This Privacy Policy explains what personal information Loomerang collects, how we use it, who we share it with, how long we keep it, and the choices and rights you have.

It applies to the Loomerang website, mobile applications, and the related services we offer to consumers and to the independent designers who sell through Loomerang storefronts (together, the "Services").

If you only want the short version, here it is:

Loomerang is an online marketplace for independent designer-led apparel.

Two entities operate the Services, and the controller of your personal information depends on where you are:

(a) Outside India.

Brighter Technology, LLC, a Washington limited liability company with its registered office at 600 1st Ave, Ste 102 PMB 2207, Seattle, WA 98104, USA ("Loomerang US"), is the controller of personal information of consumers and designers located outside India.

(b) Inside India.

Techtobright Private Limited, a private limited company incorporated under the Companies Act, 2013, with its registered office at 47 Ardhendu Sekhar Naskar Sarani, Kolkata 700042, India ("Loomerang India"), is the Data Fiduciary (controller) of personal information of consumers and designers located in India and is the entity that operates the Services in India. Loomerang India is a separate legal entity from Loomerang US and is responsible for compliance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023.

(c) Joint and separate processing.

For some processing operations — for example, fraud screening that runs across the global platform — Loomerang US and Loomerang India act as joint controllers within the meaning of Article 26 GDPR. The essence of that arrangement is described in Section 16. For most processing, each entity is the sole controller for its region.

(d) Data Protection Officer.

Our Data Protection Officer can be reached at dpo@loomerang.com. The DPO is appointed jointly for Loomerang US and Loomerang India.

This Policy applies when you visit the Loomerang website, use the Loomerang mobile applications, communicate with our customer-support team, or interact with Loomerang content on third-party sites (for example, a Loomerang marketing email or a Loomerang ad). The Services serve two roles:.

Consumers — individuals who browse and purchase products on Loomerang.

Designers — independent creators who open a storefront and list products on Loomerang. Designers are independent businesses; they are not employees of Loomerang. Section 16 describes how data flows between Loomerang and designers, and which one of us is responsible for which processing.

"Personal information" in this Policy means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you.The term is intended to align with "personal data" under the GDPR and UK GDPR, "personal information" under the CPRA, "personal data" under the DPDP Act, and "personal information" under PIPEDA.

"Sensitive personal information" has the meaning given in Section 5.

We collect the following categories of personal information:

(a) Account and profile information.

(b) Transaction information.

(c) Payment information.

We do not store full payment-card numbers, expiration dates, or card-verification values; that information is collected directly by our payment processor (a PCI-DSS Level 1 service provider).

(d) Designer-only information.

(e) Device, log, and location information.

With your permission, we may also collect precise geolocation from your mobile device.

(f) Cookie and similar-technology data.

See Section 9.

(g) Communications.

Emails, SMS, support chats, and other messages between you and Loomerang, including recordings or transcripts where required by law and where you have been notified.

(h) Information from third parties.

Information we receive from social-login providers (where you choose to use one), from advertising and analytics partners, from anti-fraud services, from carriers and shippers, from designers (about their consumers, where the designer shares such information with us), and from public sources where lawful (e.g., business registries for designer onboarding).

We do not knowingly collect personal information from children. See Section 14.

We collect personal information from three sources:

(a) Directly from you.

When you create an account, place an order, open a storefront, contact support, post a review, or otherwise interact with the Services.

(b) Automatically through your use of the Services.

Through cookies, SDKs in our mobile apps, server logs, and similar technologies. See Section 9 for the cookie disclosure.

(c) From third parties.

As described in Section 3(h).

We do not ask consumers for special-category data within the meaning of Article 9 GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation), and you should not submit such data to us.

If you choose to include such information in a product review, profile, or message, you should understand that you are doing so on your own initiative and within the meaning of Article 9(2)(e) GDPR (data manifestly made public by the data subject).

For designers we may, in limited circumstances and only where strictly necessary, collect government-issued identifiers (for tax reporting and sanctions screening) and bank-account details (for payouts).

These are treated as "sensitive personal information" under the CPRA (Cal. Civ. Code § 1798.140(ae)) and are processed only for the limited purposes described in Section 6 and not used for advertising, profiling, or any purpose unrelated to running the marketplace.

For users in India, "sensitive personal data or information" within the meaning of Rule 3 of the IT Rules, 2011 — including financial information such as bank-account details — is processed by Loomerang India under the DPDP Act and the IT Rules, 2011, and only for the purposes listed in Section 6.

We do not collect biometric data, health data, or genetic data through the Services.

We use personal information for the purposes set out below.

For each purpose, we have identified the legal basis under the GDPR and UK GDPR.

In other regions, the same purpose is supported by the equivalent local basis (consent, contract, legitimate interest, legal obligation, or statutory exemption under the DPDP Act or PIPEDA).

(a) To provide the Services.

Creating and managing your account, displaying storefronts, processing orders, handling returns, calculating and paying designer royalties, providing customer support.

Legal basis (GDPR/UK GDPR): performance of a contract (Article 6(1)(b)).

(b) To process payments and pay out designer royalties.

Legal basis: performance of a contract (Article 6(1)(b)) and compliance with legal obligations relating to tax and anti-money-laundering (Article 6(1)(c)).

(c) To prevent fraud and abuse, secure the Services, and enforce our Terms.

Legal basis: legitimate interests (Article 6(1)(f)) — our interest in operating a safe marketplace and protecting designers and consumers from fraud, balanced against the limited intrusion on the user.

We use techniques such as device fingerprinting and velocity checks, applied narrowly to the fraud-detection purpose.

(d) To comply with tax, accounting, sanctions, intellectual-property, consumer-protection, and other legal obligations.

Legal basis: legal obligation (Article 6(1)(c)).

(e) To send service messages.

Order confirmations, shipping updates, returns, security alerts, and changes to our Terms or this Policy.

Legal basis: performance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).

(f) To send marketing messages and personalize the Services.

Including curated emails, recommendations on the homepage, and search-ranking adjustments based on your past behavior on the platform.

Legal basis: consent (Article 6(1)(a)) for marketing emails to consumers in jurisdictions that require opt-in (EU, UK, Canada under CASL); legitimate interests (Article 6(1)(f)) elsewhere, subject to the right to object under Article 21(2) GDPR.

(g) To improve the Services and develop new ones.

Analytics on aggregated and pseudonymized usage data, A/B testing, and product research.

Legal basis: legitimate interests (Article 6(1)(f)).

We use pseudonymized data wherever possible.

(h) To respond to lawful requests from courts, regulators, and law-enforcement authorities.

Legal basis: legal obligation (Article 6(1)(c)).

(i) For corporate transactions.

Due diligence and integration in connection with a merger, acquisition, financing, or sale of all or part of our business.

Legal basis: legitimate interests (Article 6(1)(f)).

Personal information is shared under confidentiality and minimization undertakings.

We will not process your personal information for purposes that are materially different from those listed above without first either notifying you and obtaining your consent (where required) or relying on another lawful basis that we will identify to you in advance.

If you are a designer, the following additional terms apply.

(a) Information we collect from you.

Identity and tax information sufficient to onboard you and pay you, payout details, storefront content, sales and royalty records, and our communications with you.

(b) Why we collect it.

To run your storefront, to pay your royalties, to comply with tax-reporting obligations, to comply with sanctions and AML obligations, to provide analytics dashboards, to investigate intellectual-property complaints, and to enforce our designer terms.

(c) Storefront content is public.

The storefront name, theme, designer bio, product images, product descriptions, and pricing you publish are visible to anyone on the internet and may be indexed by search engines. Treat them as public.

(d) Your sales and royalty data.

We treat sales and royalty data for your storefront as confidential to you. We do not show it to other designers, do not sell it, and do not use it to coach competitors.

(e) The relationship between you and Loomerang for personal-information purposes.

For the personal information we collect from you about you (your account, your payouts, your tax forms), we are the controller.

For the personal information that flows through your storefront about your customers, for example, the name and shipping address attached to an order placed with you, or the messages a customer sends you through the platform, we and you are independent controllers, each responsible for our own processing under the agreement between us.

You are responsible for your own compliance with applicable privacy law, including for any direct-marketing list you build from your Loomerang sales.

(f) Public disclosures of designer identity.

Where law requires (for example, the INFORM Consumers Act, 15 U.S.C. § 45f, for high-volume third-party sellers in the United States), we will disclose your verified business name, business address, and contact information on the Loomerang storefront page and in order confirmations.

We share personal information only as described below:

(a) Service providers.

Hosting, content-delivery, analytics, payments, fraud-prevention, customer-support, email-delivery, SMS-delivery, marketing-attribution, mapping, and tax-compliance vendors.

Each is bound by a written data-processing agreement that restricts their use of personal information to the services they perform for us.

(b) Designers and consumers, in the ordinary course of a marketplace transaction.

When you place an order, we may share order details (including your geographical location) with the designer.

Designers see only the information that is commercially relevant to them; they do not see your card details or your other purchase history on Loomerang.

(c) Advertising and analytics partners.

We share online identifiers (cookie IDs, advertising IDs, hashed email addresses) with advertising platforms to deliver and measure ads.

In jurisdictions that classify this as a "sale" or "share" of personal information (California, Colorado, Connecticut, Texas, and other US states with comprehensive privacy laws), you can opt out using the controls in Section 12.

(d) Authorities.

Courts, regulators, law enforcement, and tax authorities, where we are legally required or permitted to disclose.

We require all government requests to be appropriately scoped and lawful, and we challenge requests we believe are not.

(e) Professional advisers and acquirers.

Lawyers, auditors, insurers, and prospective acquirers in the context of a corporate transaction, under confidentiality undertakings.

(f) With your direction.

Where you ask us to share information with a third party (for example, by connecting a social-login provider).

We do not sell personal information for money.

We share certain online identifiers with advertising partners as described in Section 8(c), which is treated as a "sale" or "share" under some US state laws.

We use cookies, pixels, SDKs, and similar technologies to operate the Services, remember your preferences, secure your session, measure how the Services are used, and (with your consent where required) deliver targeted advertising.

(a) Cookie categories.

Our cookies fall into four categories: strictly necessary, functional, analytics, and advertising/targeting.

Strictly necessary cookies cannot be turned off without breaking the Services (they hold your shopping cart and your authenticated session, for example).

(b) Consent.

If you visit the Services from the European Economic Area, the United Kingdom, or another jurisdiction that requires opt-in consent for non-essential cookies (including under the ePrivacy Directive, as transposed locally, and the UK Privacy and Electronic Communications Regulations 2003), we ask for your consent before placing functional, analytics, or advertising cookies.

You can change your choices at any time using the "Cookie Preferences" link in the footer.

(c) Browser controls and Global Privacy Control.

You can also control cookies through your browser settings.

If your browser sends a Global Privacy Control ("GPC") signal, we treat it as a valid request to opt out of "sale" and "sharing" of your personal information for users in California, Colorado, and other US states whose laws recognize GPC.

(d) Do Not Track.

We do not currently respond to "Do Not Track" browser signals, because there is no industry consensus on what they require.

We do honor the GPC signal, as described in Section 9(c).

(e) Third-party cookies.

Our advertising partners may set their own cookies through the Services.

The Network Advertising Initiative (www.networkadvertising.org/choices) and the Digital Advertising Alliance (www.aboutads.info/choices) provide opt-out tools that cover many of these partners.

(f) Cookie list.

A current list of the cookies we use, the purpose of each, the provider, and the retention period is available at [Insert URL of cookie list].

Loomerang is a global marketplace.

Personal information is transferred between the United States, the European Economic Area, the United Kingdom, India, and Canada as part of running the Services.

(a) Transfers from the EEA, the UK, and Switzerland.

Where we transfer personal information from the EEA, the UK, or Switzerland to a country that the European Commission, the UK Secretary of State, or the Swiss Federal Data Protection and Information Commissioner has not deemed to provide adequate protection, we use the European Commission's Standard Contractual Clauses (Decision 2021/914) or the UK International Data Transfer Addendum, supplemented as needed by additional safeguards informed by a transfer-impact assessment of the kind described in EDPB Recommendations 01/2020 (post-Schrems II).

(b) Transfers to the United States.

Where we rely on the EU-US Data Privacy Framework or the UK-US Data Bridge, we will identify in our public certification the categories of data covered.

Where we do not rely on those frameworks, we use the SCCs as described in Section 10(a).

(c) Transfers from India.

Loomerang India processes personal data of Indian Data Principals locally and transfers it outside India only to countries not restricted by the Central Government under Section 16 of the DPDP Act.

Where required, transfers are made under appropriate contractual safeguards between Loomerang India and the recipient.

(d) Transfers from Canada.

Loomerang transfers personal information of Canadian users to the United States and to other jurisdictions for processing, including through service providers, as permitted by PIPEDA.

We use contractual measures to provide a comparable level of protection and we identify Canadian data in our internal records.

(e) Copies of safeguards.

You may obtain a copy of the relevant safeguards by contacting us at the address in Section 17.

We may redact commercial terms.

We keep personal information only for as long as we have a lawful basis to do so.

The retention periods below describe what we apply by default; we may retain longer where required by law (e.g., tax records) or shorter where you exercise a deletion right.

Data category — Default retention period

When the retention period expires, we delete or anonymize the personal information.

Anonymization is performed in a manner intended to make re-identification reasonably impossible.

Your rights depend on where you live.

The summary in this section describes the rights that are likely to apply to you.

To exercise any right, contact us using the details in Section 17 or use the in-product privacy controls in your account settings.

We will verify your identity in a manner proportionate to the request before responding.

(a) European Economic Area, United Kingdom, and Switzerland.

You have the right to: access your personal data (Article 15 GDPR); rectify inaccurate data (Article 16); have data erased ("right to be forgotten", Article 17, subject to exceptions); restrict processing (Article 18); receive your data in a portable format (Article 20); object to processing based on legitimate interests, including direct marketing (Article 21); withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Article 7(3)); not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22); and lodge a complaint with the supervisory authority in your member state (Article 77).

A list of supervisory authorities is at edpb.europa.eu.

UK users may complain to the Information Commissioner's Office at ico.org.uk.

(b) California (and other US states with comprehensive privacy laws).

California consumers have the rights set out in the CPRA: the right to know what personal information is collected, used, shared, or sold (Cal. Civ. Code § 1798.110, § 1798.115); the right to correct (§ 1798.106); the right to delete (§ 1798.105); the right to opt out of "sale" or "sharing" of personal information (§ 1798.120); the right to limit use and disclosure of sensitive personal information (§ 1798.121); and the right to non-discrimination for exercising these rights (§ 1798.125).

To exercise these rights, use the "Your Privacy Choices" link in the footer or contact us at privacy@loomerang.com.

We honor the Global Privacy Control as a valid opt-out signal.

Consumers in Colorado, Connecticut, Virginia, Texas, Utah, Oregon, and other states with comprehensive privacy laws have similar rights, exercisable through the same channels.

Consumers in California also have a right to limit the use of sensitive personal information; see Section 5.

(c) India.

Under the DPDP Act, 2023, Indian Data Principals have the right to obtain a summary of personal data being processed by Loomerang India and the processing activities undertaken (Section 11); the right to correction, completion, updating, and erasure (Section 12); the right to nominate another individual to exercise rights in case of death or incapacity (Section 14); and the right to grievance redressal (Section 13).

To exercise these rights, contact our Indian Grievance Officer (Section 17).

We will acknowledge complaints within the timelines set out in the rules under the IT Act and the DPDP Act.

(d) Canada.

Canadian users have the rights set out in PIPEDA, including the right to access personal information held about them and to challenge its accuracy.

Quebec residents have additional rights under Law 25 (the Act to modernize legislative provisions as regards the protection of personal information), including a right to data portability.

Complaints may be directed to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or to the Commission d'accès à l'information du Québec.

(e) Brazil, Australia, and other regions.

If you are located in another jurisdiction with applicable privacy law, contact us — we will give effect to your rights under that law to the extent it applies to our processing.

(f) Response times.

We will respond to verifiable requests within 30 days (GDPR/UK GDPR), 45 days extendable by 45 days (CPRA), and the timelines specified by the DPDP Act and PIPEDA, whichever applies to you.

If we cannot fulfil a request, we will tell you why and what your further options are.

(g) No retaliation.

We will not discriminate against you for exercising any right described in this Policy.

We may use automated systems to: rank search results, recommend designers and products, detect fraud, screen sanctions, calculate shipping options, and personalize email content.

These systems use information described in Section 3.

We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing within the meaning of Article 22 GDPR.

Where our fraud-prevention system flags an account for review, a human reviews the flag before any restriction is imposed on a designer payout or before an account is closed.

You can ask us, using the details in Section 17, for a description of the logic involved in our material automated processing and to request human review of any decision you believe was automated.

The Services are not directed to children.

We do not knowingly collect personal information from a child under the age of 13 in the United States or under the age that constitutes a "child" under applicable law in your jurisdiction (16 in some EU member states under Article 8 GDPR; 13 in the UK under UK GDPR; 18 in India under the DPDP Act).

If we learn that we have collected personal information from a child without verifiable parental consent, we will delete it.

If you are a parent or guardian and you believe your child has provided personal information to us, contact us at the address in Section 17 and we will investigate.

For users in India, Loomerang India processes the personal data of children (any individual under 18) and persons with disabilities only with verifiable consent of a parent or lawful guardian, in accordance with Section 9 of the DPDP Act.

We protect personal information using a combination of technical and organizational measures: encryption in transit and at rest, network segmentation, access control on a least-privilege basis, multi-factor authentication for employees with access to systems containing personal information, vulnerability scanning, penetration testing, an incident-response plan, and an information-security program aligned with [ISO/IEC 27001 / SOC 2 / CIS — confirm certification status].

We take reasonable steps to verify that our service providers maintain comparable security measures.

No system is perfectly secure.

If you believe your account has been compromised, contact us immediately at support@loomerang.com.

If we become aware of a personal-data breach affecting your information, we will:

(a) notify the relevant supervisory authorities within the timelines required by applicable law (within 72 hours of becoming aware, where the breach is likely to result in a risk to the rights and freedoms of natural persons, under Article 33 GDPR; without undue delay under PIPEDA where the breach poses a "real risk of significant harm"; within the timeline specified under the DPDP Act and the rules thereunder; and as required under US state breach-notification laws);

(b) notify you directly when the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR) or when a US state law requires direct notice; and

(c) describe the nature of the breach, the categories and approximate number of individuals concerned, the likely consequences, and the measures we have taken or propose to take, to the extent that information is available.

We maintain an internal log of all personal-data breaches as required by Article 33(5) GDPR.

Loomerang and the designers who sell on the platform are independent businesses.

For most processing each is the sole controller of its own data.

For a small number of operations — fraud screening that runs across designer storefronts; consolidated reporting for tax authorities — Loomerang and its partner entity may act as joint controllers within the meaning of Article 26 GDPR.

The essence of the joint-controller arrangement between Loomerang US and Loomerang India is:

Consumer-facing point of contact.

Each user may exercise their rights against either entity.

Each entity will route the request to the entity that holds the data and respond on behalf of both.

Allocation of responsibilities.

Loomerang India is responsible for compliance with the DPDP Act and the IT Act for users in India.

Loomerang US is responsible for compliance with US, EU, UK, and Canadian privacy law for users in those regions.

Each entity is responsible for the security of the systems it operates.

Liability.

Each entity is liable for its own processing.

We have entered into an intra-group data-processing agreement that allocates responsibility consistent with Article 26 GDPR and the DPDP Act.

A copy of the essence of the arrangement is available on request from privacy@loomerang.com.

Loomerang US (controller for users outside India):

Brighter Technology, LLC

600 1st Ave, Ste 102 PMB 2207

Seattle, WA 98104, United States

privacy@loomerang.com

Loomerang India (Data Fiduciary for users in India):

Brighter Technology India Private Limited

47, ARDHENDU SEKHAR NASKAR SARANI, CHAUL PATTY ROAD,

Beleghata, Kolkata, Beleghata, West Bengal, India, 700010

Grievance Officer:

Arka Majumdar

grievance@loomerang.com

Data Protection Officer (joint):

dpo@loomerang.com

Security:

security@loomerang.com

For any Queries:

support@loomerang.com

The Services may link to third-party websites, apps, and services — including designer social-media profiles, embedded videos, and external storefronts — that we do not control.

This Policy does not apply to those third parties; their own privacy policies do.

We encourage you to read them before sharing personal information with them.

We may update this Policy from time to time.

The updated Policy will be posted on the Loomerang website with the "Last updated" date.

Where the change is material, we will give you at least 30 days' notice by email or in-product banner before it takes effect.

If a change requires a new lawful basis (for example, a new processing activity that requires consent), we will ask for that lawful basis separately.

Continued use of the Services after the effective date of the updated Policy constitutes acceptance of the updated Policy, except where the change requires consent, in which case the change will take effect with respect to you only on receipt of your consent.

This section sets out additional disclosures required by specific jurisdictions.

(a) California — "Your Privacy Choices".

California consumers may opt out of "sharing" of personal information using the "Your Privacy Choices" link in the footer of the Loomerang website, by submitting the Global Privacy Control signal, or by contacting us at privacy@loomerang.com.

We do not knowingly share the personal information of California consumers under the age of 16 without affirmative consent.

(b) California — Shine the Light.

California Civil Code § 1798.83 permits California residents to request information about the personal information disclosed to third parties for their direct-marketing purposes.

Loomerang does not disclose personal information for third-party direct-marketing purposes.

(c) Nevada.

Nevada residents may opt out of certain "sales" of covered information by emailing privacy@loomerang.com.

(d) European Economic Area / United Kingdom.

Section 1 names our EU representative.

Section 12(a) describes your rights, including the right to lodge a complaint with the supervisory authority.

(f) India.

Section 17 names our Grievance Officer.

Indian Data Principals may also escalate to the Data Protection Board of India under Section 28 of the DPDP Act.

(g) Canada.

Canadian users may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Quebec residents may complain to the Commission d'accès à l'information du Québec.