligations in the DPA.
  • Root-cause notes are shared with affected merchants within 24 hours of resolution.

Data retention and deletion

  • Diagnostic reports auto-expire 90 days from generation — enforced at the database, not just the URL.
  • On cancellation, every encrypted record we hold for the merchant is purged within 24 hours.
  • Operational logs are kept only as long as regulatory obligations require, and never include PII.
Cookie & retention policy

What we refuse to do

  • We don't resell, share, or relicense merchant data — to anyone, ever.
  • We don't train machine-learning models on merchant data.
  • We don't share with unauthorized third parties; the sub-processor register is kept current and any addition is notified in advance.
  • We don't gate the cancellation path — one message refunds and detaches the service within 24 hours.

About

Small, owner-operated.

Loomaru is built and run by a small crew led by Vadim Sharapov. You're talking to the person who wrote the recovery layer — not a support script. Based in Prague, operating under the registered address in §1 of the Terms. Contact: vadim@loomaru.com.

Where the rest of this lives

Procurement and legal questions usually escalate quickly into one of three documents — links below go directly to the relevant section. If you need an answer that isn't covered, write to vadim@loomaru.com.