Data Packet Expiry Policy (DPEP)

Overview

Looma’s Data Packet Expiry Policy (DPEP) is being developed as a core part of our “Privacy by Design” framework. It defines how anonymised data shared through Looma’s future marketplace will have a clear and finite lifecycle, ensuring data never exists indefinitely.

How it will work

When anonymised data packets are created and shared through Looma, each packet will be encrypted and assigned a unique expiry key.

After a fixed period typically five years, that key will automatically expire, rendering the packet unreadable and permanently inaccessible.

This expiry process will apply to all anonymised datasets within the Looma ecosystem, including those shared with third party buyers under user approved campaigns.

Why it matters

• Protects user privacy: No indefinite data retention or long‑term tracking.
• Builds trust: Users will see the expiry date for every data packet they share.
• Supports compliance: Designed to align with GDPR, UK DPDI and EU Data Act principles for data minimisation and limited retention.
• Encourages data freshness: Buyers will access relevant, time bound insights rather than outdated or legacy data.

Planned options

The default expiry period will be five years, but shorter cycles, for example two or three years, may apply to specific campaigns, particularly those involving sensitive or health related data.

Buyers will only be able to request extended access if a user explicitly renews consent before the key expires.

Deletion and verification

When an expiry key lapses:

• The data packet will become cryptographically inaccessible.
• Metadata confirming expiry will be logged to Looma’s provenance ledger.
• Users will be able to view expired items in their Vault history for full transparency.

Our commitment

Looma’s DPEP will be a built in safeguard to ensure personal insights remain valuable but never perpetual.

Your data should work for you, not follow you forever.