Who we are (data controller)
Loop Local is operated by Anchorbid Ltd, a company registered in England and Wales (company number: 16516484).
Registered office: Office 1, Izabella House, 24–26 Regent Place, Birmingham, B1 3NJ, United Kingdom.
Anchorbid Ltd is the data controller for personal data processed through the Services.
Contact
If you have questions or want to exercise your privacy rights, contact us at hello@looplocal.co.
Data Protection Officer
We are not required to appoint a Data Protection Officer under UK GDPR or EU GDPR. If you have questions or wish to exercise your rights, you can contact us using the details above.
What we collect
The categories of personal data we may collect include:
- Account data: email address, login identifiers, account role (e.g. merchant/staff), and related authentication data.
- Profile data (optional): information you choose to provide such as birthday, gender, home area, interests, and preferences.
- Loyalty activity: check-ins/visits, stamps/points earned, rewards redeemed, campaign participation, and related activity history.
- Merchant and location data: business details and location information you provide (including address and map coordinates).
- Device and usage data: IP address, browser/device information, pages and actions, and diagnostic logs.
- Push notification tokens: where enabled, device push tokens and related identifiers (for example platform and device ID) to deliver notifications.
- Payments and billing: subscription status and billing identifiers from our payment provider (for example Stripe). We do not store full card details on our servers.
- AI feature interactions: if you use our AI features, we may process your prompts/questions and store the questions and outputs for quality, debugging, and product improvement. Where possible, we minimise personal data in AI inputs.
How we use personal data
We use personal data:
- to provide and operate the Services (accounts, loyalty tracking, redemptions, and dashboards);
- to prevent fraud and keep the Services secure;
- to provide customer support and respond to requests;
- to improve and develop the Services (including analytics and feature performance);
- to process payments and manage subscriptions;
- to send service messages (for example security notices, changes, and transactional updates);
- where you opt in (or where otherwise permitted by law), to send marketing communications (you can opt out at any time).
Legal bases (UK GDPR / EU GDPR)
Where UK GDPR or EU GDPR applies, we rely on one or more of the following legal bases:
- Contract: to provide the Services you request.
- Legitimate interests: to operate, secure, and improve the Services, detect fraud, prevent misuse, and ensure platform reliability. We have assessed that these interests do not override your rights and freedoms.
- Consent: for certain optional features (for example marketing and non-essential analytics, where required).
- Legal obligation: where we must comply with law.
How we share personal data
We may share personal data with trusted processors and service providers to run the Services, such as:
- Supabase (authentication and data storage) and our hosting and infrastructure providers.
- Stripe (payments, billing, and subscriptions).
- AI providers (to generate AI responses in Merchant analytics and tooling). Where possible, we send aggregated business metrics rather than direct customer identifiers.
- Maps and CDN providers (for example OpenStreetMap tile servers and static asset CDNs used by mapping components), which may receive your IP address and device data when maps load.
- Diagnostics and product analytics (for example Sentry or PostHog) if enabled in your deployment.
We may also share data if required by law, to enforce our terms, or to protect rights, safety, and security.
International transfers
Some of our service providers may process data outside the UK and/or European Economic Area. Where this occurs, we take steps designed to ensure appropriate safeguards are in place, such as relying on adequacy regulations where applicable, or using the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses.
Cookies and local storage
We use cookies and similar technologies to keep you signed in and to provide core functionality.
- Strictly necessary: required for core features such as authentication, security, and session management (for example cookies set by Supabase).
- Analytics (optional): where enabled and where required by law, we ask for your consent before using analytics tools (for example PostHog). These tools may set cookies or use local storage to recognise your browser and measure usage.
You can change your cookie preferences at any time using the Cookie settings link in the website footer.
The web app also stores limited app state in browser local storage (for example loyalty progress and interface preferences).
Data retention
We keep personal data only as long as necessary for the purposes described above, including to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.
In general:
- Account data is retained while your account is active and for a limited period after closure (for example to allow reactivation, handle support requests, or address security issues).
- Billing and transaction data may be retained for up to six years to comply with legal and accounting obligations.
- Usage, analytics, and diagnostic data is generally retained for shorter periods unless needed for security investigations, reliability, or dispute resolution.
Security
We implement reasonable technical and organisational measures to protect personal data. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.
Automated decision-making
We do not use personal data to make automated decisions that produce legal or similarly significant effects on individuals.
Your rights
Depending on your location and applicable law (including UK GDPR and EU GDPR), you may have rights to access, correct, delete, restrict, object to processing, and request portability of your personal data. You may also have the right to withdraw consent where processing is based on consent.
Direct marketing: you have the right to object at any time to processing of your personal data for direct marketing purposes.
If you are in the UK, you can also complain to the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can try to resolve your concerns.
Children
The Services are not intended for children. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date.