Skip to content

Privacy policy

This Privacy Policy (“Privacy Policy”) applies to the processing of personal data of users (“user” or “you”) by Bending Spoons S.p.A. (“we” or “us”), the parent company of Loomly LLC, in connection to the use of Loomly's website https://loomly.com/ (“Website”), app, services and platform (“Services”). We provide this Privacy Policy in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation (“GDPR”), the Italian Legislative Decree 196/2003 (as amended), and other applicable local laws, as amended or replaced (collectively, “Applicable Privacy Laws”).

This Privacy Policy does not apply to the processing activities regulated in the Data Processing Agreement (“DPA”), and in particular to the processing of the personal data connected to the content uploaded on our platform, such as the social media content and related scheduling (“Social Media Content”)—except as specified in Section 2 (Categories of Personal Data that We Collect, Purposes and Legal Bases for Our Processing), and unless you are acting in your purely personal capacity. For these processing activities, the data controllers are the owners of the calendars.

If you are a California resident, please see Section 10 (Additional Information for California Consumers) below.

  1. Data Controller and Data Protection Officer

The Data Controller is Bending Spoons S.p.A., based in via Nino Bonnet 10, 20154 Milan, Italy, VAT, tax code and number of registration with the Milan Monza Brianza Lodi Company Register 08931860962, and REA number MI 2056926. 

For any requests about how we use your personal data, you can contact us or our Data Protection Officer at this link

  1. Categories of Personal Data that We Collect, Purposes and Legal Bases for Our Processing

Below is a list of the categories of personal data that we process, along with the purposes and the legal grounds for processing it. Please be aware that not all the information listed may be considered as personal data in your jurisdiction under all circumstances.

Purpose

Legal Basis

Categories of Processed Data

a) To enable you to use our Services ("Service Delivery”).

For example, we may process your data to enable you to perform the following activities:

  • Create and schedule social media content
  • Invite Collaborators to the calendars
  • Connect social media accounts
  • Target Audience
  • View metrics of your posts

Our contractual relationship provides the legal basis for processing this data for this purpose (article 6(1)(b) GDPR).

First name and last name, IDs, email address (“Identifiers and Contact Data”).

Company name, company type, preferred time zone and format, address, VAT, transaction data, and subscription details (details about the payments made and the products and services purchased). We do not store card details on our servers.

Social accounts linked to your account. If you decide to link your Loomly account to other accounts (such as Slack, Team, Zapier, or Canva), we will process the details of such accounts. 

Social Media Content, including the calendars you create, the names and emails of your collaborators, the content you input, and the criteria you select for your posts. 

Technical data such as IP address, login data, browser type and version, hardware information, language, location, browser plug-in types and versions, operating system and website, attribution, and other technology on the devices used to access the Services or originating from another platform used to access the Services, technical identification IDs (e.g. session storage ID) (“Technical Data”).



b) To improve and develop our products and services (“Service Improvement”).

For example, we may process your data by conducting statistical analysis or other research activities to optimize our features and provide you with new ones.

Our legitimate interest to improve our products and services provides the legal basis for processing this data for this purpose (article 6(1)(f) GDPR).

As for the collection of personal data by means of analytics tracking technologies, please see Section 12 (Cookies).

Identifiers and Contact Data.

The interaction with and use of the Services, including metadata related to the Social Media Content—such as whether an image was uploaded, which platform the content was posted on, and the number of users connected to a social account. 

Technical Data.

c) To ensure the quality and the proper functioning of the Services, by analyzing, preventing or correcting failures and bugs, as well as the illicit use or misuse of the Services ("Troubleshooting”).

Our legitimate interest to ensure the quality and the smooth functioning of the Services (article 6(1)(f) GDPR).



Identifiers and Contact Data.
Technical Data.

d) To enforce our Terms of Service and enhance the safety and integrity of our Services and users (“Service Integrity”). 

Our legitimate interest to enforce our Terms of Service, and maintain the safety and integrity of our Services provides the legal basis for processing this data for this purpose (article 6(1)(f) GDPR).

Identifiers and Contact Data.

Social Media Content.

Technical Data.

e) To analyze your usage information, including your preferences, interests and behaviors when you use our Services (“Profiling”). For example, we process your data in the following activities: 

  • Conduct user experience research activities (such as A/B testing)
  • Customize offers and experience
  • Conduct surveys, statistical analysis or other research activities to improve our products and services
  • Maintain, optimize, and develop new features
  • Measure the effectiveness of our advertising campaigns and make them more relevant
  • Customize information and marketing communications

Our legitimate interest to improve and customize our Services provides the legal basis for processing this data for this purpose (article 6(1)(f) GDPR).

The collection of personal data by means of profiling and third-party analytics tracking technologies is based on your consent (article 122 Italian Privacy Code). For more details, please see Section 12 (Cookies).

Identifiers and Contact Data.

Technical Data and other technical information we may receive from third-party advertising networks and platforms.

Your interaction with and use of our Services, and your subscription status.

Inferences we generate about your use of our Services.

If you participate in our surveys, audio-visual data and your answers to our surveys.

f) To carry out marketing activities, and send you information and marketing communications about our Services such as tips, offers, and newsletters through emails and push notifications, or to conduct user research activities ("Marketing”).

Your consent provides the legal basis for processing this data for this purpose (article 6(1)(a) GDPR).

Where your consent is not required, for example, where we use your email to send you information about products and services related to or similar to the Services (so called “Soft Opt-In”), the legal basis is our legitimate interest (article 6(1)(f) GDPR).

Identifiers and Contact Data.

Technical Data and other technical information we may receive from third-party advertising networks and platforms.

In case of personalized marketing, inferences we generate about your use of our Services, and your answers to our surveys.

g) To comply with our legal obligations, including requests from public authorities, and to prove that we have complied with them, such as in the event of a request from a public authority ("Compliance”).

When this activity is required by a specific legal obligation, your personal data may be used to the extent required to comply with the legal obligation itself (article 6(1)(c) GDPR). When the applicable law leaves some discretion in assessing the appropriate way to comply with it, your personal data is used based on our legitimate interest to prove our compliance (Article 6(1)(f) GDPR).

Any kind of information that may be required by law or under the instructions of public authorities, including Social Media Content.

h) To send you administrative or technical updates and to process and respond to customer support communications and any other requests or communications from you ("Customer Support”).

Our contractual relationship provides the legal basis for processing this data for this purpose (article 6(1)(b) GDPR).

If you provide us with your consent, we can also directly access your account for the purpose of providing you support with your request (article 6(1)(a) GDPR).

Identifiers and Contact Data.

Content of your communication or request.

Account features and subscription status.

i) To establish, exercise or defend our rights and those of our employees, and to carry out corporate transactions or operations (“Defense”). For example, we may process your data in case of bankruptcy, merger, acquisition, reorganization, sale of assets or assignments, and due diligence related to any such transactions.

Our legitimate interest to establish, exercise, or defend our rights and to carry out corporate transactions or operations provide the legal basis for processing this data for this purpose (article 6(1)(f) GDPR).

Any information necessary to ensure the performance of these purposes.

j) To install third-party tracking technologies to serve personalized ads ("Targeted Advertising”).

You can find more information on how these third parties process your personal data by reading their privacy policies listed in Section 12 (Cookies).

Your consent provides the legal basis for processing this data for this purpose (article 6(1)(a) GDPR).

The collection of personal data by means of third-party profiling tracking technologies is based on your consent (article 122 Italian Privacy Code). For more details, please see Section 12 (Cookies).


Technical Data, information about your interactions with the app, advertising data (such as ad conversion information and advertisements seen), your ad tracking choices and consent to receive personalized ads (if granted), and inferences about your interests and preferences.

 

  1. Data Storage and Protection

Personal data may be processed by both automated and non-automated means and may be stored at our premises and on our service providers’ servers. We adopt appropriate technical and organizational measures designed to prevent the loss, improper use and alteration of your personal data. In some cases, we may also adopt data encryption and pseudonymization measures. However, transmissions over the Internet are never 100% secure.

Personal data processed for Service Delivery purposes will be kept for no more than three (3) years from your last interaction with our Services, or from the expiration of your subscription. If you use the Services after your subscription has expired, the retention period starts from this most recent interaction. Upon the expiration of the mentioned retention period, unless specific legal obligations require that the data is retained for longer, your account is deleted and your data is either deleted or anonymized.

Personal data processed for the purposes of Service Improvement, Service Integrity, Profiling, and Marketing will be kept for no more than three (3) years from your last interaction with our Services, or from the expiration of your subscription. If you use the Services after your subscription has expired, the retention period starts from this most recent interaction. 

Personal data processed for the purposes of Troubleshooting will be kept for no more than one (1) year from your last interaction with our Services, or from the expiration of your subscription. If you use the Services after your subscription has expired, the retention period starts from this most recent interaction. 

Personal data processed for Customer Support purposes will be kept for no more than five (5) years from the submission of your request and the collection of your data. 

Personal data processed for Compliance purposes will be kept for no more than five (5) years from your last interaction with our Services, or from the expiration of your subscription. If you use the Services after your subscription has expired, the retention period starts from this most recent interaction.

Personal data processed for Defense purposes will be kept for no more than ten (10) years from your last interaction with our Services, or from the expiration of your subscription. If you use the Services after your subscription has expired, the retention period starts from this most recent interaction. 

Regarding personal data processed for Targeted Advertising purposes, you can find more information visiting Section 12 (Cookies) below.

Upon the expiration of the mentioned retention periods, unless specific legal obligations require that the data is retained for longer, the data is either deleted or anonymized.

  1. Your Choices With Regard to the Use of Your Personal Data

To access the Services, it is mandatory for you to provide your personal data for the purposes of the Service Delivery, Compliance, and Customer Support. If you choose not to provide your personal data, you will not be able to enjoy our Services.

Where we rely on your consent to process your personal data, providing your personal data is optional, and you have the right to withdraw your consent at any time. If you choose not to provide your personal data, you will still be able to enjoy our Services. 

Where we rely on our legitimate interest as the legal grounds to process your personal data you may, at any time, exercise your right to object to such processing as explained in Section 7 (Your Rights) below.

You can freely decide whether to accept cookies and other tracking technologies not strictly necessary for the functioning of the Website as indicated in Section 12 (Cookies) below.

  1. Recipients of Your Personal Data

We may disclose your personal data to the following categories of recipients:

  • Vendors carrying out activities related or instrumental to our business and operations, either as outsourced data processors appointed in writing in accordance with Applicable Privacy Laws (such as IT or storage service providers) or as autonomous data controllers (such as advertising networks and platforms)
  • If we carry out a corporate transaction or operation (for example, in case of merger, acquisition, reorganization, sale of assets or assignments, and due diligence related to any such transactions), personal data may be transferred to another owner, and disclosed to our advisers and any prospective purchaser's advisers, as part of such transaction or operation
  • Public, judicial and/or police authorities, within the limits established by applicable laws
  • Other parties as necessary, in the event we believe that your actions are inconsistent with our user agreements or policies, if we believe that you have violated the law, or if we believe it is necessary to protect our rights, property, and safety or that of our users, the public, or others
  • Professional advisors where necessary to obtain advice or otherwise protect and manage our business interests
  • Our corporate affiliates under common control and ownership

If you give your consent to install tracking technologies, you will allow third parties to collect personal data about you in order to show you customized and personalized advertising. If you want more information, please see Section 12 (Cookies) below.

Personal data will not be disclosed for any reason other than those stated above, unless such disclosure is deemed necessary for the fulfillment of a legal obligation or if we request your consent.

  1. International Transfers 

We may transfer personal data from the European Economic Area (“EEA”) to other countries outside the EEA. Such data transfers are based on appropriate safeguards in accordance with Applicable Privacy Laws, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission; or (c) binding corporate rules.

Please contact us to receive more information on the appropriate safeguards. 

  1. Your Rights

Depending on where you are located, you may have certain rights in relation to your personal data. At any time and free of charge, you may exercise those rights, as specified and subject to certain limitations and exceptions under Applicable Privacy Laws. These include the following:

  • Right of access. You have the right to obtain information about the processing of your personal data and to access it.
  • Right to rectification. You have the right to ask for the update, rectification or integration of your personal data.
  • Right to erasure. You have the right to request the deletion of your personal data.
  • Right to restriction of processing. You have the right to request the restriction of the processing of your personal data.
  • Right to data portability. You have the right to obtain a portable electronic copy of your personal data.
  • Right to object. Where we rely on our legitimate interest to process your personal data, you have the right to object to such processing, wholly or partly, on grounds related to your particular situation. In particular, you are entitled to object to the processing of your personal data for direct marketing purposes, including profiling.
  • Right to withdraw your consent. Where we rely on your consent to process your personal data, you have the right to withdraw your consent, although the processing carried out before your withdrawal of consent will remain valid.

You also have the right to lodge a complaint before the competent national Data Protection Authority, or other applicable regulator in the jurisdiction where you reside.

To exercise your rights, you can submit a request following these steps:

  • Reach our Help Center available on Loomly’s Website at the following link
  • Open the Chat on the bottom-right of the page
  • Click on “Send us a message”
  • Click on “Continue”
  • Select the “Privacy request” category and submit your request

We may take reasonable steps to verify your identity prior to responding to your request, such as by asking you for information that matches information we have on file about you. If you are submitting a rights request as an authorized agent, we may ask you to provide proof of your authorization to make the request, or we may contact the individual who is the subject of the request for confirmation, in accordance with Applicable Privacy Laws. 

  1. Children’s Personal Data

Our Services are not intended for anyone under the age of 16. We do not knowingly collect or process personal data from children. If you believe we have received personal data from children under the age of 16, please contact us. If we learn that a user is under the age of 16, we will take reasonable steps to delete any processed data and close such user’s account.

  1. Third-party Websites and Services

The Services may include links to other websites or services operated by third parties. The activities described in this Privacy Policy do not apply to data processed by such third-party websites and services. We have no control over, and we are not responsible for, the actions and privacy policies of third parties and other websites and services.

Moreover, any collection, use, and management of personal information by the social network are governed by that platform’s privacy policy. For example, if you choose to connect your YouTube account to our Service, this connection uses YouTube API Services, you will be subject to the Google Privacy Policy that will apply to you.

Should you wish to revoke access to any service you have linked, you can access and alter the applicable security settings through the following links:

  1. Additional Information for California Consumers 

This section provides additional disclosures required by the California Consumer Privacy Act (“CCPA”) and serves as our California notice at collection. If you reside in California, this section applies to you.

a) Additional Information Related to Collection, Use, and Disclosure of Personal Information

We collect personal information from several sources: directly from you (for example, when you make purchases or participate in a survey or contest), automatically when you use the Services (for example, browser information), and from other sources (for example, ad networks). We also generate inferences about you based on your use of the Services and other information we collect.

In the preceding 12 months, we have collected the following categories of personal information: identifiers, internet or other electronic network activity information, characteristics of protected classifications under California or U.S. federal law, commercial information (such as purchases you make), approximate geolocation information (such as country), audio and visual information (e.g., if you participate to our surveys), inferences, and other information that relates to or is reasonably capable of being associated with you. For details about the personal information we collect, please see Section 2 (Categories of Personal Data that We Collect, Purposes and Legal Bases for Our Processing) above. We collect personal information for the business and commercial purposes listed in the chart in Section 2 (Categories of Personal Data that We Collect, Purposes and Legal Bases for Our Processing).

We may disclose your personal information with the categories of third parties as described in Section 5 (Recipients of Your Personal Data) above. In the preceding 12 months, we have disclosed the following categories of personal information for the business purposes described in Section 2 (Categories of Personal Data that We Collect, Purposes and Legal Bases for Our Processing): identifiers, internet and electronic network activity information, commercial information, approximate geolocation information, and other information that we have inferred about you or that relates to or is reasonably capable of being associated with you.

We disclose the following categories of personal information to third parties for the purpose of engaging in targeted advertising (these disclosures may be considered “sales” or “sharing” under certain State Laws):

Categories of Personal Information “Shared,” “Sold,” or used for Targeted Advertising

Categories of Third Parties

  • Identifiers
  • Internet and electronic network activity
  • App usage and diagnostic information
  • Inferences

Advertising and marketing partners

 

We don’t knowingly sell or share personal data about users under the age of 16.

We don’t collect information that’s considered “sensitive” under the CCPA.

We retain personal data as described under previous Section 3 (Data Storage and Protection).

b) Rights of California Consumers

Right to Opt Out of Sales, Sharing, Targeted Advertising

Some of the activities described in this Privacy Policy may be considered “sales” or “sharing” of your personal information or use of your information for “targeted advertising” under the law that applies to you. You or your authorized agent may opt out of these activities by following the prompts behind the “Cookie Preferences” link in the Website footer. You may need to renew your opt-out choice if you use a different browser or device to access our Services, or if you clear your cookies. For more information, see also the instructions in Section 12 (Cookies).

Access, Correction, Deletion, Non-Discrimination

Subject to certain limitations, the CCPA provides California consumers the right to:

  • Request more details about the categories and specific pieces of personal information that we process, including in a portable format where feasible
  • Request the deletion of their personal information
  • Request the correction of inaccurate personal information
  • Not to be discriminated against for exercising these rights

For details about how to exercise your rights, please see Section 7 (Your Rights).

California consumers can also designate an authorized agent to exercise these rights on their behalf, but we will require proof that the person is authorized to act on their behalf and may also still ask them to verify their identity with us directly.

  1. Changes to this Privacy Policy

We may modify, integrate or update, in whole or in part, this Privacy Policy, and we will notify users of any modification, integration or update in accordance with Applicable Privacy Laws. If we make modifications, we will notify you by revising the date at the bottom of this Privacy Policy and, under certain circumstances, we may also notify you by additional means such as pop-up or push notifications within our Website or email.

  1. Cookies

What are cookies and tracking technologies?

When we use the word “cookies” in this Privacy Policy, we mean any tracking technology that stores or accesses information on the user’s device, including any SDK, tracking pixel, HTML5 local storage, local shared object, and fingerprinting technique. 

Cookies are usually classified by:

(A) Purpose (Technical cookies, Analytics cookies, Profiling cookies)

(B) Publisher (First-party cookies, Third-party cookies), and 

(C) Duration (Session cookies, Permanent cookies) 

This classification is important because different legal requirements apply based on how the cookie is classified. 

Below you will find the types of cookies and tracking technologies as classified with some practical examples.

A. By purpose

Technical cookies

Technical cookies are used solely for the purpose of transmitting messages over an electronic communication network, or to provide a service specifically requested by the user. 

In other words, technical cookies are essential for the correct functioning of the Website and to provide the service offered to and requested by the user. 

For example, technical cookies can be used to monitor sessions, to store specific server access information related to the user configuration, to facilitate the use of online content, or to keep track of items in a shopping cart or information used to fill in a form.

Technical cookies include the functional cookies you might find mentioned while browsing the Website.

Technical cookies do not need your consent. 

Analytics cookies

Analytics cookies may be used to assess the effectiveness of an information society service provided by a publisher, to evaluate and improve the design of a website or to help measure its traffic. 

In other words, analytics cookies may be used to track the traffic and performance of a website, by collecting aggregate data on the number of visitors and how they interact with the website to improve its services. 

For example, analytics cookies may collect information about how users access a website, including the number of visitors, possibly grouped by geographical area, time slot, how long visitors stay on the site for, what parts of the site they visit or other characteristics, the number of pages visited or the number of users who viewed a particular section.

Please consider that if analytics cookies are properly anonymized, they can be installed without your previous explicit consent.

Profiling cookies

Profiling cookies may be used to trace specific actions or recurring behavioral patterns in the use of the offered functionalities back to specific, identified or identifiable individuals for the purpose of grouping the different profiles within homogeneous, multi-sized clusters. This is aimed in turn to enable a company to provide increasingly customized services beyond what is strictly necessary for the delivery of the service and also send targeted advertising messages in line with the preferences expressed by the user during their web-browsing activities.

In other words, profiling cookies may be used to convey behavioral advertising, measure the effectiveness of ads, or to customize the services offered in line with the user’s monitored behavior.

For example, profiling cookies can be used to create user profiles and offer content in line with the user’s interests, or to send targeted ads or messages. 

Profiling cookies include the performance, marketing and social media cookies you might find mentioned while browsing the Website.

Profiling cookies need your explicit consent. 

B. By publisher

First-party cookies

Cookies are installed directly by the website that the user is browsing. In other words, the publisher of the website installs the cookies directly without using any third-party publishers and processes the information thereby acquired.

Third-party cookies

Third-party cookies are set by external providers other than those of the website that the user is browsing. In other words, the publisher of the website installs the cookies indirectly, using third-party publishers and processes the information thereby acquired.

For the purposes of this Privacy Policy, third party cookies include any tracker which, although directly published by us, is provided by third parties which receive or otherwise process for their own purposes the information acquired through these cookies when you visit our website. For further information, please refer to the privacy policy of such third parties as indicated in the cookie table.

The data collected by these third parties is governed by their own specific privacy policies, terms and conditions, or cookie policies to which we have no control over. 

When our Website hosts third-party non-anonymized analytics cookies and/or profiling cookies, you will be asked to consent to such third-party cookies when landing on our Website for the first time, via a specific cookie banner.

C. By duration

Session cookies

Session cookies expire when the user's browsing session expires.

Permanent cookies

Permanent cookies last longer than a single browsing session.

Types of cookies we use

Technical Cookies

Provider

Cookies

Expirations

Google, LLC

_gcl_, _gcl_gb, _gat, _gcl_aw, _gcl_au, _gcl_dc, _gat_, _gid, _gac_, _ga, _ga_, _gat_gtag_

Session, Session, Session, Session, 3 Months, Session, Session, Session, Session, Session, 2 years, Session

Intercom, Inc

intercom-

Session

Mutiny

mutiny.user.session, mutiny.user.token

Session, Session

Stripe, Inc

^__stripe_.*

Session

Bending Spoons S.p.A.

LOCAL_STORAGE_ID_pico_lsid

Local Storage Item

Analytics Cookies

Provider

Cookies

Expirations

HubSpot, Inc

__hstc, hubspotutk, __hssc, __hssrc

13 Months, 13 months, 30 Minutes, Session

Microsoft Corporation

_clsk, _clck

Session, Session

Mixpanel, Inc

__mp_opt_in_out_, mp_

Session, Session

Segment, Inc

__tld__

Session

Profiling Cookies

Provider

Cookies

Expirations

Facebook, Inc

_fbc, _fbp

Session, Session

Google, LLC

__ar_v4, _te_

Session, Session

Microsoft Corporation

_uetvid, _uetsid

Session, Session

 

Cookie settings

You can disable (in whole or in part) technical cookies through the specific functions of your browser. Please note, however, that if you don’t allow technical cookies, you may not be able to use the Website, view its contents and take advantage of its services. Inhibiting technical cookies may result in some services or features of the Website not being available or not working properly and you may be required to modify or manually enter certain information or preferences each time you visit the Website.

The choices you make with respect to the Website’s cookies will be recorded in a cookie. However, in some circumstances this cookie may not work properly: in such cases, we recommend that you delete the cookies you do not like and inhibit their use through the features of your browser.

Your cookie preferences will need to be reset if you use different devices or browsers to access the Website. 

You can find information on how to manage cookie settings on certain browsers via the following links:


For more information about how to limit the use of third-party cookies installed in your browser, please visit www.youronlinechoices.com. Once arrived on the Website, by accessing the "Your ad choices" section, you will be able to view the list of third parties that install cookies on your browser and manage your consent granularly ("On/Off"). Moreover, by expanding the "Info" section, you will be able to access more information about each third party and its privacy and cookie policies.

With regards to your rights under Applicable Privacy Laws, please refer to Section 7 (Your Rights) above.

Last updated: June 18, 2025