1. Who We Are
Loom is a project and resource management platform developed and operated by Konnecta Systems ("we", "us", or "our"). Each client organisation is assigned a dedicated subdomain.
Konnecta Systems acts as the data controller for personal data processed through the Loom platform, and as a data processor on behalf of the organisations ("Clients") that subscribe to and configure Loom for their employees and contractors.
For any privacy-related enquiries, please contact us at hello@loom-eu.com.
2. Scope of This Policy
This Privacy Policy applies to all personal data collected, stored, or processed through:
- The Loom web application (accessible via tenant-specific subdomains)
- Email notifications sent from notifications@loom-eu.com
- Any supporting infrastructure used to deliver the Loom service
It does not apply to third-party websites or services that may be linked from within Loom.
3. Personal Data We Collect
What Loom collects depends entirely on which product your organisation uses:
- Loom Reporting users (consortium coordinators and their invited partners): Loom collects only your account credentials, basic profile information, and the aggregated cost and project data you or your partners submit for reporting purposes. No salary records, identity documents, or HR data are processed for these users.
- Loom Platform users (employees and contractors of organisations that use Loom for internal HR and project management): the full range of categories below applies, as configured by your organisation's administrator.
If you are only using Loom Reporting, only the Account & Authentication Data and Usage & Audit Data sections below are directly relevant to you.
Reporting-only users: you can skip to Section 4 — the HR, financial, and identity categories below do not apply to your use of Loom.
Identity & Contact Information
- First name, middle name, last name, preferred call name
- Gender
- Date of birth (encrypted)
- Work and personal email addresses
- Work and personal phone / mobile numbers (encrypted)
- Residential and work address (encrypted)
- Nationality
- Profile photo
- Biography / bio
Government & Identity Documents
Collected only where required by law or your organisation's HR policies:
- Passport number (encrypted)
- National ID number (encrypted)
- Social Security / Tax number (encrypted)
- VAT number (encrypted)
Professional & Employment Information
- Employment contracts and type
- Team memberships and roles
- Project assignments and participation history
- Competencies and qualifications
- Years of work experience
- ORCID ID and research career stage (if applicable)
- CV / résumé file (encrypted)
Time & Leave Data
- Timesheet entries, submissions, and approvals
- Leave requests, balances, and approvals
- Absence records
Financial Information
- Bank account details (IBAN, SWIFT/BIC, account name) (encrypted)
- Salary payment records
- Invoices and cost statements
- Expense reports and receipts
- Trip / travel records and reimbursements
Account & Authentication Data
- Username and hashed password (for local accounts)
- Microsoft Azure AD / Entra ID user identifiers (for SSO accounts)
- Two-factor authentication status
- Login history and last-seen timestamps
- Session tokens
Usage & Audit Data
- IP address and approximate location at login
- Browser type and operating system
- Actions performed within the application (audit trail)
- Timestamps for all significant events
Files & Attachments
- Meeting attachments
- Support request attachments
- Invoice and contract documents
- Expense receipt scans
Sensitive data note: Fields marked encrypted above are stored with application-level encryption in addition to standard database security controls. Access to sensitive employee data is further restricted by role-based permissions within Loom.
4. How We Use Your Data
We use personal data collected through Loom for the following purposes:
- Service delivery: Providing project management, timesheet, leave, and HR features to your organisation.
- Authentication & access control: Verifying your identity, managing role-based permissions, and maintaining secure sessions.
- Notifications: Sending email notifications about approvals, reminders, password resets, and system events.
- Financial processing: Generating invoices, recording payroll data, and processing expense reports on behalf of your employer.
- Compliance & audit: Maintaining an audit trail of data changes and user actions as required by your organisation or applicable law.
- Security monitoring: Detecting and preventing unauthorised access, fraud, and misuse of the platform.
- Platform improvement: Using anonymised usage data and error logs to diagnose bugs and improve performance.
- Legal obligations: Retaining records as required under applicable law (e.g., employment law, tax law).
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects without human oversight.
5. Legal Basis for Processing (GDPR)
Where the GDPR applies (for users in the European Economic Area and the United Kingdom), we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the Loom service under the agreement between Konnecta Systems and your organisation, and to fulfil employment-related obligations.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law (e.g., payroll records, audit obligations).
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and error tracking — provided these do not override your fundamental rights.
- Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional data fields), you may withdraw consent at any time without affecting prior processing.
- Special categories (Art. 9(2)(b)/(h)): Processing of sensitive data (e.g., health-related leave) carried out on the basis of employment law or for occupational health purposes, as directed by your organisation.
6. Sharing and Disclosure
We do not sell your personal data. We may share data with the following categories of recipients:
Your Organisation (the Client)
Data entered into Loom is accessible to authorised personnel within your organisation (managers, HR, finance) according to the roles and permissions configured by your organisation's Loom administrator.
Third-Party Service Providers
We engage sub-processors to help deliver the service:
- Email delivery: Postmark for all transactional email notifications, including password resets, approval alerts, and system messages.
- Authentication: Microsoft Azure Active Directory / Entra ID for Single Sign-On.
- Error monitoring: Sentry, for crash reporting and application diagnostics.
- Infrastructure: Hosting and infrastructure providers operating the servers on which Loom runs.
Legal Requirements
We may disclose personal data if required by law, court order, or lawful request by a public authority, and only to the extent necessary.
Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.
7. International Data Transfers
Loom is operated primarily within the European Economic Area. Where personal data is transferred outside the EEA (for example, to Microsoft Azure services or Sentry), we ensure that appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions issued by the European Commission
- Other transfer mechanisms permitted under applicable data protection law
8. Security
We take the security of your personal data seriously and implement the following technical and organisational measures:
- TLS / HTTPS encryption for all data in transit (HSTS enforced)
- Application-level encryption for sensitive database fields
- Password hashing using industry-standard algorithms; passwords are never stored in plain text
- Role-based and permission-based access control
- Two-factor authentication (2FA) support
- Account lockout after repeated failed login attempts
- Full audit trail of data access and modifications
- Restricted access to sensitive fields (e.g., SSN, IBAN) via Gatekeeper permissions
- Regular security reviews and monitoring via Sentry
No system is 100% secure. If you believe your data has been compromised, please contact us immediately at security@loom-eu.com.
9. Data Retention
We retain personal data for as long as:
- Your account or your organisation's subscription is active
- Required to comply with legal obligations (e.g., employment records, tax records)
- Necessary to resolve disputes, enforce agreements, or protect legitimate interests
When data is no longer required, we take reasonable steps to delete or anonymise it securely. Specific retention schedules may be defined by your organisation in accordance with their own retention policies. Please contact your organisation's administrator for details applicable to your account.
10. Cookies and Session Data
Loom uses cookies and similar technologies to maintain your authenticated session and ensure the secure operation of the platform.
Session Cookie
A session cookie is set upon login to identify your authenticated session. This cookie expires after 24 hours of inactivity (or when you log out). It does not track you across third-party websites.
JWT Tokens
Loom uses JSON Web Tokens (JWTs) with a 2-hour validity period for API access, and refresh tokens valid for up to 30 days to maintain seamless sessions.
Static Content Caching
Browser caching is used for static assets (images, scripts, styles) to improve performance. These caches do not contain personal data.
Loom does not use advertising, tracking, or analytics cookies from third parties. If you disable cookies in your browser, you will not be able to log in to the platform.
11. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention requirements.
- Right to restriction: Request that we restrict processing of your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority (e.g., the Hellenic Data Protection Authority — HDPA — in Greece).
To exercise any of these rights, please contact your organisation's Loom administrator or reach us directly at hello@loom-eu.com. We will respond within 30 days.
Note that some requests may be subject to verification of your identity and may be limited where processing is required by law or by your employment relationship.
12. Children's Privacy
Loom is an enterprise application intended for use by adults in a professional employment context. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor's data has been entered into the platform, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to the platform, our data practices, or applicable law. When we make material changes, we will notify you via the email address associated with your account or by posting a notice within the Loom platform. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of Loom after the effective date of an updated policy constitutes acceptance of the revised terms.