Privacy
Statement

Last updated: Apr 16, 2026
Controller: Lomeo
Country of establishment: The Netherlands
Contact: [email protected]

1. Introduction

Lomeo is a Stripe App that helps merchants manage transactional communications related to their services. This Privacy Statement explains what personal data Lomeo collects, why, how long it is kept, and what rights you have, whether you are a merchant (a Stripe Dashboard user who installs Lomeo) or an end-user (a person whose email address is collected by merchants via Lomeo).

Lomeo operates as an independent controller for merchant account and service operations, and as a processor for end-user email delivery actions performed on behalf of merchants.

Payment transaction data is processed by Stripe in Stripe's own payment infrastructure. Lomeo does not control or store payment card data.

2. Who This Statement Applies To

  • Merchants: businesses or individuals who install Lomeo via the Stripe App Marketplace.
  • End-users: individuals whose email addresses are collected by merchants using Lomeo.

3. Data We Collect

3.1 Merchant Data
When a merchant installs Lomeo, we receive and store: Stripe Account ID, business name, account email address, country, and installation/activity timestamps. Merchants may also configure sender name, sender address, and sender domain for transactional email delivery.

3.2 End-User Data
We only collect and store the email address of end-users for transactional communication initiated by the merchant (for example, order confirmation and service notifications).

We do not collect or store other end-user personal data (including names, phone numbers, addresses, payment card details, or financial data). All payments are processed directly by Stripe, and Lomeo does not receive or store payment-related information.

3.3 Operational Logs
We maintain operational records for system reliability with retention by category: 7-day retention for email outbox and worker run logs, and 30-day retention for webhook processing, fulfillment, and account snapshot records.

3.4 Website newsletter
If you subscribe via the “Stay updated” form in our website footer, we collect your email address to send occasional product news and updates about Lomeo. We also record the page you subscribed from and the subscription date. This data is stored in a Google Sheet (Google Workspace) operated by us. You may unsubscribe or request deletion at any time by contacting [email protected].

4. Legal Basis for Processing (GDPR Article 6)

Merchant account setup and app operation: Contract performance (Art. 6(1)(b)).
Transactional email delivery to end-users: Contract performance (Art. 6(1)(b)) and/or legitimate interest of the merchant (Art. 6(1)(f)).
Operational logs: Legitimate interest in service reliability (Art. 6(1)(f)).
Website newsletter: Consent (Art. 6(1)(a)) when you submit the subscription form.

5. Data Retention

We retain data only for the minimum period necessary:

  • End-user email addresses: 1 year from collection, then automatically deleted.
  • Email outbox and worker run logs: 7 days, then automatically deleted.
  • Webhook processing, fulfillment, and merchant account snapshot records: 30 days, then automatically deleted.
  • Merchant account data after uninstall: retained for 30 days, then permanently deleted.

When a merchant uninstalls Lomeo App, their account is marked inactive. After 30 days, we purge merchant rows and related relational records (via database cascade rules), and remove related QR files from object storage. If reinstalled within that 30-day window, data may be restored. After 30 days, deletion is irreversible.

6. Data Sharing

Lomeo does not sell personal data. Data is shared only to operate the service:

  • Stripe (app infrastructure).
  • Postmark (transactional email delivery).
  • Fly.io (application hosting and infrastructure).
  • Supabase (database hosting).
  • Google (Google Sheets for website newsletter subscriber list).

We do not share merchant or end-user data with advertisers, data brokers, or third parties for marketing.

International transfers: Lomeo infrastructure may process data in Europe and North America. Where data is transferred outside the EEA/UK, we rely on GDPR-compliant mechanisms such as adequacy decisions or SCCs with relevant providers, plus supplementary safeguards.

7. Merchant Responsibilities

Merchants who collect end-user email addresses through Lomeo act as independent data controllers for their own customers. Merchants are responsible for having a lawful basis, providing their own privacy notice, and complying with GDPR obligations.

8. Data Portability — CSV Export

Merchants may export end-user email records (with transaction timestamps) as CSV at any time from the Lomeo app.

9. Your Rights (GDPR)

You may request access, rectification, erasure, restriction, portability, or object to processing where applicable.

Merchants: submit requests via Stripe Dashboard/Lomeo app features where available, or contact [email protected].

End-users: please contact the merchant you interacted with first. The merchant is your primary controller and request handler. If Lomeo receives an end-user request directly, we may redirect it to the relevant merchant and assist where legally required.

If unsatisfied, you may file a complaint with the Dutch data protection authority: autoriteitpersoonsgegevens.nl.

10. Security

We use appropriate technical and organizational measures, including encrypted transmission (TLS), strict access controls, least-privilege access, short log retention, backup/recovery controls, incident response procedures, and no storage of payment card or financial data.

11. Changes to This Statement

We may update this Privacy Statement from time to time. The “Last updated” date reflects the most recent revision. Continued use of Lomeo after changes constitutes acceptance of the updated statement.

Features Pricing How to Lomeo
Privacy statement Terms and conditions [email protected]