← Back to LendLoop

Privacy Policy

Last updated: April 20, 2026

1. Who we are

LendLoop ("LendLoop", "we", "us", "our") is operated by Trip.Fish LLC, a United States limited liability company and the data controller for your personal data. You can reach us by mail at Trip.Fish LLC, [ADDRESS ON FILE], United States, or by email at privacy@lendloop.co.

This policy explains what data we collect through the LendLoop web app and iOS app (together, the "Service"), how we use it, who we share it with, and the rights you have over it. We take a strict-minimum approach: we try to collect as little as possible, keep it only as long as we need it, and give you straightforward controls to delete it.

2. Data we collect

Account identity

When you sign in with Google, we receive and store your name, email address, profile image URL, and Google user ID. When you sign in with Apple, we receive your Apple user ID and (if you choose to share it on first sign-in) your name and email. We never receive your Google or Apple password.

Content you create

Items you track (names, emojis, optional photos), lending and borrowing records, expected return dates, optional notes, activity feed posts, likes, comments, and crew memberships. Photos you upload are stored on our hosting provider's disk volume and served from our own domain.

Technical and session data

IP address, browser or device user agent, and a NextAuth session token used to keep you signed in. On the mobile app we also store a session token in the iOS secure keychain.

Product analytics

A Mixpanel distinct ID and a Google Analytics 4 client ID, plus events describing how you use features (for example, creating an item, sending a share link, marking a return). We do not use these analytics tools to build advertising profiles about you.

3. What we do NOT collect

  • Payment card or bank account information — LendLoop is free to use.
  • Precise or coarse location data.
  • Your contacts, calendar, microphone, camera roll (beyond photos you explicitly upload), or HealthKit data.
  • Advertising identifiers (IDFA) and cross-site tracking data.
  • Biometric data.

4. How we use your data

  • To run the Service — authenticate you, show items you've added, generate share links, and render the activity feed.
  • To send transactional notifications such as overdue-item reminders and crew invitations, by email or web/mobile push.
  • To measure product usage in aggregate so we can decide what to build next.
  • To detect and prevent abuse, fraud, and security incidents.
  • To comply with legal obligations when required.

We do not sell your personal data. We do not use it to train machine-learning models and we do not share it with advertising networks.

5. Legal bases (EEA / UK users)

If you are in the European Economic Area or United Kingdom, we rely on the following legal bases under the GDPR/UK GDPR:

  • Contract: providing the Service you signed up for.
  • Legitimate interest: product analytics, security, and service improvement, balanced against your rights.
  • Consent: where required (for example, opt-in push notifications). You can withdraw consent at any time.
  • Legal obligation: responding to lawful requests and keeping required records.

6. Third-party processors

We use a small set of service providers ("processors") who handle data on our behalf under contract. They may not use your data for their own purposes.

  • Google — Sign in with Google (authentication).
  • Apple — Sign in with Apple (authentication).
  • Railway — hosting, Postgres database, and file storage (United States).
  • Mixpanel — product analytics.
  • Google Analytics (GA4) — aggregate traffic analytics.
  • Resend (or SendGrid) — transactional email delivery.
  • Sentry — crash and error reporting (being rolled out).

7. Data we share with other users

LendLoop is a social product, so some of what you create is visible to other people on purpose:

  • People you lend to or borrow from can see the item, the loan dates, and your profile name and photo.
  • Anyone you send a share link to can view the associated item and lending details until you revoke the link or it expires.
  • Activity you mark as public appears in the social feed with your name and profile photo. Activity marked as private is only visible to you and the counterparty.
  • Crew members see items you have added to that crew.

8. Retention

  • Active account data is kept while your account is active.
  • Deleted account data is hard-deleted within 30 days of the deletion request. This grace period lets us recover from accidental deletions and honour abuse investigations.
  • Server and activity logs (requests, IPs, user agents) are retained for up to 90 days and then deleted or aggregated.
  • Email delivery records held by our email processor are retained per that provider's policy (typically 30 days).
  • Analytics events are retained in aggregate for up to 24 months.

9. Your rights

Regardless of where you live, you can ask us to:

  • Access the data we hold about you.
  • Correct data that is inaccurate.
  • Delete your account and associated personal data.
  • Export a copy of your data (portability).
  • Object to or restrict certain processing, including product analytics.
  • Withdraw consent where we rely on consent.

Email privacy@lendloop.co from the address on your account and we will respond within 30 days. In-app self-serve account deletion is being added; until then, we will honour email requests. EEA/UK residents also have the right to lodge a complaint with their local data protection authority, and California residents have the additional rights described in the CCPA/CPRA (including the right to know and the right to opt out of any "sale" or "sharing" — which we do not do).

10. Children's privacy

LendLoop is not intended for children under 13 and we do not knowingly collect data from them. Account creation requires a Google or Apple account, which in turn has its own age requirements. If you believe a child under 13 has provided personal data to us, please contact us and we will delete it.

11. International transfers

Trip.Fish LLC and our hosting provider are based in the United States, which means personal data from users outside the US is transferred to and processed in the US. Where required for EEA/UK users we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum) with our processors to provide an adequate level of protection.

12. Security

We serve all traffic over HTTPS, store session tokens as HTTP-only cookies (web) or in the iOS secure keychain (mobile), and restrict production database access to a small number of administrators. No system is 100% secure, and we cannot guarantee absolute security, but we will notify affected users and the relevant authorities in the event of a breach as required by applicable law.

13. Opting out of analytics

Today, opting out of product analytics is not yet self-serve. If you would like us to stop associating analytics events with your account, email privacy@lendloop.co and we will honour the request. A self-serve toggle is on our roadmap.

14. Changes to this policy

We will update the "Last updated" date above whenever this policy changes and post a notice in the app for material changes. We encourage you to review this page periodically.

15. Contact

Trip.Fish LLC, [ADDRESS ON FILE], United States · privacy@lendloop.co.

Terms of ServiceBack to LendLoop