GDPR Compliance
Last updated: July 10, 2026
Loqa, Inc. is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland under the General Data Protection Regulation (GDPR). For the consumer Loqa service, Loqa generally acts as controller; where an enterprise customer directs processing under a separate agreement, Loqa may act as that customer's processor. This page documents our processing activities, data protection agreements, breach procedures, and how you can exercise your rights.
1. Data Processing Agreement (DPA)
This Data Processing Agreement section applies when Loqa processes personal data on behalf of an enterprise customer that acts as the "Controller" under its agreement with Loqa. It does not replace the Privacy Policy for processing where Loqa acts as controller.
1.1 Scope of Processing
Loqa processes personal data solely to provide the messaging platform service, including:
- Account registration and authentication
- Message delivery, storage, and retrieval
- Server membership and role management
- User preferences and settings synchronization
- Optional voice and video communication
1.2 Processor Obligations
Loqa, as Processor, shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 1.5)
- Assist the Controller in responding to data subject requests
- Delete or return all personal data at the end of the service relationship, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
1.3 Sub-processors
Loqa's production sub-processor roster depends on the deployed features and region. Core providers can include the following; feature-dependent providers for email delivery, real-time media, push notifications, payment processing, and object storage may also process data on Loqa's behalf. Contact [email protected] for the current production roster before relying on this list.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Infrastructure hosting (VPS) | EU / US |
| Cloudflare | CDN, DDoS protection, DNS | Global (edge) |
| Vanta | Compliance automation & monitoring | United States |
We will notify the Controller before adding or replacing sub-processors, providing an opportunity to object.
1.4 International Data Transfers
When personal data is transferred outside the EEA, we use an applicable transfer mechanism, which may include Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by safeguards such as TLS in transit and encryption at rest for selected sensitive fields. The production mechanism and recipient roster must be confirmed during legal review.
1.5 Security Measures
- Encryption at rest — Account email fields in the primary database use AES-256-GCM with keyed HMAC-SHA256 indexes
- Password hashing — Argon2id with memory-hard parameters
- Transport security — TLS protects supported client connections to Loqa services
- End-to-end encryption — Eligible conversation content uses E2EE when the app displays that status; coverage varies by surface and content type
- Access control — Role-based access with principle of least privilege
- Audit logging — Administrative and moderation actions are recorded for accountability according to the feature and actor role
- No advertising trackers — No third-party advertising pixels, behavioral-analytics SDKs, or ad networks; essential session storage and limited first-party diagnostics are described in the Privacy Policy
- Email validation — Format, domain, and disposable email provider checks at registration to protect sender reputation
1.6 Breach Notification
See Section 3: Breach Notification Procedure below.
1.7 Data Deletion
Loqa processes deletion requests according to the Privacy Policy, including documented security, moderation, transaction, retention-lock, and legal-hold exceptions. Users can initiate account deletion via User Settings → My Account → Standing → Account Removal or follow the public deletion instructions.
2. Records of Processing Activities (ROPA)
In accordance with Article 30 GDPR, Loqa maintains the following record of processing activities:
| Processing Activity | Data Categories | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Account registration | Username, encrypted email field, password hash or passkey metadata, age-verification result | User authentication & platform access | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Profile management | Display name, avatar, status | User identity & social presence | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Messaging | Message content, attachments, timestamps | Core communication service | Contract performance (Art. 6(1)(b)) | Until deleted by user or account deletion, subject to retention locks, legal holds, and a limited 90-day moderation-snapshot window |
| Server membership | Server ID, roles, nickname, join date | Community participation | Contract performance (Art. 6(1)(b)) | Until user leaves server or account deletion |
| Friendships | User IDs, friendship status, timestamps | Social connections | Consent (Art. 6(1)(a)) | Until removed by user |
| User settings | Theme, locale, notification preferences | Platform personalization | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Audit logs | Action type, user ID, target, timestamp | Security & administrative oversight | Legitimate interest (Art. 6(1)(f)) | Deletion-content snapshots: up to 90 days; the audit fact and other security records may remain while operationally or legally necessary |
| Voice/video | Real-time call media plus room, participant, and connection state; Loqa does not record media by default | Real-time communication | Contract performance (Art. 6(1)(b)) | Media is processed transiently; operational and security metadata may follow separate retention schedules |
| Sessions & notifications | Keyed IP hash, user agent, platform, timestamps, device identifiers, and push tokens | Authentication, account security, and notification delivery | Contract performance and legitimate interest (Art. 6(1)(b), 6(1)(f)) | For the active session or notification subscription, plus limited expiry and security grace periods |
| Reliability diagnostics | Crash type/message/stack/URL/build and aggregate encryption-health counters | Failure detection, security, and service improvement | Legitimate interest (Art. 6(1)(f)) | According to operational log and monitoring schedules |
| Purchases & community-store orders | Transaction status, entitlements, order items, contact/shipping details, and transaction identifiers | Payment, fulfillment, disputes, fraud prevention, and accounting | Contract performance and legal obligation (Art. 6(1)(b), 6(1)(c)) | For fulfillment and applicable accounting, dispute, fraud-prevention, and legal periods |
Data Protection Officer: For DPO inquiries, contact [email protected].
3. Breach Notification Procedure
Loqa maintains a formal incident response process in accordance with Articles 33 and 34 of the GDPR. In the event of a personal data breach, we follow the procedure below:
Detection & Containment
0–4 hours: Automated monitoring alerts or manual reports trigger the incident response team. Affected systems are isolated and the breach vector is contained.
Assessment & Classification
4–24 hours: The incident is classified by severity: data categories involved, number of affected users, and risk to data subjects' rights and freedoms.
DPA Notification
Within 72 hours: If the breach is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority is notified as required by Art. 33 GDPR.
User Notification
Without undue delay: If the breach is likely to result in a high risk to affected individuals, we notify them directly via email and in-app notification, describing the nature of the breach and recommended protective measures (Art. 34 GDPR).
Remediation & Review
Post-incident: Root cause analysis is conducted. Security controls are updated, and lessons learned are documented. A full incident report is made available to affected Controllers.
4. Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data. We provide both in-app tools and manual processes to fulfill these rights:
🔍 Right of Access (Art. 15)
The in-app core JSON export covers your profile, authored messages, settings, memberships, friendships, and DM channel IDs. For access to other personal-data categories, contact [email protected]. In-app: Settings → Privacy → Request My Data.
✏️ Right to Rectification (Art. 16)
Update your profile, display name, and settings at any time via Settings → My Account.
🗑️ Right to Erasure (Art. 17)
Request erasure of your account data, subject to the exceptions described in the Privacy Policy. In-app: User Settings → My Account → Standing → Account Removal.
📦 Right to Data Portability (Art. 20)
Export core account data in machine-readable JSON and request other eligible portable data from the privacy team. In-app: Settings → Privacy → Request My Data.
⏸️ Right to Restrict Processing (Art. 18)
Request restriction of processing by contacting [email protected].
🚫 Right to Object (Art. 21)
Object to processing based on legitimate interests by contacting [email protected].
To exercise any right, you can use the in-app tools or contact us at [email protected]. We will respond to all requests within 30 days.