
Privacy Policy

Last updated: 2026-05-26. This Privacy Policy explains how Looper HQ (“Looper,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects personal information when you use our platform at looperhq.com, our API at /api/v1/*, our analytics tracker (/api/track.js), and any related services (collectively, the “Service”). This Policy is incorporated into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.

Material changes to this Policy are notified to account owners by email and in-product notice with at least fourteen (14) days’ advance notice and are reflected in the “Last updated” date above.

1. Scope and Roles

This Policy applies to (a) you, our Customer (the account holder and authorized users); (b) prospects, applicants, and visitors to looperhq.com; and (c) end users of websites, forms, chat widgets, booking pages, and other surfaces you deploy through the Service that embed our tracker or send data to our API.

Controller / processor split. For the personal information of your Customer account (your identity, billing, usage telemetry, authentication tokens), Looper acts as data controller (or, in CCPA terms, the “business”). For the personal information of your leads, contacts, subscribers, members, patients, booking guests, survey respondents, form fillers, and end users of any tenant surface you operate (collectively, “End-User Data”), you are the controller and Looper is your processor (or “service provider” under CCPA). The terms of our Data Processing Addendum (“DPA”) govern that processing; a copy is available on request at privacy@looperhq.com. You are responsible for posting an appropriate privacy notice on every Customer surface where End-User Data is collected.

2. Personal Information We Collect About Customers

  • Account data: email, display name, organization name, OAuth subject identifier (e.g., Google), and passwordless magic-link tokens.
  • Billing data: Stripe customer identifier, plan, subscription state, invoice history, tax identifiers you provide, and billing email and address. Raw card numbers and bank account details are processed directly by Stripe; we never receive or store them.
  • Customer Content: chats, missions, leads, member profiles, sites, agents, brand kits, email and SMS sequences, app-builder configs, knowledge-base entries, uploads, and any other content you submit or generate through the Service. Customer Content may itself contain End-User Data, which we process on your behalf under Section 1.
  • Operational telemetry: API call counts, credit ledger entries, error logs, audit-log entries, deployment history, performance and reliability metrics.
  • Connected-account credentials: Stripe Connect identifiers, Google Search Console refresh tokens, Gmail and Outlook OAuth tokens, and AI Provider API keys you choose to bring via BYOK. These credentials are stored encrypted at rest with AES-256-GCM and are accessible only to backend processes acting on your behalf.
  • Session cookies: a Supabase authentication cookie (sb-*), a CSRF token, and a strictly necessary product-analytics cookie (_lpr_sid) scoped to looperhq.com.
  • Communications: messages you send to support, sales, security, privacy, or legal, and attachments.

3. End-User Data Processed on Your Behalf

When you deploy a site, booking page, form, chat widget, payment link, survey, quiz, funnel, course, community, blog, member portal, or other surface through the Service, our first-party tracker, served from your domain or from looperhq.com via /api/track.js, records page visits and flow events on your behalf. For each event we process, on your behalf as your processor:

  • A hashed visitor identifier derived from IP address and user-agent using SHA-256 with a server-side salt. The raw IP address is not stored.
  • A per-visit session identifier (random, thirty-minute idle window), kept client-side in sessionStorage.
  • A long-lived first-touch cookie (_lpr_ft, 365 days, first-party) capturing only the original referrer host, channel kind, landing path, and UTM parameters, used to attribute conversions back to where the visitor first arrived.
  • Page path, hostname, referrer URL, parsed channel (search, social, AI, email, direct), UTM parameters, browser, operating system, device class.
  • Coarse geolocation (country, region, city) inferred from edge-network headers; no street-level geolocation and no raw IP.
  • Engagement events: time on page, scroll depth, and conversion events you choose to fire via window.looperConvert().
  • Any End-User Data you collect through forms, bookings, payments, subscriptions, survey responses, quiz answers, community posts, uploaded files, and other Customer-configured inputs.

Looper does not embed third-party advertising trackers (no Google Analytics, no Facebook Pixel, no AdRoll). If you embed any third-party tracker on your Customer surface, that is your responsibility to disclose and to obtain any required consent. You are responsible for posting a cookie banner where required by local law (notably under the EU ePrivacy Directive and the UK PECR), even though Looper’s own tracker is first-party and does not use cross-site identifiers.

Retention. Raw traffic events are deleted after ninety (90) days. Aggregates (totals, per-day rollups, conversion summaries) are retained until you delete the site or your account.

4. Sources of Personal Information

We collect personal information from: you (account creation, configuration, communications); your end users (form fills, bookings, payments, tracker events); third-party authentication providers when you sign in (Google); third-party services you connect (e.g., Stripe, Google Workspace, Microsoft 365); lead-data providers we route requests to on your behalf (e.g., Apollo, Hunter, Google Places, web search); and from automated logging and security tooling.

5. How We Use Personal Information

We use personal information for the following business and commercial purposes:

  • Service delivery: create and authenticate your account, serve pages and APIs, route AI calls, run automations and workflows, process payments, send messages you originate, render embedded sites.
  • Billing: compute credit usage and charge your saved payment instrument via Stripe; maintain tax and invoice records.
  • Security and fraud prevention: detect anomalous traffic, enforce rate limits, investigate abuse, protect against unauthorized access, retain audit logs.
  • Product improvement: aggregate, de-identified, or pseudonymized usage metrics inform what we ship next. We do not use your private Customer Content to train foundation models.
  • Service communications: send transactional and account messages (verification, security, billing, breach notification, material changes).
  • Marketing to Customers: send product updates, tips, plan-upgrade nudges, and similar marketing to existing Customers. You may opt out by using the unsubscribe link in each marketing email or by emailing privacy@looperhq.com. Transactional and security messages cannot be opted out of while your account is active.
  • Legal compliance: respond to lawful requests, enforce our Terms, defend or assert legal claims, comply with tax, accounting, and other regulatory obligations.

We do not sell or “share” (as defined under the CCPA/CPRA) personal information for cross-context behavioral advertising, profile Customers or end users for advertising targeting, or use one tenant’s data to benefit another tenant.

6. Lawful Basis (GDPR / UK GDPR)

Where the EU General Data Protection Regulation, the UK GDPR, or an equivalent applies, our lawful bases for processing personal information are:

  • Performance of a contract (Art. 6(1)(b)): account creation, authentication, service delivery, billing, support.
  • Legitimate interests (Art. 6(1)(f)): security and fraud prevention, abuse investigation, product analytics, internal reporting, defending legal claims, providing the Service to other Customers, and marketing to existing Customers about products similar to those they already use. Where we rely on legitimate interests, we have balanced our interests against your rights; you may object at any time.
  • Consent (Art. 6(1)(a)): where required, including for non-essential cookies set by your deployed surfaces, certain marketing in jurisdictions that require opt-in, and processing of any special-category data you choose to upload (Art. 9). You may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): retaining tax and accounting records, responding to lawful authorities.

For End-User Data processed on your behalf, your instructions and your own lawful basis govern; we process strictly per the DPA and your documented instructions.

7. Disclosure of Personal Information

We disclose personal information to the categories of recipients below, only as necessary for the purposes described in Section 5:

  • Subprocessors: the infrastructure, payments, communications, AI, and data providers listed in Section 8.
  • Other Customer users: where you authorize team members, agency clients, or community members to access shared resources.
  • Connected third-party services: providers you choose to integrate (e.g., Google Workspace, Meta, LinkedIn, X, Apollo, Hunter), to the extent you direct.
  • Professional advisors: accountants, auditors, insurers, and outside counsel under confidentiality.
  • Authorities and parties to legal proceedings: where compelled by law, court order, subpoena, government investigation, or to protect rights, property, or safety. We will challenge facially invalid or overbroad requests and, where lawful, notify the affected Customer.
  • Corporate transactions: in connection with a merger, financing, reorganization, acquisition, or sale of all or substantially all of our assets, subject to appropriate confidentiality protections and a successor commitment to honor this Policy.

We do not sell personal information for monetary or other valuable consideration. We do not “share” personal information for cross-context behavioral advertising as those terms are defined under California law.

8. Subprocessors

Looper uses the following subprocessors to deliver the Service. Each is contractually bound to confidentiality and to data protection terms substantially equivalent to ours. Material changes to this list are notified at least fourteen (14) days in advance as a material change under the Terms.

Subprocessor | Purpose | Region
Supabase | Primary Postgres database, auth, storage | US (us-east)
Vercel | App and serverless function hosting, edge network | Global edge, US primary
Stripe | Payments, subscriptions, Stripe Connect | US / EU
Anthropic | AI inference (Claude family) | US
OpenAI | AI inference (GPT, embeddings, image) | US
Google | Gemini inference, Google OAuth, Search Console, Places, Business Profile | US / EU
Perplexity | Web-search inference | US
OpenRouter | AI inference gateway (DeepSeek, Llama, Mistral, others) | US
Cerebras | AI inference (Llama 3.3 70B, streaming) | US
fal.ai | Image and video generation | US
Resend | Transactional and broadcast email | US / EU
Twilio | SMS and voice (where configured) | US / Global
Browserbase | Headless browser sessions for site capture and integrations | US
Ayrshare | Social-media publishing (Meta, LinkedIn, X, TikTok) | US
Apollo | Lead enrichment (on Customer request) | US
Hunter | Email finder and verification (on Customer request) | US / EU
Similarweb | Traffic intelligence (on Customer request, typically BYOK) | US / Global
DataForSEO | SERP and keyword data (on Customer request) | US / EU
Sentry | Application error monitoring | US

Each subprocessor publishes its own privacy policy and data protection documentation. We will provide direct links on request.

9. AI Provider Routing and Model Training

When you make an AI call (chat, mission, generation, classification, embedding, image, voice), the request is routed to whichever AI Provider the platform selects for the task. The prompt content and minimal metadata are sent to that provider for inference; we do not duplicate the data anywhere else for that purpose.

Looper has configured each AI Provider, where the provider supports it, to disable training on inputs and outputs submitted via the provider’s API. As of the “Last updated” date, Anthropic and OpenAI do not train on API customer data by default; Google Gemini API likewise. We do not train our own foundation models on your Customer Content or End-User Data. Provider behavior may change; the operative terms are those of the provider on the date of inference, and we will update this Policy to reflect material provider changes.

BYOK. If you bring your own API key on Business or Enterprise, that provider bills you directly under your own contract, and that contract (not Looper’s) governs the provider’s data use. Looper still logs the call for auditing and credit-balance display.

OpenRouter and Cerebras. OpenRouter is a U.S.-hosted gateway that proxies a unified API to underlying open-weight models including DeepSeek V3, Llama variants, and Mistral. Although DeepSeek is a Chinese-affiliated model, OpenRouter routes through U.S. infrastructure so prompt data does not transit Chinese servers. Cerebras hosts Llama 3.3 70B on its Wafer Scale Engine in Sunnyvale, California, for low-latency streaming.

10. Voice and Call Recording

Where you configure a voice agent or other call workflow through the Service (via Twilio), the Service may record calls and transcribe them for the purposes you configure (e.g., agent training, transcript retention, AI summarization). United States federal law and many other jurisdictions permit one-party consent; however, a number of U.S. states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) require all parties to a call to consent to recording. You are responsible for delivering any required notice or consent prompt to each party to a call before recording begins, including any IVR or pre-call greeting disclosure. The Service provides the technical means to play such a notice; the obligation to use it and the legal sufficiency of its content remain yours.

11. International Data Transfers

Looper’s primary infrastructure is operated in the United States (Supabase US-East), with edge processing globally via Vercel. If you access the Service from outside the United States, your personal information will be transferred to, processed in, and stored in the United States, and may be further processed in the countries where our subprocessors operate (see Section 8).

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (Module 2 controller-to-processor and Module 3 processor-to-processor as applicable), the UK International Data Transfer Addendum, and supplementary organizational and technical measures (encryption in transit, encryption at rest with AES-256-GCM for sensitive credentials, access controls, audit logging). Where a subprocessor participates, we additionally rely on the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework. Copies of executed SCCs are available on request at privacy@looperhq.com.

12. Retention

We retain personal information for as long as necessary for the purposes described in Section 5, to comply with our legal obligations, and to resolve disputes and enforce our agreements. Indicative retention windows:

  • Active account data: for the life of the account, then ninety (90) days after closure to allow reactivation and dispute resolution.
  • Billing and tax records: seven (7) years, as required by U.S. federal and state tax law.
  • Audit logs: one (1) year in active stores; backup copies cycle out within thirty (30) additional days. Customers on Enterprise may configure longer retention.
  • AI conversation logs: ninety (90) days unless you elect to retain a specific conversation, mission, or agent run in your workspace.
  • Traffic events (visitor analytics): ninety (90) days for raw events; aggregates retained for the life of the site.
  • Marketing suppression list: retained indefinitely to honor opt-outs across re-signup.
  • Backups: rolling backups managed by Supabase point-in-time recovery cycle out within thirty (30) days; deletion requests propagate through backups on that cycle.
  • Legal hold: where we have a reasonable basis to believe data is relevant to actual or anticipated litigation, regulatory inquiry, or government investigation, retention is extended for the duration of the hold.

13. Security

  • BYOK API keys and OAuth refresh tokens are encrypted at rest using AES-256-GCM with keys held outside the database.
  • Per-tenant Postgres row-level security is enforced on every table that holds tenant data.
  • HTTPS is enforced on all endpoints; HTTP Strict Transport Security is enabled on the application domain.
  • Authentication is via Google single sign-on or magic link; session lifetime is short and refreshable.
  • An audit log records every administrative or destructive action with actor email, timestamp, and before/after state.
  • Webhook signatures are verified on incoming traffic from Stripe, Resend, and other senders that support signing; SSRF protections are applied to outbound webhooks.
  • Production access is limited to authorized personnel under principle-of-least-privilege.
  • We retain a HIPAA-specific tier with a restricted subprocessor list when the tier is enabled on your plan. The HIPAA tier is opt-in and does not apply by default; we do not have a signed Business Associate Agreement (“BAA”) with you unless you have separately executed one with us. Do not upload Protected Health Information without an executed BAA.

No system is perfectly secure. You are responsible for safeguarding your credentials, using strong unique passwords on connected accounts, enabling multi-factor authentication where offered by your identity provider, and promptly reporting suspected compromise to security@looperhq.com.

14. Data Breach Notification

If we confirm a personal-data breach affecting your account, we will notify you without undue delay and in any event within seventy-two (72) hours of confirmation, consistent with GDPR Article 33 timing. The notice will describe the nature of the breach, the categories and approximate volume of personal information involved, the likely consequences, and the measures we are taking. Where we act as your processor, this notice supports your own notification obligations to data subjects and supervisory authorities; you remain responsible for those notifications.

15. Your Rights

Subject to verification of your identity and to legal exceptions, you have the following rights with respect to personal information about you that Looper processes as a controller:

  • Access: request a copy of the personal information we hold about you, including categories of information, sources, purposes, and recipients.
  • Portability: obtain your workspace data in a machine-readable format via /api/gdpr/export or by request.
  • Correction: correct inaccurate or incomplete information from your settings page or by request.
  • Deletion: delete your account and associated tenant data (cascade delete; irreversible), subject to retention obligations in Section 12.
  • Restriction and objection: restrict or object to specific processing, including processing we conduct on the basis of legitimate interests.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Lodge a complaint: residents of the EEA, UK, or Switzerland may complain to a local supervisory authority; California residents may complain to the California Privacy Protection Agency.
  • No retaliation: we will not deny, charge a different price for, or provide a different quality of service in retaliation for the exercise of any of these rights.

For End-User Data that we process on your behalf as your processor, please direct rights requests to the Customer who operates the surface you interacted with; we will support our Customers in responding within the legally required time.

Send rights requests to privacy@looperhq.com. We will respond within forty-five (45) days for CCPA/CPRA requests and within one (1) month for GDPR/UK GDPR requests, each extendable as permitted by law. We may need to verify your identity by matching your request to information already in your account or by requesting additional information.

16. California Notice (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides you with the rights summarized below. Categories of personal information we collect and disclose (using CCPA definitions) include: identifiers (e.g., name, email, online identifiers); commercial information (purchases, plan history); internet or network activity (tracker events, usage logs); geolocation (coarse, from IP); professional and employment information (where you provide it); and inferences (e.g., your engagement profile within your own workspace). We collect these categories from the sources described in Section 4, use them for the purposes in Section 5, and disclose them for business purposes to the categories of recipients in Sections 7 and 8.

  • Right to know the categories and specific pieces of personal information we have collected about you in the past twelve (12) months.
  • Right to delete personal information we have collected, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing: we do not sell or share personal information.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes that trigger the right to limit.
  • Right to non-discrimination for exercising any of these rights.

You may submit a CCPA request via privacy@looperhq.com. An authorized agent may submit a request on your behalf with written permission from you and proof of identity; we may verify the agency relationship directly with you. We retain personal information for the periods described in Section 12.

17. Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws have rights substantially similar to those in Section 16, including access, deletion, correction, portability, and (where applicable) opt-out of targeted advertising, sale, or certain profiling. We do not engage in targeted advertising, sale of personal information, or profiling that produces legal or similarly significant effects. To exercise your rights, contact privacy@looperhq.com. You may appeal a denied request by replying to our response with the word “Appeal.”

18. Children

The Service is not directed to and is not intended for use by children under sixteen (16) years of age (or under thirteen (13) where COPPA applies). We do not knowingly collect personal information from children. If you believe we have collected personal information from a child without appropriate consent, contact privacy@looperhq.com and we will delete it. As a Customer, you must not configure the Service to collect personal information from children without complying with all applicable child-privacy laws, including COPPA, the UK Age-Appropriate Design Code, and the California Age-Appropriate Design Code Act.

19. Cookies and Local Storage

On the Looper HQ application we use only strictly necessary cookies and first-party storage required to authenticate you (Supabase session), prevent cross-site request forgery, and operate the in-product analytics scoped to looperhq.com. On surfaces you deploy through the Service, our first-party tracker sets the cookies and storage described in Section 3. Customers operating surfaces in jurisdictions that require a cookie banner or consent management platform (notably EEA, UK, Brazil) must deploy one; we provide an optional cookie consent banner you can configure under /legal.

20. Do Not Track and Global Privacy Control

Because we do not engage in cross-context behavioral advertising, we do not respond differently to Do Not Track signals at the platform level. We will treat a Global Privacy Control signal received from a verified California resident as a valid opt-out of any future “sale” or “sharing,” in the unlikely event we engage in such activity.

21. Automated Decision-Making

The Service uses AI to draft, recommend, score, and prioritize, but human review is required before any decision with legal or similarly significant effect is acted upon. Looper does not make solely automated decisions with such effect about Customers or end users.

22. Changes to This Policy

Material changes to this Policy are emailed to account owners and posted in the in-product changelog at least fourteen (14) days before they take effect, and the “Last updated” date is revised. Continued use of the Service after the effective date constitutes acceptance.

23. Contact

Privacy: privacy@looperhq.com
Security disclosures: security@looperhq.com
Legal notices: legal@looperhq.com
General: info@looperhq.com

Looper has not appointed a formal Data Protection Officer; the privacy mailbox above is the designated contact for all data-protection matters, including requests by data subjects, supervisory authorities, and Customers seeking to execute a DPA. EU-based data subjects may, where applicable, also contact our EU representative; please request current details by writing to privacy@looperhq.com.