Legal
Privacy policy
Last updated June 26, 2026.
This Privacy Policy describes how Loomlr collects, uses, shares, and protects personal data, and the rights available to you. Please read it alongside our Terms of Service.
1. Who we are and how to contact us
Loomlr is an AI product photography service for fashion and ecommerce teams (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, create an account, or use the Service.
The Service is operated by David Silva, a sole proprietor established in Portugal, with a place of business at [BUSINESS ADDRESS] (“Loomlr”, “we”, “us”, or “our”). For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we are the data controller of the personal data described in this policy, except where we act as a processor on behalf of our business customers (see “Scope and our role” below).
If you have any questions about this policy or how we handle your data, you can reach us at hello@loomlr.ai. We have not appointed a statutory Data Protection Officer; privacy enquiries are handled directly by the operator at the same address.
2. Scope and our role
This policy applies to personal data we process about: visitors to our marketing site; people who create or administer a Loomlr account or workspace; members invited to a workspace; external reviewers who open a shared review or gallery link; and individuals depicted in content uploaded to the Service.
When we are a controller
We act as a controller for account, billing, marketing, analytics, and support data — that is, data we decide how and why to process to run Loomlr as a business.
When we are a processor
When you (or the organisation you belong to) upload products, reference images, prompts, and other workspace content, we generally process that content as a processor on your behalf and on your instructions, so that we can generate and store the imagery you request. You are responsible, as controller, for having a lawful basis and any necessary permissions for the personal data you put into the Service. Where you require a separate Data Processing Agreement (DPA), contact us at hello@loomlr.ai.
3. The information we collect
Information you provide
- Account & profile: email address, password (stored only as a salted hash), and optionally your name and a profile image. If you sign in with Google, we receive your name, email address, and profile photo from Google.
- Workspace & organisation: workspace/ organisation name, team and role assignments, invitations you send (including invitee email addresses), and settings.
- Content you upload or generate: product images and metadata, reference images (including images of people — see below), poses, backgrounds, outfits, prompts and instructions, generated images and videos, comments, and project data.
- Billing: your plan, credit balance and transactions, and subscription status. Card and payment details are collected and processed directly by our payments provider (Polar) — we do not store full card numbers.
- Reviews & collaboration: if you open a shared review or gallery link, we may collect your name, email address, and any feedback or approval decisions you submit, and we may send a one-time code to verify your email.
- Support & communications: messages, bug reports (including any screenshots you attach), and other correspondence you send us.
Information collected automatically
- Usage & device data: pages and features used, generation requests, actions taken, approximate timing, browser and device type, and similar diagnostic information.
- Log & security data: we process IP addresses transiently to operate, secure, and rate-limit the Service and to prevent abuse. IP addresses used for abuse-prevention rate limiting are held only in memory for short windows and are not stored in our database.
- Cookies & local storage: see “Cookies and similar technologies” below.
- Marketing attribution: referral codes, share links, and campaign parameters (e.g. UTM tags) and the referring page, where present.
Information from third parties
- Google (if you use Google sign-in or the optional Google Drive import/export feature).
- Polar (our payments provider) — subscription and order status, customer identifiers, and renewal information.
- Shopify (if you connect a store) — shop details and product catalogue data you choose to sync.
4. Images of people, likeness, and biometric-type data
Loomlr lets you upload reference photos of faces and bodies to create reusable AI models and “digital twins”. Images that depict an identifiable person are personal data, and facial or body imagery may be treated as special-category or biometric data under certain laws (for example the GDPR, the UK GDPR, and US state biometric laws such as Illinois’ BIPA).
Your responsibility for the people you depict
You must have the legal right and all necessary consents to upload and process images of any individual, and to create AI imagery depicting them, before you add such content to the Service. Do not upload images of a person without their permission, and never upload images of minors as model or face references.
How we handle this content
- We process face and body images solely to perform the generation and editing you request and to store the assets in your workspace.
- We do not use this content to perform facial recognition, to identify individuals, to build a biometric identification database, or to train general-purpose AI models.
- Where the law requires explicit consent to process biometric or special-category data, you are responsible, as the controller of that content, for obtaining it from the data subject. By uploading such content you confirm you have done so.
- You can delete models, faces, and reference images at any time, and deleting them removes the associated files from storage as described in “How long we keep your information”.
5. How we use AI to process your content
Loomlr generates imagery and video using third-party AI models. When you request a generation or edit, the relevant inputs — such as your prompts and the reference images you select — are transmitted to our AI subprocessors (currently Google’s Gemini and Vertex AI models, accessed directly and via OpenRouter) so they can produce the requested output.
- These providers process your inputs to return a result to us under contractual terms that restrict their use of submitted content to providing the service. We do not authorise them, or ourselves, to use your content to train general-purpose foundation models.
- AI provenance: in line with applicable transparency expectations, images and videos generated by Loomlr are tagged as AI-generated using embedded metadata (IPTC/XMP “Digital Source Type” and creator tags), and certain plans also apply a visible watermark.
- AI output can be inaccurate or unexpected. You are responsible for reviewing generated content before you publish or rely on it, and for any disclosures that the content is AI-generated where required.
6. How and why we use your information
We use personal data for the purposes below. Where the GDPR or UK GDPR applies, the legal basis for each purpose is shown in brackets.
- Provide and operate the Service — create your account, run generations, store assets, enable collaboration and integrations. [Performance of a contract]
- Billing and credits — process subscriptions, top-ups, and credit accounting, and prevent payment fraud. [Performance of a contract; legal obligation]
- Security, abuse prevention, and reliability — authenticate users, rate-limit, detect misuse, and keep the Service available. [Legitimate interests; legal obligation]
- Support and service communications — respond to requests and send essential notices (e.g. account, security, billing, and account-deletion reminders). [Performance of a contract; legitimate interests]
- Product analytics and improvement — understand how features are used and improve them. [Consent, where required; otherwise legitimate interests]
- Marketing and attribution — measure campaigns and, where you have opted in, send marketing. [Consent; legitimate interests]
- Legal and compliance — comply with law, enforce our Terms, and establish, exercise, or defend legal claims. [Legal obligation; legitimate interests]
Where we rely on legitimate interests, we balance those interests against your rights. You may object to processing based on legitimate interests as described in “Your privacy rights”.
9. International data transfers
We host data within the European Union where practical (for example, object storage and product analytics are configured to EU regions). Some of our subprocessors are located in, or may process data in, countries outside the EU/EEA and the UK, including the United States.
Where we transfer personal data outside the EEA, the UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards — principally the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum) — together with supplementary measures where needed. You may request more information about these safeguards by contacting us at hello@loomlr.ai.
10. How long we keep your information
We keep personal data only for as long as necessary for the purposes described in this policy, then delete or anonymise it.
- Account and workspace data is retained while your account is active.
- Account deletion: you can request deletion from within the Service. Deletion runs after a 30-day grace period (during which you can cancel), and we send a reminder before it completes. On completion we delete your account, workspace, projects, models, products, generated assets, chat history, and the associated files in storage.
- Billing and transaction records are retained as required to meet tax, accounting, and legal obligations, typically for several years.
- Limited records — such as audit, security, and webhook-idempotency markers — may be retained where needed to meet legal obligations or to establish, exercise, or defend legal claims.
11. How we protect your information
We use technical and organisational measures appropriate to the risk, including encryption in transit, hashing of passwords, access controls and role-based permissions, scoped and time-limited access links for stored media, and abuse-prevention rate limiting. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
If we become aware of a personal-data breach that is likely to affect you, we will notify the relevant supervisory authority and affected individuals where required by applicable law.
12. Your privacy rights (EU/EEA, UK, and Switzerland)
Subject to applicable law, you have the right to: access your personal data; correct inaccurate data; request erasure; restrict or object to certain processing; data portability; and, where processing is based on consent, to withdraw that consent at any time (without affecting prior processing). You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise your rights, contact us at hello@loomlr.ai. We may need to verify your identity and will respond within the timeframes required by law (generally one month under the GDPR). Some content you upload is controlled by the organisation whose workspace you belong to; in that case we may direct your request to that organisation.
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA country of your habitual residence or place of work, or with the supervisory authority in Portugal. In the UK, you may complain to the Information Commissioner’s Office (ICO).
13. Notice to California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you certain rights regarding your personal information.
- Right to know / access the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
- Right to delete personal information we have collected, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the “sale” or “sharing” of personal information, and to limit the use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
We do not sell your personal information, and we do not “share” it for cross-context behavioural advertising as those terms are defined under the CPRA. The categories of personal information we collect, our purposes, and the recipients are described throughout this policy. To exercise your rights, contact us at hello@loomlr.ai; you may use an authorised agent, and we will not discriminate against you for exercising your rights.
14. Notice to other regions
Depending on where you live, other privacy laws may give you similar rights (for example, Brazil’s LGPD, Canada’s PIPEDA, and other US state laws such as those of Virginia, Colorado, and Connecticut). We honour applicable rights of access, correction, deletion, and opt-out. To make a request, contact us at hello@loomlr.ai.
15. Children’s privacy
Loomlr is a business tool intended for use by organisations and adults. It is not directed to children, and we do not knowingly collect personal data from anyone under 18 as a Loomlr account holder. You must also not upload images of minors as model or face references. If you believe a child has provided us personal data, contact us at hello@loomlr.ai and we will delete it.
16. Third-party sites and services
The Service may link to or integrate with third-party sites and services (such as Shopify, Google, and Polar). Their privacy practices are governed by their own policies, not this one. We encourage you to review the privacy notices of any third party you interact with.
17. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice (for example, by email or an in-product notice). Your continued use of the Service after an update takes effect constitutes acceptance of the revised policy.
18. How to contact us
For any privacy question or request, or to exercise your rights, contact:
David Silva
Peniche, Portugal
hello@loomlr.ai
This document is provided for transparency about our data practices and does not constitute legal advice.