This page describes which companies, services and other parties store, process or exchange data in order to provide you with either loomio.org or a private Loomio service managed by Loomio Cooperative.
We describe what data is exchanged, when and why. We also link to relevant policy documents including GDPR compliance statements and privacy policies.
Personally Identifying data and user content
Parties listed here store, process or receive personally identifying data and user generated content on behalf of Loomio.
Search engines and members of the public
If your group makes content "public", the names & profile photos of participants in the content along with the content itself, will be indexed by search engines and available to the general public.
Members of your group
The members of your group receive your name, profile picture and any user content shared with the group. If your group is on a paid subscription, the coordinator of the group has access to the email addresses of the group members.
It's worth noting that the security of information entered into your Loomio group is dependent upon the security of the email services, personal computers and security practices of your group's members.
Intercom is our customer support system, which we use to keep in touch with you and track support requests. They receive names and email addresses, location information, and group names and usage metadata.
If you don't want these details going to Intercom, you can install privacy badger or something similar in your browser.
If a group coordinator decides to use the Slack integration, we send user content and names of group members to Slack.
We use Chargify to manage subscriptions and process credit card transactions. If you sign up for a paid loomio.org subscription, Chargify receives your name and email address and your group's name and id. You will then be asked to provide your credit card details and billing address directly to Chargify. Loomio does not hold your credit card details .
Heroku provide servers and services (known as an Application platform) to run loomio.org. Heroku is owned and operated by Salesforce. They are trusted with securely hosting our application database and running our core systems.
Salesforce has certified certain of its services under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework
Salesforce GDPR page
Heroku Security Privacy and Compliance page
We use Cloudflare for
- DNS hosting
- DDOS protection
- Request caching for www.loomio.org.
This helps to protect the system from malicious attacks and provides performance improvements.
Privacy & Security Policy
Amazon Web Services
We use AWS for
- private managed host Loomio servers
- file storage on loomio.org with S3
- outbound email via SES
"All AWS Services GDPR ready" - Amazon.
We use DigitalOcean for
- Inbound email for loomio.org
- Metrics, analytics and reporting
- Error/Exception reporting
- Testing and staging servers
When users request translations of content written by users who speak other languages via the translate button, we send that content to Google Translate for machine translation. Translated data is not used for any other purpose than providing the translation, and it is not retained for longer than necessary to do so.
Google Translate FAQ - Data Confidentiality
Google reCAPTCHA is a service which can detect malicious use of Loomio and keeps our users and systems protected from some kinds of automated online abuse.
We use reCAPTCHA on our signup form when you signup without a third party sign in. Your IP address and metadata from your browser are shared with Google.
Potentially personally identify data
Services listed here receive your IP address, browser information and associated metadata. In some cases you will have already provided personally identifying information to these companies, which we receive from them, however we do not transmit your personally identifying data to them.
Facebook, Google and Slack sign in
YouTube (owned by Google)
We use the "No Cookie" Youtube service to host help and marketing videos. This means that only your IP address is known to Google when you use this service.