Privacy Policy

“Loft,” “we,” or “us” refers to the operator of the Loft platform, available at tryloft.co and related subdomains. If you have any questions about this policy or your data, email privacy@tryloft.co.

This policy applies to the Loft web application (the “Service”) and any data we collect from you in the course of providing it. It does not apply to third-party websites or services we link to.

Information you provide directly

• Account information: your name, email address, role (brand or creator), company or agency name, and password (only if you sign up with email — never stored in plain text).
• Profile information: profile photo, social media links, payment handles you choose to provide (e.g. PayPal, Venmo), and any other details you add to your profile.
• Content you upload: videos, photos, captions, campaign briefs, messages, and any other content you submit through the Service.
• Communications: messages you send through the in-app chat, emails to our support address, and feedback you give on submissions.

Information collected automatically

• Usage data: pages you visit, actions you take, and timestamps. We use this to operate the product, debug issues, and understand what features matter.
• Device and log data: IP address, browser type, OS, device identifiers, and standard server logs.
• Cookies and similar technologies: we use cookies to keep you signed in, remember which workspace you last viewed, and (where applicable) measure aggregate usage. You can clear or block cookies in your browser, but some features won't work.

Information from third parties

• Sign-in providers: when you sign in with Google, we receive your name, email address, and profile photo from Google. We do not access your Google contacts, calendar, or other data.
• Payment processors: if a brand or creator uses an integrated payment provider (e.g. Stripe), the processor handles the transaction. We receive only confirmation metadata — never your full card numbers or bank credentials.

• To operate, maintain, and improve the Service.
• To authenticate you, provision your workspace, and connect brands with creators they've invited.
• To send transactional emails (campaign invites, approval notifications, invoice emails) and product updates you've consented to.
• To respond to support requests and communicate with you about the Service.
• To detect, prevent, and address fraud, abuse, and security incidents.
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information to third parties, and we do not use your content to train machine learning models without explicit consent.

We share information only in the following circumstances:

• Between brands and creators: when a brand invites a creator to a campaign, the brand sees the creator's name, email, profile photo, and any work the creator submits to that campaign. Creators see the brand's name, logo, and campaign brief. We don't share data across campaigns or with brands you haven't accepted an invite from.
• Service providers: we use vendors to host infrastructure, deliver emails, process payments, and operate the Service. Current providers include Supabase (database and authentication), Vercel (hosting), Resend (transactional email), and Stripe (payments, where applicable). Each provider is contractually obligated to use your data only to provide their service to us.
• Legal requirements: we may disclose information when required by law, subpoena, or court order, or to protect the rights, property, or safety of Loft, our users, or the public.
• Business transfers: if Loft is involved in a merger, acquisition, or sale of assets, your information may be transferred. We'll notify you before your data becomes subject to a different privacy policy.

Loft is operated from the United States. Our database is hosted in AWS's us-west-2 region (Oregon). If you access the Service from outside the US, you understand and consent to your information being transferred to and processed in the US.

Depending on where you live, you may have the following rights with respect to your personal information:

• Access: request a copy of the personal information we have about you.
• Correction: ask us to fix inaccurate or incomplete information. You can edit most of this yourself in your account settings.
• Deletion: ask us to delete your account and the personal information associated with it. Some data may be retained for legal, billing, or security reasons (see retention below).
• Portability: request a copy of your data in a machine-readable format.
• Opt-out of marketing: you can unsubscribe from non-transactional emails at any time using the link in every email. Transactional emails (campaign invites, payment notifications) cannot be turned off while you're using the Service.

To exercise any of these rights, email privacy@tryloft.co from the address associated with your account. We'll respond within 30 days.

California residents: the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you the additional right to opt out of any “sale” or “sharing” of your personal information. We do not sell personal information, but you can still submit a request to confirm this at the address above.

EU/UK residents: Loft is not currently established in the EU or UK and does not target users there. If you reach us from the EU/UK and we collect your data, we rely on legitimate interests and your consent as the legal bases for processing under GDPR. You have the right to object, withdraw consent, and lodge a complaint with your local data protection authority.

We retain your information for as long as your account is active and for a reasonable period after deletion to comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention windows:

• Account and profile data: until you delete your account.
• Submitted content (videos, briefs, messages): until you or the other party to the campaign deletes it, or until the campaign is archived.
• Financial records (invoices, payout confirmations): 7 years, as required for tax and accounting purposes.
• Server logs: up to 90 days, then anonymized or deleted.

We protect your information with industry-standard measures: HTTPS for all traffic, encrypted storage at rest, hashed passwords, and role-based access controls inside our infrastructure. No system is perfectly secure, so we can't guarantee absolute security — but we work hard to reduce risk. If we ever experience a breach affecting your data, we'll notify you and the appropriate authorities as required by law.

The Service is not intended for users under the age of 16. We don't knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, email privacy@tryloft.co and we'll delete it.

We may update this policy from time to time. When we make material changes, we'll notify you by email or with an in-app banner before the new version takes effect. Continued use of the Service after the effective date means you accept the updated policy.

Questions, requests, or concerns? Email us at privacy@tryloft.co. We read every message and aim to respond within a few business days.