GDPR Compliance
Last updated: February 15, 2026
Loqa is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland under the General Data Protection Regulation (GDPR). This page documents our processing activities, data protection agreements, breach procedures, and how you can exercise your rights.
1. Data Processing Agreement (DPA)
This Data Processing Agreement governs the processing of personal data by Loqa on behalf of its users and enterprise customers (the "Controller"). Loqa acts as a Data Processor under Article 28 GDPR.
1.1 Scope of Processing
Loqa processes personal data solely to provide the messaging platform service, including:
- Account registration and authentication
- Message delivery, storage, and retrieval
- Server membership and role management
- User preferences and settings synchronization
- Optional voice and video communication
1.2 Processor Obligations
Loqa, as Processor, shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 1.5)
- Assist the Controller in responding to data subject requests
- Delete or return all personal data at the end of the service relationship, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
1.3 Sub-processors
Loqa uses the following sub-processors to deliver the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Infrastructure hosting (VPS) | EU / US |
| Cloudflare | CDN, DDoS protection, DNS | Global (edge) |
| Vanta | Compliance automation & monitoring | United States |
We will notify the Controller before adding or replacing sub-processors, providing an opportunity to object.
1.4 International Data Transfers
When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by additional technical safeguards including encryption in transit (TLS 1.3) and encryption at rest (AES-256-GCM).
1.5 Security Measures
- Encryption at rest: PII encrypted with AES-256-GCM; email addresses looked up via HMAC-SHA256 blind indexes
- Password hashing: Argon2id with memory-hard parameters
- Transport security: TLS 1.3 enforced on all connections
- E2EE for DMs and group DMs: end-to-end encryption via a Signal-style Double Ratchet protocol with forward secrecy; keys never leave the device
- Access control: role-based access following the principle of least privilege
- Audit logging: all administrative actions logged with timestamps
- No third-party trackers: zero tracking pixels, cookies, or ad networks
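As an added illustration of the at-rest scheme in the list above (example code, not Loqa's own implementation): an email address is sealed with AES-256-GCM under one key, and a separate HMAC-SHA256 key produces a deterministic blind index that a database can look up without ever storing the plaintext. The demo keys, the lowercase/trim normalization rule and the nonce || ciphertext || tag layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Constructed demo keys (hypothetical); real keys come from a KMS. They are
// independent on purpose: a leaked index key must not decrypt the records.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes selects AES-256
var indexKey = []byte("fedcba9876543210fedcba9876543210")

var block, _ = aes.NewCipher(encKey) // only fails on a bad key size, fixed above
var aead, _ = cipher.NewGCM(block)   // standard 12-byte nonce, cannot fail

// BlindIndex returns hex(HMAC-SHA256(indexKey, normalized email)): deterministic,
// so it works as a unique lookup column, yet reveals nothing without the key.
// Normalizing makes "Alice@Example.com " and "alice@example.com" the same row.
func BlindIndex(email string) string {
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(m.Sum(nil))
}

// Encrypt seals the address under AES-256-GCM with a fresh random nonce, so
// equal addresses produce different blobs; layout is nonce || ciphertext || tag.
func Encrypt(plaintext string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Decrypt opens a blob produced by Encrypt; any tampering fails the tag check.
func Decrypt(blob []byte) (string, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	pt, err := aead.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}
```

The index column is what a "find user by email" query matches on; the encrypted column is only opened after the row is found, so neither a database dump nor the index alone yields addresses.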
1.6 Breach Notification
See Section 3: Breach Notification Procedure below.
1.7 Data Deletion
Upon termination of the service agreement or at the Controller's request, Loqa will delete all personal data within 30 days, except where retention is required by law. Users can initiate immediate data deletion via Settings > Privacy > Delete All Account Data.
2. Records of Processing Activities (ROPA)
In accordance with Article 30 GDPR, Loqa maintains the following record of processing activities:
| Processing Activity | Data Categories | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Account registration | Username, email, password hash | User authentication & platform access | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Profile management | Display name, avatar, status | User identity & social presence | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Messaging | Message content, attachments, timestamps | Core communication service | Contract performance (Art. 6(1)(b)) | Until deleted by user or account deletion |
| Server membership | Server ID, roles, nickname, join date | Community participation | Contract performance (Art. 6(1)(b)) | Until user leaves server or account deletion |
| Friendships | User IDs, friendship status, timestamps | Social connections | Consent (Art. 6(1)(a)) | Until removed by user |
| User settings | Theme, locale, notification preferences | Platform personalization | Contract performance (Art. 6(1)(b)) | Until account deletion |
| Audit logs | Action type, user ID, target, timestamp | Security & administrative oversight | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Voice/video | Connection metadata (no recording) | Real-time communication | Contract performance (Art. 6(1)(b)) | Session duration only |
Data Protection Officer: For DPO inquiries, contact [email protected].
3. Breach Notification Procedure
Loqa maintains a formal incident response process in accordance with Articles 33 and 34 of the GDPR. In the event of a personal data breach, we follow the procedure below:
Detection & Containment
0-4 hours: Automated monitoring alerts or manual reports trigger the incident response team. Affected systems are isolated and the breach vector is contained.
Assessment & Classification
4-24 hours: The incident is classified by severity: data categories involved, number of affected users, and risk to data subjects' rights and freedoms.
DPA Notification
Within 72 hours: If the breach is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority is notified as required by Art. 33 GDPR.
User Notification
Without undue delay: If the breach is likely to result in a high risk to affected individuals, we notify them directly via email and in-app notification, describing the nature of the breach and recommended protective measures (Art. 34 GDPR).
Remediation & Review
Post-incident: Root cause analysis is conducted. Security controls are updated, and lessons learned are documented. A full incident report is made available to affected Controllers.
4. Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data. We provide both in-app tools and manual processes to fulfill these rights:
Right of Access (Art. 15)
You can access all data we hold about you. In-app: Settings > Privacy > Request My Data.
Right to Rectification (Art. 16)
Update your profile, display name, and settings at any time via Settings > My Account.
Right to Erasure (Art. 17)
Delete all your data permanently. In-app: Settings > My Account > Delete All Account Data.
Right to Data Portability (Art. 20)
Export your data in machine-readable JSON format. In-app: Settings > Privacy > Request My Data.
Right to Restrict Processing (Art. 18)
Request restriction of processing by contacting [email protected].
Right to Object (Art. 21)
Object to processing based on legitimate interests by contacting [email protected].
To exercise any right, you can use the in-app tools or contact us at [email protected]. We will respond to all requests within 30 days.