Privacy Policy

Effective 2026-05-08

The short version

Loot is built for Canadian freelancers. Your financial data is yours. We collect what we need to run the service, we are transparent about where it goes, and we do not sell it. Ever.

This Privacy Policy is also embedded as Section 11 of our Terms & Conditions. The two documents are kept in sync.

1. Who we are

Loot (“we,” “us,” “our”) is a financial management tool for Canadian freelancers. We help you track invoices, payments, and client relationships.

Contact for privacy inquiries: privacy@getloot.ca

Mailing address: 14 Eastaff St., St. John’s, NL A1E 2J4

2. What we collect

We collect personal information necessary to provide you with Loot’s services:

Account information

Your name, email address, login credentials, and (if you subscribe to a paid plan) a display name used as the sender identity on invoice and quote emails sent on your behalf.

Financial data

Invoice details, payment records, and client names and contact information that you enter into Loot.

Usage data

How you interact with Loot: features used, session duration, and gamification activity (Streaks, Drops, Haul data). This helps us improve the product.

Payment information (your own subscription)

If you subscribe to a paid Loot plan, Stripe processes your payment to Loot. We do not store your credit card number. Stripe’s privacy practices for your subscription payment are governed by their own privacy policy.

Payment account connection

If you choose to accept client payments through Loot, you can connect your own Stripe account through our service. We store your Stripe account identifier so that Payment Links generated for your invoices route through your connected account. We do not store your Stripe login credentials, your bank account details, or any client payment card data. All payment processing happens directly between your client and Stripe; the funds settle into your Stripe balance and pay out to your bank account on Stripe’s schedule.

Expense records

If you use the Spending Journal feature, we collect the amount, category, date, and optional description of business expenses you log. This information is stored in association with your account and is used to display monthly spending summaries and to qualify your habit streak.

Technical data

Browser type, device information, IP address, and similar technical identifiers collected automatically when you use Loot.

3. How we use your information

We use your personal information to:

  • Provide and maintain Loot’s core services (invoicing, payment tracking, client management)
  • Calculate and display your gamification data (Streaks, Drops, Haul summaries)
  • Process your subscription payments through Stripe
  • Generate Stripe Payment Links on invoices you create, routed through your connected Stripe account. When you connect your Stripe account through Loot, we use that connection to issue Payment Links so your clients can pay you directly. Your clients’ payment card data is collected and processed by Stripe on your connected account. We receive confirmation of a successful payment and mark the corresponding invoice in Loot. We do not handle, store, or have access to your clients’ payment card information, and we do not hold or transfer the funds at any point
  • Send you service-related communications (such as subscription confirmations and account notifications)
  • Send invoice and quote notification emails to your clients on your behalf when you mark an invoice or quote as sent. These emails include your display name, the invoice or quote amount, and use your email address as the Reply-To address so your client can respond to you directly
  • Send automated payment reminder emails to your clients on your behalf when an invoice is past due. Payment reminders are triggered automatically based on the invoice due date and reference only the specific invoice the client has already received. Like invoice notifications, these reminders include your display name, the invoice amount, and your email address as the Reply-To header. Payment reminders are a feature of paid plans.
  • Track business expenses you log through the Spending Journal feature and display monthly spending summaries on your dashboard
  • Improve Loot based on aggregated, anonymized usage patterns
  • Comply with Canadian tax and legal requirements

We do not use your data to serve ads. We do not sell your personal information to third parties.

4. Where your data is stored

Loot uses third-party infrastructure providers to deliver the service:

  • Supabase (database): hosted on Amazon Web Services (AWS) in the United States.
  • Vercel (application hosting): servers located in the United States.
  • Stripe (payment processing): headquartered in the United States.

This means your data is transferred to and stored in the United States. While Loot is built for Canadian freelancers and designed around Canadian financial workflows, our infrastructure providers operate US-based servers. We do not claim Canadian data residency.

These providers maintain their own security certifications and compliance programs. We have chosen providers with strong security track records, but we are transparent: your data crosses the border.

5. Your rights under PIPEDA

As a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

Access

You can request a copy of the personal information we hold about you.

Correction

You can ask us to correct inaccurate or incomplete personal information.

Withdrawal of consent

You can withdraw your consent to our collection, use, or disclosure of your personal information. Note that withdrawing consent may limit your ability to use Loot’s services.

Deletion

You can request that we delete your personal information, subject to legal retention requirements. You can also delete your account yourself at any time from your account settings.

Complaint

You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights have been violated. Quebec residents may also file a complaint with the Commission d’accès à l’information du Québec (CAI) under Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25).

  • Office of the Privacy Commissioner of Canada: priv.gc.ca
  • Commission d’accès à l’information du Québec: cai.gouv.qc.ca

To exercise any of these rights, contact us at privacy@getloot.ca. We will respond within 30 days.

6. How we protect your data

We take reasonable measures to protect your personal information:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Database-level encryption for data at rest (provided by Supabase)
  • Authentication and access controls on all accounts
  • Row-level security on all per-user data
  • Regular review of our security practices

No system is perfectly secure. We are honest about that. We take it seriously and we do our best.

7. Third-party services

Loot integrates with the following third-party services. Each has its own privacy policy:

  • Supabase: database and authentication infrastructure
  • Vercel: application hosting and deployment
  • Stripe: Payment processing in two distinct contexts. First, Stripe processes your Loot subscription payments. Second, when you connect your own Stripe account to Loot, Stripe processes the payments your clients make on your invoices through Payment Links. In the second context, Stripe is your payment processor (you are the merchant), and Loot is the Connect platform that issues the Payment Links on your behalf. Funds from client payments settle directly into your Stripe balance and are paid out to your bank account on Stripe’s schedule. Loot does not hold these funds. Stripe’s privacy practices in both contexts are governed by their own privacy policy. Connecting your Stripe account through Loot is also subject to the Stripe Connected Account Agreement.
  • Resend: email delivery for invoice and quote notifications, automated payment reminders, and service communications. When you send an invoice or quote through Loot, Resend delivers the notification email to your client. When an invoice becomes past due, Resend delivers an automated reminder on your behalf. These emails include your display name, the invoice or quote amount, and your email address (as the Reply-To header) so your client can reach you directly.

We only share the minimum personal information necessary for each service to function. We do not share your financial data (invoice details, client information, payment records) with any third party except as required to provide the service or comply with law.

8. Cookies and tracking

Loot uses essential cookies to keep you logged in and maintain your session. We do not use advertising cookies or third-party tracking pixels.

If we introduce analytics tools in the future, we will update this policy and notify you.

9. Data retention

We retain your personal information for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except where we are required by law to retain it (for example, tax-related records may be retained as required by the Canada Revenue Agency).

10. Children

Loot is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors.

11. Changes to this policy

If we make changes to this privacy policy, we will notify you by email or through the Loot application before the changes take effect. We will update the effective date at the top of this page.

12. Contact us

Questions about this privacy policy or your personal information?

Email: privacy@getloot.ca

Mailing address: 14 Eastaff St., St. John’s, NL A1E 2J4

You can also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca if you have concerns about how we handle your personal information. Quebec residents may contact the Commission d’accès à l’information du Québec at cai.gouv.qc.ca.

13. Security breaches and notification

We take the security of your personal information seriously. If we experience a security breach that creates a real risk of significant harm to you (such as unauthorized access to your financial data, client information, or account credentials), we will:

Notify you directly

We will contact you by email at the address on your account as soon as we are reasonably able to do so, and in no event more than 72 hours after we have determined that a breach has occurred and that it creates a real risk of significant harm.

Our notification to you will include:

  • What happened and what personal information was involved
  • What we are doing about it
  • What you can do to protect yourself
  • How to reach us with questions

Report to the OPC

We will also report the breach to the Office of the Privacy Commissioner of Canada, as required by PIPEDA. Quebec residents: we will also report to the Commission d’accès à l’information du Québec as required under Quebec Law 25.

What we keep on file

We maintain an internal record of all privacy breaches, whether or not they trigger mandatory notification, as required by law.

If you believe your Loot account has been compromised, please contact us immediately at privacy@getloot.ca or change your password through the app.