Privacy Policy

1. Who this applies to

This policy applies to everyone who visits our website or uses the LootCollect dashboard, wherever you are located, with specific sections for users in the European Economic Area (EEA), the United Kingdom, and the United States.

2. Information we collect

Information you provide

• Account data — your email address and password (stored only as a salted hash), or, if you sign in with Google or Discord, the account identifier, name, and avatar those providers share with us.
• Schedule data — the target URLs, request parameters, and run frequency you configure.
• Communications — messages you send us for support.

Information collected automatically

• Usage and log data — run attempts and their results, timestamps, response codes, error messages, and basic technical logs (e.g. IP address, browser type) generated when you use the Service.
• Essential cookies — a single authentication cookie that keeps you signed in. See our Cookie Policy.

We do not intentionally collect special-category data (e.g. health, biometrics) or payment card details.

3. How we use your information

• To create and operate your account and authenticate you.
• To run your scheduled tasks and show you logs and status.
• To operate, secure, debug, and improve the Service and prevent abuse.
• To communicate with you about the Service and respond to support requests.
• To comply with legal obligations and enforce our Terms of Service.

Legal bases (EEA / UK users)

Where the GDPR or UK GDPR applies, we rely on:

• Performance of a contract — to provide the Service you sign up for.
• Legitimate interests — to secure, maintain, and improve the Service and prevent fraud/abuse, balanced against your rights.
• Consent — where required (e.g. optional communications); you may withdraw it at any time.
• Legal obligation — where we must process data to comply with the law.

4. Cookies

We use only strictly necessary cookies. We do not use advertising or cross-site tracking cookies. Details are in our Cookie Policy.

5. How we share information

We do not sell your personal data. We share it only with:

• Service providers (processors) who help us run the Service, including our cloud hosting and database providers, our email provider (Resend), and our automation infrastructure provider. These act on our instructions under contract.
• Identity providers (Google, Discord) if you choose to sign in with them.
• Authorities or third parties where required by law, to protect our rights, or in connection with a merger, acquisition, or asset sale.

6. International data transfers

We and our providers may process data in countries outside your own, including the United States. Where we transfer personal data out of the EEA or UK, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) or reliance on an adequacy decision.

7. Data retention

We keep account data for as long as your account is active and as needed to provide the Service. Run logs and attempt records are retained for operational and troubleshooting purposes and then deleted or anonymized. We may retain limited data longer where required to meet legal obligations or resolve disputes. You can ask us to delete your account at any time (see Section 8/9).

8. Your rights (EEA / UK)

Subject to applicable law, you have the right to:

• Access a copy of your personal data;
• Rectify inaccurate data;
• Erase your data (“right to be forgotten”);
• Restrict or object to certain processing;
• Data portability;
• Withdraw consent at any time; and
• Lodge a complaint with your local data protection authority.

To exercise these rights, contact us at [email protected].

9. Your rights (United States)

Depending on your state (e.g. California under the CCPA/CPRA, and similar laws in Virginia, Colorado, Connecticut, and others), you may have the right to know, access, correct, and delete your personal information, and to opt out of the “sale” or “sharing” of personal information and targeted advertising. We do not sell or share your personal information as those terms are defined under these laws, and we do not use it for cross-context behavioral advertising. We will not discriminate against you for exercising your rights. To make a request, email [email protected]; you may use an authorized agent, and we will verify requests as required by law.

10. Security

We use reasonable technical and organizational measures to protect your data, including hashed passwords, encrypted transport (HTTPS), and access controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

11. Children’s privacy

The Service is not directed to children. You must be at least 16 (EEA/UK) or 13 (United States), or older where your local law requires. We do not knowingly collect data from children below these ages; if you believe we have, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will post the new version here with an updated date and, where appropriate, notify you of material changes.

13. Contact us

Questions or requests: [email protected]. Data controller: [Operating Entity Name], [registered address]. If you are in the EEA or UK and we are required to have a representative, our representative is [EU/UK Representative — name & contact].