Privacy Policy

Loppa · Last updated: 11 April 2026 · Governing law: UK GDPR This policy explains what personal data Loppa collects, why we collect it, who we share it with, and what rights you have. We are committed to handling your data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Loppa Market Limited, 23a St. Ann's Road, SW139LH London ("Loppa", "we", "us", "our") is the data controller for personal data collected through this website. Loppa is registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is ZC121742. Questions about this policy or your data: hello@loppa.market

2. What data we collect and why

We only collect data that is necessary for the purposes set out below. Each category includes what we collect, why, and the lawful basis under UK GDPR.

Account data

What: email address, first name, last name, country, city.
Why: to create and manage your account and send transactional emails (e.g. application updates, welcome email).
Lawful basis: performance of a contract.

Profile data (optional)

What: bio, profile photo, and a social media link (if provided).
Why: to display on your public profile so other users can learn about you and build trust before meeting in person. This data is entirely optional — you can use Loppa without providing it. When you replace or remove your profile photo, the previous image is deleted from our storage.
Lawful basis: legitimate interest.

Pop-up listing data (hosts only)

What: full address, images, description, brands, categories, dates.
Why: to organise and run your pop-up and display it to potential attendees.
Lawful basis: performance of a contract.

Shipping address (hosts only)

What: address line, city, country, postal code.
Why: to send optional pop-up add-ons you request when creating a Loppa.
Lawful basis: performance of a contract.

Payment data

What: transaction amounts, currency, line items, promotion codes, payment processor reference IDs, shipping address snapshot at time of payment.
Why: to process the listing fee for hosting a pop-up.
Lawful basis: performance of a contract; legal obligation for retention of financial records.
Card details are handled directly by Stripe and are never stored by Loppa.

Participation data

What: application message submitted when requesting to attend a pop-up.
Why: to allow hosts to review and respond to attendance requests.
Lawful basis: performance of a contract.

Contact form

What: name, email address, message.
Why: to respond to your enquiry.
Lawful basis: legitimate interest.

Spaces waitlist

What: first name, last name, email address, country, city, product categories of interest.
Why: to notify you when Loppa Spaces (publicly hosted pop-ups) launches.
Lawful basis: consent. You may withdraw at any time by contacting hello@loppa.market.

Authentication data

What: session tokens; OAuth tokens if you sign in with a third-party sign-in provider. We only access the name and email address your provider shares with us.
Why: to keep you securely signed in.
Lawful basis: performance of a contract.

Technical and usage data

What: IP address, browser type, device type, pages visited, timestamps. Collected automatically by our web infrastructure and, where you have opted in, by analytics tools.
Why: to operate the platform securely, diagnose technical issues, and (with your consent) understand how the site is used.
Lawful basis: legitimate interest for infrastructure logs; consent for analytics and advertising tools.

Consent records

What: timestamped audit trail of your consent choices (e.g. when you accepted the terms, whether you opted in to promotional emails).
Why: to demonstrate compliance with our legal obligations.
Lawful basis: legal obligation.

Email delivery logs

What: recipient address, email subject, template type, delivery timestamp.
Why: to ensure reliable email delivery and debug issues.
Lawful basis: legitimate interest.

3. Data shared with other users

Part of how Loppa works is connecting hosts and attendees. Some of your data is therefore visible to other logged-in users:

All logged-in users can see a host's full name, bio (if provided), social media link (if provided), country, and city.
Attendees whose application has been approved can additionally see the host's full pop-up address and all listing details.
Hosts can see an approved attendee's publicly available profile information (such as name, photo, bio, location, and social media link, where provided) as well as the message submitted with their application.

We do not sell, rent, or trade your personal data to third parties for their own purposes.

4. Third-party processors

We use the services below to operate the platform. Each acts as a data processor on our behalf and is contractually bound to handle your data only as we instruct.

Processor	Purpose	Country
Convex	Database and backend infrastructure	United States
Vercel	Web hosting and content delivery	United States
Stripe	Payment processing	United States
Resend	Email delivery	United States
Cloudflare R2	Image and file storage	United States
Radar.io	Address autocomplete when creating a pop-up	United States
Google Tag Manager	Tag management	United States
Google Analytics 4, Meta Pixel, Pinterest Pixel, Google Consent Mode	Analytics and advertising (only active if you have opted in via the cookie banner)	United States

Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses to ensure your data receives an equivalent level of protection.

5. Cookies

Essential (always active): session authentication, consent preferences, and language setting. Required for the site to function — cannot be disabled.
Functional (opt-in): enables enhanced features and personalisation.
Analytics (opt-in): Google Analytics, Google Consent Mode — used to understand how visitors use the site.
Advertising (opt-in): Meta, Pinterest — used to show relevant marketing.

The Cookie banner will appear for Users before any non-essential Cookies are activated. User consent is required prior to the activation of any opt-in Cookies, and the default settings do not include analytics or advertising cookies. Preferences can be updated at any time via Cookie settings in the footer.

6. Data retention

Data category	Retention period
Account and profile data	Until account deletion is requested
Pop-up and participation data	Until account deletion is requested
Payment records	6 years (UK tax and financial reporting requirements)
Contact form submissions	12 months
Spaces waitlist	Until feature launches or removal is requested
Email delivery logs	12 months
Consent records	Account lifetime + 3 years after deletion
Technical and infrastructure logs	30 days
Authentication / session data	Duration of session; OAuth tokens held until account deletion

7. Your rights under UK GDPR

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — request that we delete your personal data ("right to be forgotten"). We will process erasure requests in accordance with our obligations under UK GDPR. Certain data may be retained where we have a legal obligation to do so (for example, payment records required for tax compliance).
Restriction — ask us to pause processing of your data in certain circumstances.
Portability — receive your data in a structured, commonly used, machine-readable format.
Objection — object to processing carried out on the basis of legitimate interest.
Withdraw consent — withdraw consent at any time, without affecting the lawfulness of prior processing.
Automated decisions — we do not make solely automated decisions about you that have legal or similarly significant effects. Pop-up review decisions are made by a member of our team.
Complain — lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. How to exercise your rights

Email and notification preferences can be managed directly in your account settings on the site. For all other requests — including access, erasure, or portability — email hello@loppa.market. We will respond within one calendar month.

9. Data security

Data is stored on Convex infrastructure with encryption at rest and in transit. Images and files are stored on Cloudflare R2. We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. Access is limited to team members who require it to provide support.

10. Data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay. If you become aware of or suspect a data breach, contact us immediately at hello@loppa.market.

11. Children

Loppa is for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data to us, contact hello@loppa.market and we will delete it promptly.

12. Changes to this policy

We may update this policy periodically. Where changes are material, we will notify you by email before they take effect. The date at the top of this document reflects the most recent revision.

Contact

Loppa has not appointed a Data Protection Officer, as we are not required to do so under UK GDPR. Data protection queries should be directed to hello@loppa.market.

Loppa · Privacy Policy · 11 April 2026