Privacy Policy
Last updated: 22 November 2025
Introduction
LoomAPI ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you use our age and risk verification API service.
This policy applies to all users of LoomAPI, including platform operators who integrate our service and end users who undergo verification.
What Data We Process
LoomAPI operates with a zero-retention policy for personally identifiable information (PII) and biometric data. We process:
- Verification metadata: Verification IDs, status, confidence scores, timestamps
- Technical data: IP addresses, user agents, request headers (for rate limiting and security)
- Billing data: Usage metrics, tenant identifiers (processed via Stripe for metered billing)
We do NOT store: Raw verification evidence, ID document images, biometric templates, face data, or any PII beyond what is strictly necessary for service operation.
How We Use Your Data
- Providing age and risk verification services
- Enforcing rate limits and quotas
- Processing metered billing via Stripe
- Maintaining service security and preventing abuse
- Generating audit logs and compliance reports
Data Sharing
We share data only with:
- Stripe: For payment processing and usage-based billing
- Verification providers: When you configure Veriff or similar services (data flows through but is not stored by LoomAPI)
- Legal authorities: When required by law or court order
Data Retention
Verification metadata is retained for compliance and audit purposes as required by applicable regulations. JWT tokens expire after 24 hours by default. Raw evidence and PII are not retained beyond the verification session.
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Request deletion of your data
- Object to processing
- Request data portability
To exercise these rights, contact us at privacy@loomapi.com.
We will respond to your request within 30 days, or as required by applicable law.
International Data Transfers
LoomAPI operates globally and may transfer data to countries outside your jurisdiction. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Adequacy decisions where applicable
- Compliance with applicable data protection laws
Children's Privacy
LoomAPI is designed for age verification and does not knowingly collect personal information from children under 13 (or the applicable age in your jurisdiction). Our service is intended to verify that users are of legal age, not to collect information from minors.
Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest
- Regular security audits and vulnerability assessments
- Access controls and authentication mechanisms
- Monitoring and logging of access to sensitive data
- Incident response procedures
Cookies and Tracking
LoomAPI's website may use cookies and similar technologies for analytics and functionality. We do not use cookies for advertising or cross-site tracking. You can control cookies through your browser settings.
Changes to This Policy
We may update this Privacy Policy from time to time. We will give notice of material changes via email or through our website. The "Last updated" date at the top indicates when this policy was last revised.
Contact
For privacy-related questions, concerns, or to exercise your rights, please contact us:
- Email: privacy@loomapi.com
- General inquiries: hello@loomapi.com