Privacy Policy

Last updated: February 25, 2026

Scope

This Privacy Policy explains how ActLoom processes personal data when you access or use our website, platform, and related services.

It applies to account owners, invited users, prospects, and visitors who interact with ActLoom-controlled properties.

Data controller

ActLoom acts as data controller for account, billing, and product-operations data processed to operate the service.

Where ActLoom processes customer-submitted compliance data on behalf of a customer organization, ActLoom acts as a processor under applicable agreements.

Data we collect

We collect data necessary to provide and secure the service, administer subscriptions, and support product operations.

  • Account data: name, email, role, authentication and session metadata
  • Organization data: company profile, workspace settings, team membership
  • Compliance workflow data: AI-system records, assessment entries, notes, evidence links, incident metadata
  • Billing and transaction data: subscription plan, invoices, payment status (processed via payment partners)
  • Technical and usage data: logs, device/browser data, error diagnostics, performance telemetry

Purpose and legal basis

We process personal data under one or more legal bases under GDPR and related EU laws.

  • Contract performance: provide access, run workflows, generate reports, manage subscriptions
  • Legitimate interests: service security, abuse prevention, reliability, product improvement
  • Legal obligations: tax/accounting duties, lawful requests, regulatory obligations
  • Consent: optional cookies and similar technologies where required

Sharing and recipients

We share data only with recipients necessary to operate the service and meet legal obligations.

  • Infrastructure and hosting providers
  • Authentication, email, and payment service providers
  • Customer-authorized integrations
  • Professional advisors (legal, audit, accounting) where required
  • Public authorities or regulators where legally required

International transfers

Where data is transferred outside the EEA/UK, we implement appropriate safeguards such as Standard Contractual Clauses and supplementary measures where applicable.

Transfer mechanisms depend on provider location and applicable law at the time of processing.

Retention

We retain data for as long as required to provide the service, fulfill contractual obligations, support auditability, and comply with legal requirements.

Retention periods vary by data type, and data is deleted or anonymized when no longer required.

  • Account and workspace data: retained while the account is active
  • Billing records: retained per accounting and tax requirements
  • Operational logs: retained for security and troubleshooting windows

Security

We apply technical and organizational safeguards designed to protect data against unauthorized access, alteration, disclosure, and loss.

No system is completely risk-free, but we continuously improve security controls and incident response procedures.

Your rights

Depending on your location and applicable law, you may exercise rights over your personal data.

  • Access and portability
  • Rectification
  • Erasure
  • Restriction of processing
  • Objection to processing based on legitimate interests
  • Withdrawal of consent where processing relies on consent

Cookies and similar technologies

ActLoom uses necessary cookies for core functionality and optional categories for analytics or marketing where enabled.

You can manage preferences at any time via the Cookie Preferences control.

Children's data

ActLoom is intended for business use and is not directed to children. We do not knowingly collect personal data from children in connection with the service.

Updates to this policy

We may update this policy to reflect legal, technical, or business changes. Material updates will be communicated through the service or other appropriate channels.

Contact

For privacy requests or questions, contact team@actloom.com. If your concern remains unresolved, you may have the right to lodge a complaint with your local supervisory authority.