Privacy Policy
Last updated: June 9, 2026


Loft Solutions ("we", "us", or "our") operates the Rope Retail platform and related services. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our services, visit our websites, or interact with us as a customer, partner, or end consumer.

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR/AVG) and applicable Dutch and European data protection laws.

1. Data Controller

Loft Solutions
Data Protection Officer: Bas Hoogzaad
Email: bas@loftsolutions.nl

2. What Personal Data We Collect

Depending on how you interact with our services, we may collect the following categories of personal data:

2.1 Customer and Business Data

Identity data: Name, company name, job title
Contact data: Email address, phone number, postal address
Account data: Username, authentication credentials (hashed), role, permissions
Financial data: Invoice details, payment references, VAT number, IBAN (where applicable)

2.2 End Consumer Data (processed on behalf of our customers)

Order data: Name, delivery address, email, phone number
Transaction data: Order history, payment status, shipping information
Communication data: Customer service interactions, chat messages


2.3 Technical and Usage Data

Device data: IP address, browser type, operating system
Usage data: Pages visited, features used, session duration
Cookie data: As described in our Cookie Policy

3. How We Use Your Data

We process personal data for the following purposes:

Purpose                                                        Legal Basis (GDPR Art. 6)
Providing and maintaining our SaaS platform                    Performance of contract
Processing orders and transactions on behalf of our customers  Performance of contract / Legitimate interest
Customer support and communication                             Performance of contract / Legitimate interest
Invoicing and financial administration                         Legal obligation / Performance of contract
Security monitoring and fraud prevention                       Legitimate interest
Platform improvement and analytics                             Legitimate interest
Compliance with legal obligations (tax, fiscal records)        Legal obligation
Marketing communications (only with consent)                   Consent

4. Data Sharing and Third Parties

We do not sell personal data. We may share data with the following categories of recipients, only to the extent necessary:

Recipient                                                   Purpose                                              Location
Google Cloud Platform                                       Infrastructure hosting (compute, database, storage)  EU (Netherlands)
Firebase (Google)                                           Authentication services                              EU
Payment processors (e.g., Mollie)                           Payment processing                                   EU (Netherlands)
Email service providers (e.g., Postmark)                    Transactional email delivery                         EU/US (DPA in place)
Shipping carriers (e.g., DHL, QLS)                          Order fulfillment and delivery                       EU
Marketplace platforms (e.g., BOL.com, TikTok Shop, Amazon)  Marketplace order processing                         EU/International (DPA in place)
ERP systems (e.g., Exact Online)                            Financial administration                             EU (Netherlands)

All third-party processors are bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant handling of personal data. We only share the minimum data necessary for each specific purpose.

5. International Data Transfers

Our primary infrastructure is hosted within the European Union (Google Cloud region europe-west4, Netherlands). We strive to keep all personal data within the EU/EEA.

Where data transfers to countries outside the EU/EEA are necessary (e.g., certain SaaS sub-processors), we ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses (SCCs)
  • EU-U.S. Data Privacy Framework adequacy decisions
  • Binding Corporate Rules where applicable

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Category                               Retention Period                                 Basis
Customer account data                       Duration of contract + 90 days                   Contractual necessity
Financial and fiscal records                7 years                                          Dutch fiscal law (AWR)
Order and transaction data                  7 years                                          Dutch fiscal law
Access and audit logs                       90 days to 2 years                               Security and accountability
Marketing consent records                   Until consent is withdrawn                       Consent
End consumer data (on behalf of customers)  As determined by our customer (data controller)  Data Processing Agreement

Upon termination of a contractual relationship, personal data is deleted or anonymized within 90 days, unless legal retention obligations apply.

7. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit: All data is transmitted via TLS 1.2+ (HTTPS)
  • Encryption at rest: AES-256 encryption on all databases and storage (Google Cloud managed)
  • Access control: Role-based permissions with the principle of least privilege; multi-factor authentication (MFA) enforced for all internal systems
  • Secrets management: Credentials stored in Google Cloud Secret Manager, never in source code
  • Audit logging: Administrative actions are logged for accountability
  • Network security: VPC networking, rate limiting, DDoS protection, security headers
  • Endpoint security: Full-disk encryption and built-in malware protection on all company devices
  • Code security: Mandatory code review, dependency scanning, parameterized queries

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of your personal data
  • Right to rectification (Art. 16) — You can request correction of inaccurate data
  • Right to erasure (Art. 17) — You can request deletion of your data, subject to legal retention requirements
  • Right to restrict processing (Art. 18) — You can request restriction of processing in certain circumstances
  • Right to data portability (Art. 20) — You can request your data in a structured, commonly used format
  • Right to object (Art. 21) — You can object to processing based on legitimate interest or for direct marketing
  • Right to withdraw consent (Art. 7) — Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact our Data Protection Officer:

Data Protection Officer
Bas Hoogzaad
Email: bas@loftsolutions.nl

We will respond to your request within 30 days. In complex cases, this period may be extended by an additional 60 days, in which case we will inform you of the extension and the reasons.

9. Cookies

Our websites and applications use cookies and similar technologies. We categorize cookies as follows:

  • Essential cookies: Required for the website to function properly (always active)
  • Analytics cookies: Help us understand how visitors use our websites (require consent)
  • Marketing cookies: Used to deliver relevant advertisements (require consent)

You can manage your cookie preferences at any time through the cookie banner on our websites. We use Google Analytics 4 with Consent Mode to respect your preferences.

10. Data Processing on Behalf of Customers

When our customers (retailers) use the Rope Retail platform, they act as data controllers for their own customer data. Loft Solutions acts as a data processor, processing end consumer data strictly in accordance with our customers' instructions and the applicable Data Processing Agreement (DPA).

If you are an end consumer and wish to exercise your data rights, please contact the retailer from whom you purchased directly. If you need assistance, you may also contact us and we will direct your request to the appropriate data controller.

11. Children's Data

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes by posting the updated policy on our website with a revised "Last updated" date.

13. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 8500

We encourage you to contact us first so we can try to resolve your concern directly.

14. Contact


Loft Solutions
Data Protection Officer: Bas Hoogzaad
Email: bas@loftsolutions.nl