Last updated: 2021-11-03
Loomio is a New Zealand registered company; however, our data infrastructure is located in the United States, European Union, Australia and New Zealand. That means your data is transferred to the country where the data infrastructure is resident. The EU has strong privacy laws, and a core tenet of the GDPR is that if you transfer any personal data of EU residents out of the EU, you must protect it to the same level as guaranteed under EU law. There are two factors to this:
- The practices that businesses follow when handling personal data; and
- The laws of the countries to which you transfer the EU personal data
We are serious about treating our customers fairly. We respect your privacy and will never sell your data to third parties, nor put advertising into Loomio. You have control of your data and a right to privacy. The security measures we put in place are to protect your personal data. These principles apply to all of our customers, regardless of where you are in the world.
- We never have and never will sell customer data.
- We don’t run ads for other services in our products.
- We limit the data we collect: if we don’t need it, we don’t ask for it.
- We limit the permissions our apps request on your devices.
- We put a lot of security measures into place including in-transit encryption, encryption at-rest, and requiring employees and contractors to sign non-disclosure agreements.
- When you email us at firstname.lastname@example.org, someone from our team will get back to you. You are always speaking with a human! No bots.
We do work with sub-processors. You can see a list of current sub-processors at Loomio Subprocessors and Company Processors. With each vendor, we assess their commitment to privacy and ensure they have GDPR-compliant data processing agreements in place that include the controller-processor Standard Contractual Clauses.
We have incorporated a Data Processing Addendum (DPA) into our Terms of Service. You can find the DPA linked within the Uptime, Security and Privacy section. This addendum is in effect when the General Data Protection Regulation applies to your use of Loomio services to process Customer Data as defined in the DPA. The DPA includes the European Commission’s Standard Contractual Clauses (both controller-processor and controller-controller) to extend GDPR privacy principles, rights, and obligations everywhere personal data is processed. If you prefer to have an executed copy of the Data Processing Addendum, contact us to request a signed DPA with your organization name, and the name and email address of the person with authority to sign on behalf of your organization. We provide the same privacy rights and protection to all customers, regardless of whether they choose to execute a DPA.
In the CCPA, there is an important distinction between what are referred to as “service providers”, “businesses”, and “third parties”. You can see how the regulation defines these words by visiting the California Attorney General’s website: https://www.oag.ca.gov/privacy/ccpa.
Under the CCPA, Loomio is a “service provider.” That means when we process data you provide, we do so solely for the purpose you signed up for. Our business model is simple: we charge a recurring subscription fee to our customers. We do not sell personal information or use your data for any other commercial purposes except with your explicit permission.
Loomio offers Private host and Self-host support services where you can have your own private instance of Loomio running on servers of your choice. All content and personal data are resident in the country where the server is located. You can choose a private cloud service such as AWS or DigitalOcean, or a server within your organization's firewall.
If you have any concerns about the use of Loomio cloud-based services and the transfer of data outside your country, contact us to request information about Loomio's private host or self-hosted support services.