Transactional

GDPR Compliance

Last updated: January 1, 2026

Our commitment to protecting your data under the General Data Protection Regulation.

Loopclub Ltd. ("Company," "we," "us," or "our") is committed to protecting the privacy and security of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This page explains how we comply with GDPR requirements.

Our Commitment to GDPR

We have implemented comprehensive technical and organizational measures to ensure our services meet GDPR requirements. Our commitment includes:

  • Processing personal data lawfully, fairly, and transparently
  • Collecting data for specified, explicit, and legitimate purposes
  • Minimizing data collection to what is necessary
  • Ensuring data accuracy and keeping it up to date
  • Limiting storage to the period necessary for processing
  • Implementing appropriate security measures
  • Demonstrating accountability for compliance

Our Role in Data Processing

When We Act as Data Controller

We act as the Data Controller for:

  • Your account registration and profile information
  • Billing and payment data
  • Communications with our support team
  • Website analytics and marketing data
  • Employment and recruitment data

As Data Controller, we determine the purposes and means of processing and are responsible for compliance with GDPR principles.

When We Act as Data Processor

We act as a Data Processor when you use Transactional to send emails or process data on behalf of your users. In this case:

  • You are the Data Controller for your end users' data
  • We process data only according to your documented instructions
  • We are bound by our Data Processing Agreement (DPA)
  • We implement appropriate security measures
  • We assist you in fulfilling data subject requests

Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data. These rights may be subject to certain conditions and exceptions.

Right to Access

Request a copy of all personal data we hold about you, including how it is processed and shared.

Right to Rectification

Request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure

Request deletion of your personal data when it is no longer necessary or you withdraw consent.

Right to Restriction

Request limitation of processing while accuracy is contested or processing is unlawful.

Right to Portability

Receive your data in a structured, machine-readable format and transfer it to another service.

Right to Object

Object to processing based on legitimate interests, profiling, or direct marketing.

Exercising Your Rights

To exercise any of these rights:

  1. Email our Data Protection team at privacy@usetransactional.com
  2. Include your account email and specify which right you wish to exercise
  3. Provide enough information for us to verify your identity
  4. We will respond within 30 days (or 90 days for complex requests)

There is no fee for exercising your rights, except for manifestly unfounded or excessive requests.

Lawful Basis for Processing

We process personal data under the following lawful bases:

Contract Performance (Article 6(1)(b))

  • Providing and maintaining our Services
  • Processing payments and managing subscriptions
  • Sending service-related communications
  • Providing customer support

Legitimate Interests (Article 6(1)(f))

  • Improving and optimizing our Services
  • Ensuring security and preventing fraud
  • Marketing to existing customers (with easy opt-out)
  • Analytics and business intelligence

Legal Obligation (Article 6(1)(c))

  • Tax and accounting requirements
  • Responding to legal process
  • Compliance with regulatory requirements

Consent (Article 6(1)(a))

  • Marketing communications to non-customers
  • Non-essential cookies and tracking
  • Special category data processing (if applicable)

International Data Transfers

When we transfer personal data outside the European Economic Area (EEA) or UK, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs)

We use the European Commission's Standard Contractual Clauses for transfers to countries without adequacy decisions. These include the supplementary measures recommended by the EDPB.

Adequacy Decisions

Where available, we transfer data to countries with adequacy decisions from the European Commission.

Additional Safeguards

  • Encryption of data in transit and at rest
  • Pseudonymization where appropriate
  • Transfer impact assessments
  • Contractual commitments from sub-processors

Data Processing Agreement (DPA)

Our Data Processing Agreement is available to all customers and covers:

  • Subject Matter: Processing of personal data to provide our Services
  • Duration: The term of your subscription
  • Nature and Purpose: Email delivery, analytics, and related services
  • Types of Data: Email addresses, names, email content, and metadata
  • Data Subjects: Your customers and contacts

DPA Commitments

Our DPA includes commitments to:

  • Process data only on documented instructions
  • Ensure personnel confidentiality obligations
  • Implement appropriate security measures
  • Engage sub-processors only with authorization
  • Assist with data subject requests
  • Delete or return data upon termination
  • Support audits and inspections
  • Notify you of data breaches without undue delay

To request a signed copy of our DPA, contact us at legal@usetransactional.com.

Sub-Processors

We use the following categories of sub-processors to deliver our Services:

  • Cloud Infrastructure: Hosting and compute services
  • Email Delivery: SMTP relay and deliverability services
  • Payment Processing: Billing and subscription management
  • Analytics: Usage and performance monitoring
  • Support Tools: Customer support and ticketing

A complete list of sub-processors is available in our DPA. We notify customers of new sub-processors at least 30 days before engagement.

Security Measures

We implement appropriate technical and organizational measures as required by Article 32 of GDPR:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Pseudonymization: Where appropriate for analytics and testing
  • Access Control: Role-based access with MFA and audit logging
  • Resilience: Multi-region deployment with automated failover
  • Testing: Regular penetration testing and vulnerability assessments
  • Incident Response: Documented procedures with 72-hour notification

Data Breach Notification

In the event of a personal data breach, we will:

  1. Notify affected Data Controllers without undue delay and within 72 hours where feasible
  2. Provide information about the nature of the breach, categories of data, and approximate number of data subjects affected
  3. Describe likely consequences and measures taken to address the breach
  4. Assist you in fulfilling your notification obligations to supervisory authorities and data subjects

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to data subjects. We can assist customers with their own DPIAs upon request.

Contact Our Data Protection Team

For GDPR-related inquiries, to exercise your data subject rights, or to request our DPA:

You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.