Privacy Policy
Last Updated: 9.17.25
Introduction
The Lupulin Exchange, LLC (“LEx”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website and services.
Information We Collect
We collect the following categories of personal data:
- Identification Data: Name, email, business phone, brewery name, VAT ID, address, company type (e.g., brewpub/microbrewery), company legal name and DBA, company URL, and optional mobile phone.
- Account & Transaction Data: Listings, purchases, sales, invoices, and private messages.
- Payment Data: Payment information is processed directly by our payment processor and does not pass through or get stored on our servers.
- Technical Data: IP address, device type, browser information, cookies, and similar technologies. We also use Hotjar for session recording and troubleshooting.
- Support Interactions: Communications submitted via Freshdesk support tickets, email, or chat.
How We Use Your Information and Legal Basis
We process your personal data only when we have a lawful basis to do so.
- Identification Data: Used to create and verify accounts, communicate with you, fulfill orders, and meet VAT/tax obligations.
  - Legal Basis: Contract performance and legal obligation.
- Account & Transaction Data: Used to operate our marketplace, fulfill transactions between buyers and sellers, and resolve disputes.
  - Legal Basis: Contract performance and legitimate interest (fraud prevention, dispute resolution).
- Technical Data & Analytics: Used to ensure security, detect fraud, improve site functionality, and analyze usage trends.
  - Legal Basis: Legitimate interest (security, site functionality, troubleshooting) and consent where required for analytics/marketing cookies.
- Support Interactions: Used to respond to customer inquiries and improve support processes.
  - Legal Basis: Contract performance and legitimate interest (quality assurance).
Your Rights
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under data protection law:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct or update inaccurate or incomplete information.
- Deletion: Request deletion of your personal data. We will delete or anonymize data where possible, but certain data (such as transaction records, invoices, and tax documentation) must be retained for legal and accounting purposes. In such cases, your account will be disabled and your personal data will no longer be used for active processing.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Portability: Request a copy of certain personal data in a machine-readable format.
- Objection: Object to processing where we rely on legitimate interests, including for analytics or direct marketing.
- Withdrawal of Consent: If we process your data based on consent (e.g., analytics or marketing cookies), you may withdraw consent at any time.
To exercise these rights, contact us at [email protected]. We will respond within one month as required by law. You also have the right to lodge a complaint with your local supervisory authority.
Data Controller and Contact Information
The data controller responsible for your personal data is:
The Lupulin Exchange, LLC
1715 Crabtree Falls Highway
Roseland, VA 22967
United States
For all privacy-related inquiries, please contact us at [email protected].
For individuals in the European Economic Area, the United Kingdom, or Switzerland: Lupulin Exchange Europe SRL is our licensed EU entity, but all personal data is controlled and processed by The Lupulin Exchange, LLC in the United States.
International Data Transfers
If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States.
We use appropriate safeguards to protect your data:
- EU–US Data Privacy Framework: Where our vendors participate, we rely on their certification.
- Standard Contractual Clauses: For other vendors, we use SCCs together with additional safeguards where necessary.
Data Retention
We keep your personal data only for as long as necessary to fulfill the purposes described above or to comply with legal obligations.
- Transaction Records: Retained permanently as part of our accounting records.
- User Accounts: Remain active until you request deactivation. If deactivated, we retain data required for tax and legal purposes.
- Support Tickets: Retained for reference and quality purposes.
- Analytics Data: Retained as long as possible to improve our services.
- Hotjar Recordings: Automatically deleted by Hotjar after approximately six months.
When data is no longer needed, it will be securely deleted or anonymized.
Cookies and Tracking Technologies
We use cookies, pixels, and similar technologies to operate our website and improve your experience. These may be set by us or by third-party providers.
Categories of Cookies We Use
- Strictly Necessary Cookies: Required for the site to function (e.g., security, login sessions).
- Analytics and Performance Cookies: Help us understand how visitors use the site so we can improve it. We use Google Analytics (Universal Analytics and GA4), Google Global Site Tag, and Microsoft Application Insights for this purpose.
- Marketing and Advertising Cookies: Used to deliver relevant ads and measure campaign performance. We use Facebook Pixel and Facebook Conversion Tracking.
- Experience and Troubleshooting Tools: We use Hotjar to record user sessions and generate heatmaps to improve usability and troubleshoot issues. When you are logged in, we may associate session recordings with your user ID so we can better diagnose problems you report. These recordings are processed based on our legitimate interest in providing a reliable and functional service. You may object at any time by contacting [email protected] or using Hotjar’s Do Not Track tool.
- Support Tools: Freshdesk provides our on-site help widget and ticketing system. These cookies are considered necessary for providing customer service.
- Email Tracking: SendGrid includes an open-tracking pixel so we know when our system emails have been delivered or opened.
Your Choices
Most web browsers automatically accept cookies, but you can usually modify your browser settings to refuse cookies or alert you when cookies are being set. If you choose to disable cookies, some parts of the site may not function properly. You may also use Hotjar’s Do Not Track tool or contact us at [email protected] to object to session recording.
Security and Data Breach Notification
We implement appropriate technical and organizational measures to protect your data, including:
- HTTPS/TLS encryption for data in transit
- Secure server and database configurations
- Role-based access controls and multifactor authentication
- Monitoring and logging of system activity
- Encrypted backups and disaster recovery procedures
If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy here and update the “Last Updated” date at the top. If the changes materially affect your rights, we will provide additional notice (for example, by email or through your account dashboard) before the changes take effect.