Privacy Regulations Reference

Last updated: 2021-11-03

The data privacy regulatory landscape is undergoing a lot of change. You probably have heard about the EU General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. There are also other regulations in effect or in the works around the world. We’ve written up this reference document to put helpful information regarding our products and privacy regulations in one place. Please also view our full Privacy policy.

If you have any questions, comments, or concerns about our Privacy policy, your data, or your rights with respect to your information, please email us at

European Union General Data Protection Regulation (GDPR)

Loomio is a New Zealand registered company, however our data infrastructure is located in the United States, European Union, Australia and New Zealand. That means your data is transferred to the country where the data infrastructure is resident. The EU has strong privacy laws and a core tenet of the GDPR is that if you transfer any personal data of EU residents out of the EU, you must protect it to the same level as guaranteed under EU law. There are two factors to this:

  1. The practices that businesses take handling personal data; and
  2. The laws of the countries where you transfer the EU personal data to

Practices we have at Loomio

We are serious about treating our customers fairly. We respect your privacy and will never sell your data to third parties, nor put advertising into Loomio. You have control of your data and right to privacy. The security measures we put in place are to protect your personal data. These principles apply to all of our customers, regardless of where you are in the world.

Please read our Privacy Policy and our Security Overview in full. Some highlights:

  • We never have and never will sell customer data.
  • We don’t run ads for other services in our products.
  • We limit the data we collect: if we don’t need it, we don’t ask for it.
  • We limit the permissions our apps request on your devices.
  • We put a lot of security measures into place including in-transit encryption, encryption at-rest, and requiring employees and contractors to sign non-disclosure agreements.
  • When you email us at, someone from our team will get back to you. You are always speaking with a human! No bots.

We do work with sub-processors. You can see a list of current sub-processors at Loomio Subprocessors and Company Processors. With each vendor, we assess their commitment to privacy and ensure they have GDPR-compliant data processing agreements in place that include the controller-processor Standard Contractual Clauses.

Data processing addendum

We have incorporated a Data Processing Addendum (DPA) to our Terms of Service. You can find the DPA linked within the Uptime, Security and Privacy section. This addendum is in effect when the General Data Protection Regulation applies to your use of Loomio services to process Customer Data as defined in the DPA. The DPA includes the European Commission’s Standard Contractual Clauses (both controller-processor and controller-controller) to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed. If you prefer to have an executed copy of the Data Processing Addendum, contact us to request a signed DPA with your organization name, and name and email address of the person with authority to sign on behalf of your organization. We provide the same privacy rights and protection to all customers, regardless of whether they choose to execute a DPA.

California Consumer Privacy Act (CCPA)

In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website:

Under the CCPA, Loomio is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes unless with your explicit permission.

The CCPA also grants residents of California with additional rights related to their information. We grant those rights to all of our customers and detail them in our Privacy policy. Our Privacy policy also explains the information we collect in order to provide our services and clearly lists the only times we access or share your data.

Loomio Private host and Self-host support services

Loomio offers Private host and Self-host support services where you can have your own private instance of Loomio running on servers of your choice. All content and personal data is resident in the country where the server is located. You can choose a private cloud service such as AWS or Digital Ocean, or a server within your organization's firewall.

If you have any concerns about the use of Loomio cloud-based services and the transfer of data outside your country, contact us to request information about Loomio's private host or self-hosted support services.