Skip to main content
Legal

Privacy Policy

Last updated: June 2026

Quick note from us

This document explains what data we collect, why we collect it, and what you can do about it. Each section opens with a plain-language summary so kids and parents can both follow along. The full text underneath is the legally binding version.

If anything is unclear, write to us at support@loopyty.com. Our Terms explain the rules of using Loopyty. This document is only about data.

1. Who's in charge of your data

Loopyty AS is the "data controller" — that's the legal word for "the company responsible for what happens to your data."

Loopyty AS
Norwegian organisation number: 933 519 708
Email for privacy questions: support@loopyty.com

We follow the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (Personopplysningsloven).

2. What we collect, why, and on what legal basis

We only collect what we need. Here's the full list — what, why, and the legal reason we're allowed to.
What we collect
Why
Legal basis (GDPR)
Account info: name, username, email, phone, birthday, address
To create your account, verify you're a real person, and let us contact you
Contract (Art. 6(1)(b))
Optional family info: kids' first names, ages, interests
To personalise the experience and help the home base manage things together
Consent (Art. 6(1)(a)) — you can skip this and remove it any time
Listings, photos, and reviews you post
To show your stuff on the platform so others can buy it
Contract (Art. 6(1)(b))
Payment & payout info (handled by Stripe — we only see the basics)
To take payments, send payouts, and prevent fraud
Contract + Legal obligation (Art. 6(1)(b) and (c))
Identity verification (KYC) info for sellers
Required by anti-money-laundering law before Stripe can pay you out
Legal obligation (Art. 6(1)(c))
Sales records (who sold what to whom, when, for how much)
Bookkeeping, tax reporting, and dispute handling
Legal obligation (Art. 6(1)(c)) — Norwegian Bookkeeping Act § 13, EU DAC7
How you use Loopyty: pages visited, clicks, device type, approximate location
To make Loopyty work, improve it, and keep it safe
Legitimate interest (Art. 6(1)(f)) for basic functionality and security; consent for analytics & marketing cookies (Art. 6(1)(a))
Messages to support, reports you submit
To help you and to investigate issues
Contract + Legitimate interest
Marketing emails
To tell you about new features and tips
Consent — you can unsubscribe any time using the link in every email

If we ever want to use your data for something not on this list, we'll ask you first.

3. Who we share data with

We don't sell your data. We share it only with companies that help us run Loopyty, and only for that purpose.

We share data with:

  • Stripe — handles payments and payouts. Stripe is the controller of payment data it collects directly.
  • Google Cloud Platform — hosts the platform and stores data securely.
  • Shipping partners — currently Helthjem. When you sell, we share the seller's pickup address; when you buy, we share the buyer's name and delivery address. The shipping partner uses this only to collect and deliver the parcel and acts as a separate controller from that point.
  • Email and customer-support tools — to send transactional emails and answer your questions.
  • Google Analytics (Google) — measures how the site is used, only if you've accepted analytics cookies.
  • PostHog (EU-hosted) — product analytics and session replay to understand and improve the experience; data is stored in the EU and we only set these if you've accepted analytics cookies.

These partners are data processors. They follow our instructions and have signed data processing agreements with us as required by GDPR Article 28.

We may also share data with:

  • Tax authorities, where required by law (for example, under DAC7 if your sales pass certain thresholds — we'll tell you what we report).
  • Police or public authorities, where we're legally obliged to.
  • A buyer in a transaction — they need the relevant address and shipping info to complete the sale.
  • A future buyer of Loopyty AS, if the company is sold or merged — your data would transfer with it under the same protections.

We do not sell your data to advertisers.

4. Where your data goes (international transfers)

Some of our partners are based outside Europe. When data leaves the EU/EEA, we make sure it's still protected.

Stripe and Google may process some data in the United States or other countries outside the EU/EEA. When that happens, we rely on one of the legal mechanisms GDPR allows:

  • the EU–US Data Privacy Framework (where the partner is certified), or
  • EU Standard Contractual Clauses (SCCs) plus extra safeguards where needed.

You can ask us for a copy of the safeguards by emailing support@loopyty.com.

5. How long do we keep data

Only as long as we need to. Some things we have to keep for tax law; the rest we delete when you do.
Type of data
How long
Account info
While your account is open, then deleted within 90 days of closure (unless we need to keep something for the reasons below)
Sales and payment records
5 years after the transaction (Norwegian Bookkeeping Act § 13)
KYC/identity verification
5 years after the business relationship ends (anti-money-laundering law)
Messages and support tickets
Up to 3 years, then deleted
Marketing data (if you've consented)
Until you unsubscribe or close your account
Cookies
See section 9
Data needed for an ongoing dispute or legal claim
Until the matter is resolved

When data is no longer needed, we delete it or anonymise it (so it can't be linked back to you).

6. Your rights

You're in charge of your data. Here's everything you can ask us to do.

Under GDPR, you have the right to:

  • Access — get a copy of the data we hold about you.
  • Rectification — correct anything that's wrong or out of date.
  • Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention rules.
  • Restriction — ask us to pause processing while we sort something out.
  • Portability — get your data in a common machine-readable format, or have it sent to another service.
  • Object — tell us to stop processing data we use under "legitimate interest," including for marketing.
  • Withdraw consent — at any time, where we rely on consent (this won't undo what we did before withdrawal).
  • Not be subject to automated decisions that have a legal or similarly significant effect on you. We don't currently make decisions like that, but we'll tell you if that ever changes.

To use any of these rights, email support@loopyty.com. We'll respond within 30 days (sometimes sooner). We may ask you to confirm your identity first, so no one else can pretend to be you.

If you think we're handling your data wrongly, you can complain to Datatilsynet (the Norwegian Data Protection Authority) at datatilsynet.no, or to the data protection authority where you live.

7. Kids on Loopyty

Loopyty is a child-friendly platform — but the account belongs to a parent or guardian. We treat children's data with extra care.

Accounts are for grown-ups. You must be 18 or older to open and run a Loopyty account. If kids in your family want to join in — choosing toys, picking photos, writing reviews — that's the whole point of Loopyty. They should always check with home base first, and home base is responsible for what gets posted.

Children's data we may process:

  • First names, ages, and interests of your kids — only if you choose to add them. This is fully optional. You can leave it blank, fill it in later, or remove it at any time.
  • Photos in listings — please don't upload photos that show identifiable children's faces. A child's hand holding a toy is fine; a clear face shot is not.

Why we ask for kids' info (if you give it). To show toys that are likely to be a good fit (right age, right interests). That's it. We don't share children's information with advertisers, and we don't build profiles on kids.

Article 8 GDPR. Norway sets the age at which a child can consent to digital services at 13. Because all Loopyty accounts are held by an adult home base, this isn't usually relevant — but if we ever discover that an account is being used by someone under 18 without a home base, we'll suspend it and contact the parent or guardian.

Removing children's data. Email support@loopyty.com any time, and we'll delete any information about your kids straight away.

8. How we keep data safe

We use industry-standard security measures. Stripe and Google handle the most sensitive parts.

On our side:

  • Encrypted connections (HTTPS) for everything you do on Loopyty.
  • Access controls — only team members who need to see the data can view it.
  • Regular review of who has access to what.
  • Backups and recovery plans.

Payments — Stripe. Card numbers and bank details are stored by Stripe, not by us. Stripe is certified to PCI Service Provider Level 1, the highest standard in the payments industry. Card numbers are encrypted with AES-256, and Loopyty never sees your full card number.

Hosting — Google Cloud Platform. GCP is one of the most secure cloud platforms available.

If something goes wrong. If there's a data breach likely to put you at risk, we'll notify Datatilsynet within 72 hours and notify you directly without undue delay, as the GDPR requires.

9. Cookies and similar technologies

Some cookies are necessary for Loopyty to work. Others are optional and only run if you say yes.

Necessary cookies keep you logged in, remember your settings, and keep the platform secure. We use these without asking — we have to, for the platform to work.

Optional cookies help us understand how Loopyty is used so we can improve it. We use Google Analytics and PostHog for this, and we only set these cookies if you've accepted them in our cookie banner. You can change your mind at any time using the "Cookie settings" link in the footer, or by clearing your browser cookies.

Session replay. With your consent, PostHog also records on-screen interactions (clicks, scrolling, navigation) so we can spot problems and improve the experience. Sensitive content — names, addresses, email and payment details — is masked and never recorded, and this data is stored in the EU.

Retention. Most cookies expire within 24 months. Session cookies disappear when you close the browser.

We follow the EU ePrivacy Directive and Norwegian electronic communications law (Ekomloven) on cookies and tracking.

10. Changes to this Privacy Policy

If we change something important, we'll tell you.

We may update this policy from time to time. If a change meaningfully affects your rights or how we use your data, we'll let you know by email or in the app at least 30 days before it takes effect. Smaller wording changes will just be posted here with a new "last updated" date.

11. Contact us

Questions about your data? Want to use one of your rights? Write to us.

Loopyty AS
Org. no. 933 519 708
Email: support@loopyty.com

For complaints you'd rather take to a regulator: Datatilsynet — datatilsynet.no.

Thanks for trusting us with your data. We'll look after it.