Last updated: July 28, 2025

Loop Biotech B.V., located at Vulcanusweg 279, 2624 AV Delft, the Netherlands, is responsible for the collection and processing of personal data through its websites, communication tools, physical factory visits, events, and all other business activities. We handle personal data in strict accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), where applicable. All communication regarding this policy must be submitted in writing to info@loop-biotech.com.

When you interact with our services, such as visiting our website, placing an order, subscribing to our communications, attending a tour, or speaking with our team at a trade event, we may collect personal data. This includes your name, company name, email address, phone number, billing and delivery address, payment details, and technical data such as your IP address, browser type, device information, and navigation patterns. We do not collect sensitive personal information such as data relating to health, religion, or ethnicity, and any such data received unintentionally will be deleted immediately.

In addition, when you visit our production facility or participate in company-organized events or guided tours, you may be photographed or filmed. These images or recordings may be used by Loop Biotech for internal documentation, training purposes, and external communications including marketing materials, social media, websites, printed brochures, press materials, or presentations. Individuals will not be named, tagged, or otherwise identified without prior written consent. If you do not wish to appear in any such material, it is your responsibility to inform us in writing before or during your visit. Requests for removal of identifiable images can be submitted at any time to info@loop-biotech.com.

We process your personal data for several purposes: to fulfil your orders, process payments, provide customer support, improve our services, communicate with you about your purchase, and send relevant marketing materials if you have opted in. Data is also used for analytical purposes and to secure and optimise our platform. We never use your personal data for profiling or automated decision-making that has legal consequences. The legal bases for processing data are the performance of a contract, compliance with legal obligations, legitimate interest, or your explicit consent, depending on the activity involved. If we rely on consent, you have the right to withdraw it at any time, without affecting the lawfulness of earlier processing.

We may also use personal data for direct marketing, both digitally and in person. For example, if you sign up for our newsletter, we may track engagement metrics such as open rates and click behaviour to analyse and improve communication performance. If you visit our website and consent to cookies, we may use remarketing tools from platforms like Meta, Google, or LinkedIn to show you relevant ads. In certain cases, and only with explicit consent, we may use hashed contact data to create anonymised custom audiences on advertising platforms. Personal data obtained at trade fairs, via physical forms, QR codes, or brochures may be used for follow-up communication if appropriate consent has been obtained. At no point do we sell, trade, or rent your data to third parties.

We retain your personal data only for as long as necessary. Transactional data related to orders and payments is stored for up to seven years in line with Dutch tax requirements. Inactive user accounts are removed after 24 months of non-use. Web analytics data is stored in anonymised form for no longer than twelve months. Once the applicable retention period expires, data is deleted or anonymised in a secure and irreversible manner.

Your data may be shared with verified external processors who support our operations, such as payment providers, logistics partners, IT hosting services, analytics tools, and CRM platforms. These parties are contractually bound to process your data only under our instructions and in full compliance with applicable privacy regulations. All third parties must sign a Data Processing Agreement (DPA) and demonstrate appropriate technical and organisational security measures. Where we transfer data outside the European Economic Area, including to countries such as the United States or Canada, we do so only when legal safeguards are in place, including Standard Contractual Clauses (SCCs), participation in the EU–U.S. Data Privacy Framework, or equivalent mechanisms under applicable law.

Cookies and similar tracking technologies are used on our website for functionality, performance optimisation, and — if you consent — targeted marketing. A compliant cookie banner is presented on first visit, allowing you to accept, reject, or customise preferences. The platform uses a certified Consent Management Tool in line with European and German legislation, including §25 TTDSG. You may change or withdraw your cookie preferences at any time via the settings in the website footer. Please refer to our separate Cookie Policy for full details.

We apply a comprehensive range of technical and organisational measures to protect your data. These include secure European servers, encryption of all data in transit, hashed passwords, two-factor authentication for internal access, role-based access control, and regular system audits. While no online platform is ever entirely immune from risk, we take all appropriate steps to mitigate and respond to potential threats.

In the unlikely event of a data breach involving personal data, we follow strict internal protocols and, where necessary, notify the competent supervisory authority within 72 hours. If legally required, affected individuals will also be informed without undue delay. All incidents are documented in accordance with legal requirements.

You have the right to access your data, request correction or deletion, restrict processing, object to direct marketing, request data portability, or withdraw previously given consent. All such requests must be submitted in writing to info@loop-biotech.com. We reserve the right to reject requests that are manifestly unfounded, excessive, or repetitive. We may require identity verification before acting on any request and will respond within the period required by law.

Loop Biotech does not knowingly collect or process data from individuals under the age of 16. If we become aware that data from minors has been submitted, it will be deleted without delay. Use of our website and services implies confirmation that the user is 16 years of age or older.

We reserve the right to amend this Privacy Policy at any time to reflect changes in the law, technology, or our business operations. The most recent version will always be published on our website. Continued use of our services constitutes acceptance of the current policy.

This Privacy Policy is governed exclusively by Dutch law. Any disputes arising from its interpretation or execution shall be submitted to the competent court in The Hague, the Netherlands.

If you have any questions, concerns, or complaints about how we process personal data, you may contact us at info@loop-biotech.com.