Privacy Policy

Effective date: 25 May 2026

1. What this notice covers and the laws behind it

This Privacy Policy describes how Lootbit Ltd (“we,” “us,” “our”) collects and processes personal data when you visit lootbit.com (the “Website”), set up an Account, place an order for digital products, contact support, or otherwise engage with our services (the “Services”). We are committed to privacy by design and to following the data protection laws that apply, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK GDPR, and other privacy rules that may be relevant based on where you are and how you use the Website. “Personal data” means information that identifies you or can reasonably be connected to you — for example, your name, email, billing and transaction identifiers, device identifiers, or online identifiers such as an IP address. This Policy explains what data we gather, why and on what legal grounds we process it, how long we keep it, when we share it, what rights you have, and how to contact us. Unless stated otherwise, Lootbit Ltd is the data controller for the processing described here. We may revise this Policy to reflect changes in our Services, our data practices, legal requirements, security standards, or business operations; when we do, we will change the effective date shown at the top, and the current version is always available on lootbit.com. If a change has a material effect on how we process personal data, we may provide additional notice through a visible banner, an in-account message, or an email where appropriate. By continuing to use the Website after an updated Policy takes effect, you indicate that you have read it. If you do not agree with this Policy, you should stop using the Website.

2. Legal bases for processing and your rights

Where the GDPR or UK GDPR applies, we process personal data only when we have a valid legal basis. Depending on the situation, our processing may rest on: (i) performance of a contract — for instance, creating and managing your Account, handling Orders, delivering digital products, and providing support; (ii) legal obligations, including accounting, tax, recordkeeping, responding to lawful requests, and applying risk controls; (iii) legitimate interests, such as keeping the platform secure, preventing abuse, improving functionality, and defending legal claims, provided those interests are not outweighed by your rights; and (iv) consent, for example where you opt in to marketing messages or where non-essential cookies need consent in your region. If you are in the EEA or UK, you may have the right to access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent (where consent is the basis). You can exercise these rights by contacting us (see the final section). We may confirm your identity in order to protect your data. If you think we have handled your data unlawfully, you may complain to the relevant supervisory authority (including the UK ICO), although we encourage you to contact us first so we can resolve the matter quickly.

3. Keeping this notice current

Although Section 1 explains that this Policy can change, it is worth setting out separately what that means for you. The latest version of this Policy is always the one published on the Website, and it replaces any earlier version from the moment it takes effect. We recommend reviewing it from time to time, particularly before making purchases or using new features, so that you stay aware of how your data is handled. If you disagree with the changes we make, you may stop using the Website and ask us to close your Account and delete your personal data so far as the law permits, subject to the retention duties and lawful exemptions described later in this Policy. Where local law grants mandatory rights that cannot be waived, those rights apply regardless of how this Policy is worded, and no update we publish will reduce protections below the level the law requires.

4. The kinds of information we handle

We process various categories of personal data depending on how you interact with the Website. Common categories include: Account and identity data (such as your name, email address, username, authentication and security details, and account preferences); transaction and order data (products bought, order history, timestamps, pricing, currency, delivery status, and limited payment-related data such as payment status, authorization results, or fraud signals supplied by payment partners — note that we do not deliberately store full card numbers); contact and communication data (support tickets, emails, chat messages, and related metadata); technical and device data (IP address, browser type, device identifiers, operating system, language/time zone, cookie/session identifiers); usage and analytics data (pages viewed, clicks, navigation patterns, search queries, time spent, error logs, performance metrics, and referral/source information); and cookie and tracking data (cookie identifiers, pixels, tags, and similar technologies, subject to your preferences). In some cases you may give us extra data voluntarily — for example, information you include in a support message. Wherever data can be linked to you, we treat it as personal data and protect it under this Policy.

5. Sources of personal data

We collect personal data in three main ways. First, you provide it directly when you register an Account, place an Order, contact support, sign up for communications, take part in promotions, or fill in forms. Second, we collect it automatically by technical means as you browse and use the Website, including through server logs, cookies, and analytics tools; this can include your IP address, device and browser attributes, the pages you visit, session length, click events, error reports, and similar operational data. Third, we may receive limited data from third parties that help us operate safely and provide the Services, including payment processors (transaction status, authorization outcomes, fraud indicators), security and anti-fraud partners (risk signals), email delivery providers (delivery status), and analytics providers (aggregated usage insights). We use these sources to deliver digital products, prevent unauthorized transactions, troubleshoot problems, and improve performance. Where we obtain data from third parties, we process it only for legitimate purposes and in line with our contracts and legal duties. We do not deliberately collect more data than is reasonably needed for the purposes described in this Policy.

6. Consent, preferences, and marketing choices

Some processing activities are optional and depend on your preferences. Where the law requires it, we ask for your consent before enabling non-essential cookies, analytics, personalization, or marketing messages. You may withdraw consent at any time, and doing so does not affect any processing that took place beforehand. If you withdraw consent for a particular feature (for example, analytics cookies), the Website should keep working, though some non-essential functions may be reduced. Alongside consent-based processing, we may still process certain personal data for contract performance, legal obligations, and legitimate interests — such as fraud prevention, account security, and recordkeeping. As for promotional messages specifically, we send marketing (such as newsletters, product updates, and offers) only where the law allows and on a lawful basis — usually your consent or, in limited situations, legitimate interests subject to an opt-out. You can opt out at any time using the unsubscribe link in our emails or by contacting support, and you can ask us to remove your email from marketing lists, which we will honor promptly. Opting out of marketing does not affect essential communications about your Account and Orders, such as receipts, delivery notices, security alerts, and policy updates — these may be sent even if you have unsubscribed, because they are necessary to operate your Account. We do not share your personal data with third parties for their own independent marketing unless you have given explicit consent.

7. What we do with your information

We process personal data for clearly defined purposes. The core ones include: (a) providing the Services and fulfilling Orders, including creating Accounts, handling checkout, confirming payments, delivering digital products, and keeping purchase records; (b) customer support and communication, such as answering questions, dealing with complaints, helping with delivery, and sending service notices; (c) security, fraud prevention, and abuse monitoring, including detecting suspicious behavior, account takeovers, bot activity, chargeback patterns, and policy breaches; (d) operational analytics and improvement, such as understanding how users move through the Website, diagnosing errors, improving performance, optimizing checkout, and testing features; (e) compliance and legal obligations, including tax and accounting duties, responding to lawful requests, maintaining audit trails, and defending legal claims; and (f) marketing and promotions, where permitted and based on consent or another lawful basis. We do not use personal data for purposes incompatible with these goals without giving notice and, where required, obtaining further consent. We apply data minimization, processing only what is reasonably needed for each purpose.

8. Who else may receive your information

We share personal data with third parties only as far as it is necessary for the purposes set out in this Policy. We do not sell personal data. Typical recipients include: payment processors and payment service providers, to process transactions, handle authorizations, and reduce fraud; hosting, infrastructure, and security providers, to run the Website, prevent attacks, and maintain reliability; customer support and communication vendors, such as ticketing systems and email delivery providers; analytics and performance providers, to measure and improve how the Website performs (subject to a lawful basis and cookie settings); and digital fulfillment partners or suppliers, where limited data is needed to facilitate delivery or validate that a product has been issued (for example, order identifiers and product details, and in some cases an email address for delivery routing). We share only the minimum information needed and require recipients to protect data through contractual commitments such as confidentiality, security measures, and limits on processing. We may also disclose data where the law, a regulation, a court order, or a lawful request requires it, and where it is necessary to protect rights, prevent fraud, or respond to security incidents. If the Company goes through a merger, acquisition, reorganization, sale of assets, or similar corporate transaction affecting the Website or Services, personal data may be transferred as part of it; where that happens, we will require the recipient to process it in a way consistent with applicable data protection laws and to provide protections substantially similar to those in this Policy, and we will give notice where the law requires. After such a transaction, you keep the same rights over your personal data and may contact the successor controller to exercise them.

9. Viewing, fixing, and maintaining your information

We aim to keep personal data accurate and to let you review and correct it where possible. Many Account details can be changed through your Account settings — for example, your email, login information, and certain preferences. If you need help or cannot edit a field through the interface, you can contact support. You can also ask for a copy of the personal data we hold about you, subject to identity verification and any legal limits; for security reasons, we may request extra information to confirm that the requester is the Account owner or is otherwise entitled to the data. We respond within the timeframes set by applicable law and will explain if we cannot fully comply because of legal duties, the rights of others, or technical limits. At the same time, you are responsible for giving accurate information when you create an Account, place an Order, or contact us, and for keeping key details current, since accurate data is necessary for processing transactions, delivering digital products, running fraud controls, and sending reliable communications. If the email address or other contact details you provide are wrong or out of date, you may not receive digital deliveries or important security notices, and support may be unable to verify that you own an Account. If we suspect that an Account is using false or misleading information, we may restrict its functionality, ask for verification, or suspend it; while we take reasonable steps to keep records accurate, we cannot be held responsible for problems caused by information you entered incorrectly or did not update. Requests relating to transactional and accounting records may be subject to retention requirements, which means we may be unable to delete or change some information.

10. How long we hold information and when we remove it

We keep personal data only for as long as it is needed to fulfill the purposes described in this Policy, including legal, tax, accounting, security, and dispute-resolution obligations. Retention periods differ depending on the type of data and the context. For example, transaction and invoice records may be held for several years to meet legal and accounting requirements; Account data may be kept while your Account is active and then for a limited period after closure to handle disputes, prevent fraud, and comply with legal duties; support communications may be retained long enough to resolve issues, improve service, and maintain audit trails; and technical logs may be kept for security and troubleshooting and then deleted or anonymized. Where possible, we delete data or irreversibly anonymize it once it is no longer needed. If you request deletion, we will honor it so far as the law allows. Some data must be kept even after a deletion request — for example, records needed for tax, legal compliance, or fraud prevention. When we retain data, we limit access to it and apply security safeguards in line with this Policy, and we review our retention practices periodically to make sure they stay proportionate and consistent with legal requirements.

11. How we protect your data

We put in place technical and organizational safeguards designed to protect personal data against unauthorized access, alteration, disclosure, and loss. These measures may include encrypted connections (HTTPS/TLS), access controls, separation of environments, logging and monitoring, vulnerability management, and secure hosting configurations. Access to personal data is restricted to staff and contractors who need it for legitimate business reasons and who are bound by confidentiality obligations, and we also require our service providers to keep appropriate security standards. Despite these measures, no method of transmission or storage is completely secure, so we cannot guarantee absolute security. You can help protect your data by using strong passwords, not sharing login details, securing your email account, and telling us promptly if you suspect your Account has been compromised. Security-related messages may be sent even if you have opted out of marketing, because they are necessary to protect your Account and our Services.

12. Personal data breaches

Even with strong safeguards, security incidents can occur, and we maintain procedures for handling them. If we learn of a personal data breach that is likely to create a risk to individuals’ rights and freedoms, we will act to contain and investigate it and will notify the relevant authorities and affected individuals where the law requires, within the timeframes the law sets. Our priority in such situations is to limit any harm, understand what happened, and take corrective steps to reduce the chance of it happening again. We may also work with service providers, security partners, or authorities as part of investigating and resolving an incident. If an incident affects you and the law requires us to inform you, we will do so using the contact details associated with your Account, which is one more reason to keep that information current.

13. Cookies and similar technologies

We use cookies and similar technologies to provide core Website functionality, keep sessions secure, remember preferences, measure performance, and — where lawful and enabled — support advertising and marketing. Cookies are small text files stored on your device. Some are strictly necessary to run the Website (for example, to keep you logged in, preserve the integrity of the checkout flow, prevent abuse, and ensure basic functionality). Others may support analytics (understanding how users interact with pages), functional preferences (language or interface choices), and marketing or targeting (measuring how effective a campaign is or showing more relevant promotions). Where required, we ask for consent before placing non-essential cookies and give you tools to accept, reject, or customize cookie categories. You can also control cookies through your browser settings, though disabling them may affect how the Website works and may stop some features from functioning. Third-party tools embedded on the Website may set their own cookies, governed by those third parties’ policies. For a more detailed breakdown, please see our Cookie Policy and any cookie preference interface available on the Website.

14. Leaving our site: external links and platforms

The Website may contain links to third-party sites, services, or platforms — for example, the publishers or redemption platforms used to activate digital products. This Policy covers only the data we process through lootbit.com. Once you move to a third-party site, that third party’s privacy policy and terms apply, and we are not responsible for their privacy practices, security measures, or content. Some third-party services built into the Website (such as embedded tools, plug-ins, or widgets) may collect technical data (like an IP address or cookie identifier) when you interact with them; that processing is governed by the third party’s policy. If you redeem a code on a third-party platform, we do not control how that platform handles your data. We recommend reviewing third-party privacy notices before creating accounts or sharing personal data on external platforms. In addition, browser extensions or plugins installed on your device may interact with websites and collect data independently of us, and we do not control these tools. Using third-party services is at your own discretion and risk, so you should be careful and do your own checks before sharing information outside our Website.

15. Raising a concern or making a complaint

If you have questions, concerns, or complaints about privacy, the use of your data, or your rights, you can contact us using the details in the final section. We will review your request and respond within the timeframes the law requires. To protect your data, we may ask you to verify your identity before we act on a request, and we may ask for clarification if a request is broad or unclear so that we can respond properly. If we cannot fully meet a request because of legal duties (for example, accounting retention) or because doing so would affect the rights of others, we will explain why so far as we are permitted. If you are in the EEA or UK and feel we have not handled your concern adequately, you have the right to complain to a supervisory authority (such as your local Data Protection Authority or the UK Information Commissioner’s Office). We encourage you to contact us first so we can resolve matters efficiently. We take privacy seriously and will look into credible concerns, take corrective action where appropriate, and cooperate with lawful regulatory inquiries.

16. Who controls your data and how to contact them

For the purposes of the GDPR and other applicable data protection laws, the data controller is:

Lootbit Ltd
Registration No.: HE-XXXXXX
Registered Address: Nicosia, Cyprus
Email (privacy requests): support@lootbit.com

When you contact us, please describe your request clearly and include enough information for us to identify your Account (if relevant). We will respond in accordance with applicable law and may request verification to protect your personal data.