Privacy Policy

Who We Are
Scope of This Policy
Personal Data We Collect
Mobile Application: Permissions and Device Data
How We Use Your Data
Legal Basis for Processing (GDPR)
Sharing and Disclosure
International Data Transfers
Security
Data Retention
Cookies, Tokens and Session Data
Your Rights
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

Loom is a project and resource management platform developed and operated by Konnecta Systems ("we", "us", or "our"). Each client organisation is assigned a dedicated subdomain.

Konnecta Systems acts as the data controller for personal data processed through the Loom platform, and as a data processor on behalf of the organisations ("Clients") that subscribe to and configure Loom for their employees and contractors.

For any privacy-related enquiries, please contact us at hello@loom-eu.com.

2. Scope of This Policy

This Privacy Policy applies to all personal data collected, stored, or processed through:

The Loom web application (accessible via tenant-specific subdomains)
The Loom mobile application for iOS and Android, currently used for capturing and submitting business expense reports
Email notifications sent from notifications@loom-eu.com
Any supporting infrastructure used to deliver the Loom service

References to "Loom", the "Service", or the "platform" in this policy include both the web and mobile applications unless otherwise specified.

It does not apply to third-party websites or services that may be linked from within Loom, nor to the underlying operating systems (iOS, Android) on which the mobile application runs.

3. Personal Data We Collect

What Loom collects depends entirely on which product your organisation uses:

Loom Reporting users (consortium coordinators and their invited partners): Loom collects only your account credentials, basic profile information, and the aggregated cost and project data you or your partners submit for reporting purposes. No salary records, identity documents, or HR data are processed for these users.
Loom Platform users (employees and contractors of organisations that use Loom for internal HR and project management): the full range of categories below applies, as configured by your organisation's administrator.

If you are only using Loom Reporting, only the Account & Authentication Data and Usage & Audit Data sections below are directly relevant to you.

Reporting-only users: you can skip to Section 5 (How We Use Your Data) — the HR, financial, and identity categories below do not apply to your use of Loom.

Identity & Contact Information

First name, middle name, last name, preferred call name
Gender
Date of birth encrypted
Work and personal email addresses
Work and personal phone / mobile numbers encrypted
Residential and work address encrypted
Nationality
Profile photo
Biography / bio

Government & Identity Documents

Collected only where required by law or your organisation's HR policies:

Passport number encrypted
National ID number encrypted
Social Security / Tax number encrypted
VAT number encrypted

Professional & Employment Information

Employment contracts and type
Team memberships and roles
Project assignments and participation history
Competencies and qualifications
Years of work experience
ORCID ID and research career stage (if applicable)
CV / résumé file encrypted

Time & Leave Data

Timesheet entries, submissions, and approvals
Leave requests, balances, and approvals
Absence records

Financial Information

Bank account details (IBAN, SWIFT/BIC, account name) encrypted
Salary payment records
Invoices and cost statements
Expense reports and receipts
Trip / travel records and reimbursements

Account & Authentication Data

Username and hashed password (for local accounts)
Microsoft Azure AD / Entra ID user identifiers (for SSO accounts)
Two-factor authentication status
Login history and last-seen timestamps
Session tokens (web) and OAuth refresh / access tokens (mobile)
Biometric authentication preference (Face ID / Touch ID / Android Biometrics) — biometric data itself never leaves your device and is managed by the operating system

Usage & Audit Data

IP address and approximate location at login
Browser type and operating system (web)
Mobile device model, OS version, app version, locale, and a non-advertising device identifier (mobile)
Actions performed within the application (audit trail)
Timestamps for all significant events
Crash logs and diagnostic data (via Sentry)

Files & Attachments

Meeting attachments
Support request attachments
Invoice and contract documents
Expense receipt scans

      Sensitive data note: Fields marked encrypted above are stored with application-level encryption in addition to standard database security controls. Access to sensitive employee data is further restricted by role-based permissions within Loom.
    

4. Mobile Application: Permissions and Device Data

The Loom mobile application (iOS and Android) is currently scoped to business expense reporting, including capturing receipts, recording expenses, and submitting them for approval. It accesses your Loom account through the same authenticated APIs as the web application, and only synchronises the data needed to deliver these features on your device.

Device Permissions We Request

The mobile app requests the following permissions. Each can be denied or revoked at any time through your device's system settings; some features will be unavailable if a required permission is denied.

Camera: Used to photograph and scan paper receipts when creating an expense entry. Images are uploaded to your Loom tenant only when you confirm the action.
Photo Library / Media (read & save): Used to attach existing receipt or supporting images to an expense, and optionally to save processed receipt images back to your device.
Microphone: Required by the underlying camera component on some devices in order to operate the camera. The Loom app does not record audio and does not transmit any audio data.
Location (when in use): Optional. Where you enable it, the app may capture your approximate location at the time of an expense or mileage entry to help calculate travel distances and pre-fill trip information. Loom does not track your location in the background.
Biometric authentication (Face ID / Touch ID / Android Biometrics): Optional. Used solely to unlock the app and authorise access to credentials stored in the secure device Keychain / Keystore. Biometric templates are stored and verified by the operating system and never transmitted to Loom or Konnecta Systems.
Network access: Required to communicate with your tenant's Loom API over HTTPS.

Data Processed on the Device

Receipt and document images you capture or select, before upload
Expense entries you create locally before submission
Authentication tokens (OAuth access and refresh tokens) stored in the secure Keychain / Keystore
User preferences (language, last-used tenant, biometric opt-in)
Cached reference data (e.g., expense categories) for offline use

Data Sent from the Mobile App to Loom

Expense reports, line items, descriptions, amounts, dates, currencies, and categories
Receipt and supporting document images attached to expense reports
Optional GPS coordinates and addresses for trip / mileage entries (only when you enable location)
Authentication exchanges with Microsoft Entra ID and the Loom API
Crash and diagnostic events (via Sentry — see Section 6)

      What the mobile app does not do: it does not access your contacts, calendar, SMS, call logs, or health data; it does not record audio; it does not track your location in the background; it does not contain advertising SDKs; and it does not share data with advertisers or data brokers.
    

Push Notifications

If push notifications are enabled in a future release, you will be asked to opt in at the system level. Until then, the Loom mobile app does not send push notifications. Transactional notifications continue to be delivered by email.

Children

The Loom mobile app is published as a business / productivity application and is not directed at children. See Section 13.

5. How We Use Your Data

We use personal data collected through Loom for the following purposes:

Service delivery: Providing project management, timesheet, leave, and HR features to your organisation.
Authentication & access control: Verifying your identity, managing role-based permissions, and maintaining secure sessions.
Notifications: Sending email notifications about approvals, reminders, password resets, and system events.
Financial processing: Generating invoices, recording payroll data, and processing expense reports on behalf of your employer.
Compliance & audit: Maintaining an audit trail of data changes and user actions as required by your organisation or applicable law.
Security monitoring: Detecting and preventing unauthorised access, fraud, and misuse of the platform.
Platform improvement: Using anonymised usage data and error logs to diagnose bugs and improve performance.
Legal obligations: Retaining records as required under applicable law (e.g., employment law, tax law).

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without human oversight.

6. Legal Basis for Processing (GDPR)

Where the GDPR applies (for users in the European Economic Area and the United Kingdom), we rely on the following legal bases:

Contract performance (Art. 6(1)(b)): Processing necessary to deliver the Loom service under the agreement between Konnecta Systems and your organisation, and to fulfil employment-related obligations.
Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law (e.g., payroll records, audit obligations).
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and error tracking — provided these do not override your fundamental rights.
Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional data fields), you may withdraw consent at any time without affecting prior processing.
Special categories (Art. 9(2)(b)/(h)): Processing of sensitive data (e.g., health-related leave) carried out on the basis of employment law or for occupational health purposes, as directed by your organisation.

8. International Data Transfers

Loom is operated primarily within the European Economic Area. Where personal data is transferred outside the EEA (for example, to Microsoft Azure services or Sentry), we ensure that appropriate safeguards are in place, such as:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions issued by the European Commission
Other transfer mechanisms permitted under applicable data protection law

9. Security

We take the security of your personal data seriously and implement the following technical and organisational measures:

TLS / HTTPS encryption for all data in transit (HSTS enforced; HTTPS is also enforced for all mobile API traffic via App Transport Security and Android Network Security Config)
Application-level encryption for sensitive database fields
Password hashing using industry-standard algorithms; passwords are never stored in plain text
Role-based and permission-based access control
Two-factor authentication (2FA) support
Account lockout after repeated failed login attempts
Full audit trail of data access and modifications
Restricted access to sensitive fields (e.g., SSN, IBAN) via Gatekeeper permissions
Regular security reviews and monitoring via Sentry
Mobile-specific: authentication tokens stored in the iOS Keychain or Android Keystore; optional biometric unlock; OAuth 2.0 / PKCE authorisation flow via the system browser; no persistent storage of plain-text passwords on the device

No system is 100% secure. If you believe your data has been compromised, please contact us immediately at security@loom-eu.com.

10. Data Retention

We retain personal data for as long as:

Your account or your organisation's subscription is active
Required to comply with legal obligations (e.g., employment records, tax records)
Necessary to resolve disputes, enforce agreements, or protect legitimate interests

When data is no longer required, we take reasonable steps to delete or anonymise it securely. Specific retention schedules may be defined by your organisation in accordance with their own retention policies. Please contact your organisation's administrator for details applicable to your account.

11. Cookies, Tokens and Session Data

Loom uses cookies and similar technologies on the web, and equivalent secure-storage mechanisms on mobile, to maintain your authenticated session and ensure the secure operation of the platform.

Session Cookie (web)

A session cookie is set upon login to identify your authenticated session. This cookie expires after 24 hours of inactivity (or when you log out). It does not track you across third-party websites.

JWT Tokens

Loom uses JSON Web Tokens (JWTs) with a 2-hour validity period for API access, and refresh tokens valid for up to 30 days to maintain seamless sessions.

Mobile Token Storage

On mobile devices, access and refresh tokens are stored in the iOS Keychain or Android Keystore — secure, OS-managed credential stores. Non-sensitive preferences (e.g., language, last tenant) are stored in the app's local storage. The mobile app does not use HTTP cookies for authentication and does not embed third-party tracking SDKs.

Static Content Caching

Browser caching is used for static assets (images, scripts, styles) to improve performance. These caches do not contain personal data.

      Loom does not use advertising, tracking, or analytics cookies from third parties. If you disable cookies in your browser, you will not be able to log in to the web platform.
    

12. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention requirements.
Right to restriction: Request that we restrict processing of your data in certain circumstances.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority (e.g., the Hellenic Data Protection Authority — HDPA — in Greece).

To exercise any of these rights, please contact your organisation's Loom administrator or reach us directly at hello@loom-eu.com. We will respond within 30 days.

Note that some requests may be subject to verification of your identity and may be limited where processing is required by law or by your employment relationship.

13. Children's Privacy

Loom is an enterprise application intended for use by adults in a professional employment context. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor's data has been entered into the platform, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to the platform, our data practices, or applicable law. When we make material changes, we will notify you via the email address associated with your account or by posting a notice within the Loom platform. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of Loom after the effective date of an updated policy constitutes acceptance of the revised terms.

15. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us:

Email: hello@loom-eu.com
Website: www.konnecta.io
Company: Konnecta Systems

If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

Contents