Privacy Policy

Effective date: June 1, 2026  ·  Last updated: June 1, 2026

Loofta ("we," "us," "our") respects your privacy. This Privacy Policy explains what information we collect when you use Loofta Pay, how we use it, and your rights regarding that information. We are a non-custodial service — we never hold your funds — and we aim to collect only the minimum data necessary to operate the Service.

1. Overview

Loofta Pay is a non-custodial Solana-based payment platform. Authentication is handled by Privy, Inc.; transaction data and user profiles are stored in our own database (Supabase); and certain features rely on third-party services described in Section 4. This policy applies to the Loofta Pay web application and all associated services.

2. Information We Collect

a) Information you provide directly

  • Email address — when you sign up or log in using email-based authentication via Privy.
  • X (Twitter) account details — if you choose to log in using your X account via Privy (username and profile identifier).
  • Username — if you set a custom Loofta username in settings.
  • Wallet addresses — Solana wallet addresses associated with your account, including addresses of embedded wallets created by Privy on your behalf.

b) Information generated by your use of the Service

  • Transaction records — sender/recipient identifiers, amount, timestamp, transaction hash, and status for all payments you send or receive through the Service.
  • Payment links — metadata associated with payment links you create, including any message or emoji attached.
  • Deposit and withdrawal records — including third-party protocol identifiers and transaction hashes.
  • Rewards and referral activity.

c) Technical information collected automatically

  • Browser and device type, operating system, and language preference.
  • IP address and approximate geographic location (country/region level).
  • Pages visited, features used, and interaction events — collected via Vercel Analytics in an aggregated, privacy-preserving manner.
  • Cloudflare Turnstile signals — behavioral signals used to distinguish human users from bots. No personal data is sold or shared from this process.

d) Information from third parties

  • Privy user identifier — a unique identifier assigned by Privy that we use to link your identity to your Loofta account.
  • Compliance signals — wallet address risk signals from Range Protocol used to screen withdrawal addresses.

3. How We Use Your Information

We use the information we collect to:

  • Create and manage your Loofta account.
  • Authenticate you via Privy when you log in.
  • Process, record, and display payment transactions you initiate or receive.
  • Enable you to find other users by email or username to send payments.
  • Screen wallet addresses against sanctions lists and risk databases as required by law.
  • Provide customer support and respond to your inquiries.
  • Detect and prevent fraud, abuse, and unauthorized use of the Service.
  • Send transactional notifications related to your account or payments (we do not send marketing emails without your consent).
  • Analyze aggregated, anonymized usage patterns to improve the Service.
  • Comply with applicable legal obligations.

4. Third-Party Services

We share limited data with the following third-party service providers, strictly to the extent necessary to operate the Service:

| Third Party | Purpose |
| --- | --- |
| Privy, Inc. | Identity management and embedded Solana wallet creation. Privy stores your email or social login credentials and manages your embedded wallet keys. See Privy's Privacy Policy at privy.io. |
| Supabase | Database storage for user profiles, payment history, and app state. Data is stored in a managed PostgreSQL instance. |
| Vercel | Frontend hosting (pay.loofta.xyz) and privacy-preserving usage analytics. Vercel Analytics does not use cookies or fingerprinting. |
| Railway | Backend hosting and server-side processing. |
| Helius | Solana RPC infrastructure. Transaction data is broadcast to the Solana network via Helius. |
| Range Protocol | Wallet address compliance and sanctions screening for withdrawals. |
| Defuse Protocol / Near Intents | Cross-chain deposit and withdrawal routing. Your wallet address and intended transaction are shared to facilitate cross-chain operations. |
| Cloudflare | Bot and spam protection (Turnstile). Cloudflare may process IP address and behavioral signals. |
| X (Twitter) | Optional social login. If you log in with X, Privy processes your X account identifier. |

We do not sell your personal information to any third party. We do not share your data with advertisers. We may disclose information to law enforcement or regulators if required by applicable law, court order, or to protect the safety of users or the public.

5. Blockchain & Public Data

All transactions processed through the Service are recorded on the Solana blockchain, which is a public, immutable ledger. This means:

  • Transaction details including wallet addresses, amounts, and timestamps are permanently and publicly visible to anyone who queries the Solana blockchain.
  • We cannot delete, modify, or obscure blockchain records.
  • Payment links contain a short identifier that may be shared publicly; the link itself reveals only the payee's identifier and requested amount, not their full wallet address unless the payer views the chain.

You should be aware of the public nature of blockchain transactions before using the Service. Our non-custodial architecture means your wallet address is the primary identifier for your funds on-chain.

6. Information Sharing

We may share your information in the following circumstances:

  • With service providers listed in Section 4 as necessary to operate the Service.
  • With other users to the minimum extent required to complete a transaction (e.g., a payer can see that their payment was sent to your username or wallet address).
  • In connection with a merger, acquisition, or sale of all or a portion of our assets — in which case your information would be subject to the acquirer's privacy policy.
  • If required by law, regulation, legal process, or governmental request.
  • To protect the rights, property, or safety of Loofta, our users, or the public.

7. Data Retention

We retain your account information and transaction history for as long as your account is active, plus a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements.

If you request deletion of your account, we will delete or anonymize your personal information within 30 days, subject to our obligation to retain certain records under applicable law (e.g., AML regulations may require us to retain transaction records for up to 5 years).

Blockchain transaction data is permanent and cannot be deleted, as described in Section 5.

8. Security

We implement industry-standard technical and organizational security measures to protect your information, including:

  • Encryption of sensitive keys at rest using Google Cloud KMS (Key Management Service).
  • HTTPS encryption for all data in transit.
  • Access controls limiting internal access to personal data.
  • Supabase row-level security policies to ensure users can only access their own data.
  • Cloudflare Turnstile to prevent bot abuse and unauthorized automated access.

No security system is impenetrable. We cannot guarantee the security of your information, and you use the Service at your own risk. You are responsible for securing your own wallet credentials and login methods.

9. Cookies & Local Storage

The Service uses minimal cookies and browser storage:

  • Essential session cookies — set by Privy to maintain your authenticated session. These are strictly necessary and cannot be disabled without breaking login functionality.
  • Local storage — the application may store non-sensitive state (e.g., UI preferences, wallet connection state) in your browser's local storage.
  • Cloudflare Turnstile — may set a cookie to remember a successful bot challenge.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Vercel Analytics is cookieless.

10. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent laws:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction — request that we restrict processing of your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on your consent, withdraw it at any time.

To exercise any of these rights, email us at privacy@loofta.xyz or contact@loofta.xyz. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Our legal bases for processing include: performance of a contract (operating the Service for you), compliance with legal obligations, and our legitimate interests in fraud prevention and service improvement.

11. Your Rights (CCPA / California)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale — we do not sell your personal information.
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

To make a CCPA request, contact us at contact@loofta.xyz. We will verify your identity before processing the request.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child under 18, please contact us immediately at contact@loofta.xyz and we will delete such information promptly.

13. International Data Transfers

Loofta operates globally and your information may be transferred to, stored in, and processed in the United States and other countries where our service providers maintain infrastructure. By using the Service, you consent to such transfers.

Where we transfer personal data from the EEA or UK to countries not deemed to provide an adequate level of data protection, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and, where required, notify you through the application or by email. We encourage you to review this policy periodically.

15. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Loofta — Privacy

Email: privacy@loofta.xyz

General: contact@loofta.xyz

Website: loofta.xyz