This policy is effective as of 12 February 2026. Contact legal@loomapi.com with questions.

Privacy Policy

Last updated: 12 February 2026

Introduction

LoomAPI is operated by Infinity Domain Solutions Ltd (we, us, our), registered in England and Wales with its registered office at 37 Lombard Street, 6th Floor, London, England, EC3V 9BQ. This privacy notice explains how we collect, use, and protect personal data when you use our age and risk verification API and related services. It applies to business customers and their authorised users.

We process personal data in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018. For a full Data Processing Addendum (DPA), contact us.

What Data We Process

We process the following categories of data:

  • Account data: Email, name, and account preferences. This is held by our authentication provider (Clerk) and used to manage your account and access to the dashboard.
  • Billing data: Payment and subscription information is processed by Stripe. We do not store full card details; we receive billing-related identifiers and usage for invoicing.
  • API usage and metadata: Request IDs, verification status, timestamps, IP addresses, and user agents for rate limiting, security, and support. We do not store ID document images or biometric data; verification runs through third-party providers and we retain only metadata and short-lived tokens as needed for the service.
  • Support and communications: Emails and messages you send to us for support or enquiries.

We do not sell your personal data. We do not use it for marketing except where you have opted in or we have a legitimate interest (e.g. product updates relevant to your account).

Purposes and Lawful Bases

We process personal data to provide the Service, run our business, and comply with law. Our lawful bases under UK GDPR include:

  • Contract: Performance of our contract with you (account management, API access, billing).
  • Legitimate interests: Security, fraud prevention, improving the Service, and communicating about your account where appropriate.
  • Legal obligation: Where we must retain or disclose data to comply with law.

Sub-processors

We use the following sub-processors to operate the Service. Each is chosen with regard to security and data protection:

  • Clerk: Authentication and account management for the dashboard.
  • Stripe: Payment processing and billing.
  • Vercel (or hosting provider): Hosting of our web and API infrastructure.
  • Database provider: Storage of account and API metadata.
  • Monitoring and logging: Operational logging and error tracking where deployed.

We may update this list. For enterprise customers we can provide a sub-processor list and, where required, a signed DPA. Contact founder@loomapi.com for details.

Retention

We retain personal data only as long as necessary for the purposes above. Account data is retained while your account is active and for a reasonable period after closure for legal and support purposes. API and usage metadata may be retained for billing, security, and compliance. We do not retain ID document or biometric data. You can request deletion of your account data; we will comply subject to legal retention requirements.

International Transfers

Some of our sub-processors are located outside the UK. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as UK-approved transfer mechanisms (e.g. adequacy decisions, standard contractual clauses). Details can be provided on request.

Your Rights (Data Subject Rights)

Under UK data protection law you have the right to access your personal data, request rectification, request erasure (in certain cases), restrict processing, object to processing, and data portability where applicable. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

To exercise your rights or ask questions about our processing, contact us at founder@loomapi.com. We will respond within the timeframe required by applicable law (typically one month under UK GDPR).

Cookies and Tracking

Our website and dashboard may use cookies for authentication and analytics. See our Cookie Policy for details and how to change preferences.

Changes to This Policy

We may update this privacy notice from time to time. The "Last updated" date at the top will be revised. Material changes that affect how we use your data will be communicated via email or through the Service where appropriate.

Contact

For privacy-related questions or to exercise your rights: founder@loomapi.com.