GDPR Compliance

Last updated: May 2026

1. Data Controller

Creative Current LLC is the data controller for personal data collected through the Loftfolio platform.

Creative Current LLC
123 Innovation Drive
Wilmington, DE 19801
United States
Email: hello@loftfolio.com

2. Data Protection Officer

Our Data Protection Officer can be reached at dpo@loftfolio.com for all data protection inquiries.

3. Data We Collect

We collect the following categories of personal data:

  • Account Information: Name, email address, phone number, company name, billing information
  • Usage Data: How you interact with the Loftfolio platform, pages visited, features used
  • Tenant/Applicant Data: Information submitted through agency websites hosted on Loftfolio, including names, contact details, identification documents, financial information, and rental history
  • Communication Data: Messages sent through the platform, support inquiries, and correspondence

4. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contractual necessity: Processing necessary to provide our services under our Terms of Service
  • Consent: For marketing communications and optional cookies
  • Legitimate interests: For improving our platform, security, and fraud prevention
  • Legal obligation: Where required by applicable law

5. Data Storage and Security

All personal data is stored in secure data centers located in the European Union (West Europe). We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls
  • Regular security audits and penetration testing
  • Employee data protection training
  • Incident response procedures

6. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure (Right to be Forgotten): Request deletion of your personal data
  • Right to Restrict Processing: Request restriction of processing under certain circumstances
  • Right to Data Portability: Request transfer of your data to another service provider
  • Right to Object: Object to processing based on legitimate interests or direct marketing
  • Rights related to automated decision-making: Not be subject to decisions based solely on automated processing

7. Data Subject Access Requests (DSAR)

To exercise any of your data subject rights, please submit a request through our dedicated DSAR process:

  1. Email us at hello@loftfolio.com with the subject "DSAR Request"
  2. Include your full name, the email address associated with your account, and details of your request
  3. We will verify your identity before processing the request
  4. We will respond within 30 days (extension possible for complex requests)

All DSARs are processed free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests.

8. Data Processing Agreement (DPA)

As a data processor for our customers' tenant and applicant data, Loftfolio offers a Data Processing Agreement (DPA) to all customers who process EU personal data. To request our DPA, please contact us at hello@loftfolio.com.

Our DPA covers: subject matter and duration of processing, nature and purpose of processing, types of personal data, categories of data subjects, obligations and rights of the controller, security measures, sub-processor management, and data breach notification procedures.

9. Data Retention

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.

  • Account data: Retained for the duration of the account plus 90 days after deletion
  • Tenant data: Retained as instructed by the agency (the data controller)
  • Billing data: Retained for 7 years as required by tax regulations
  • Analytics data: Retained for up to 26 months

10. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Sub-Processors

We use the following sub-processors to deliver our services:

  • Supabase — Database hosting (EU region)
  • Vercel — Application hosting and analytics (US, EU region available)
  • Stripe — Payment processing (US)
  • Resend — Email delivery (US, EU region available)

We have DPAs in place with all sub-processors. An updated list is available upon request.

12. Data Breach Notification

In the event of a personal data breach, Loftfolio will notify affected data controllers within 48 hours and provide all necessary information to facilitate compliance with Article 33 of the GDPR.

13. Complaints

If you believe we have not complied with data protection laws, you have the right to lodge a complaint with your local supervisory authority. We encourage you to contact us first so we can resolve any issues directly.

14. Updates

We review and update this GDPR Compliance page at least annually. Material changes will be communicated to account holders via email.

15. Contact

For all GDPR-related inquiries, please contact:
Email: hello@loftfolio.com
DPO: dpo@loftfolio.com

This GDPR Compliance page is maintained by Creative Current LLC, the parent company of Loftfolio.