Privacy Policy

1. Introduction

PROXYGIST LLC, doing business as LOOP (“LoopHQ,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy applies to:

• The LoopHQ website (loophq.dev)
• The LoopHQ dashboard and application
• The LoopHQ chat widget embedded on your website
• The LoopHQ WordPress plugin

By using the Service, you consent to the data practices described in this policy. Please also review our Terms of Service and Usage Policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address and password when you create an account. Your password is encrypted and managed by our authentication service. If you choose to sign in with Google, we receive your Google profile information including name, email address, and profile picture. We use this information solely for account creation and authentication.
• Billing Information: Payment method details (card last four digits, card brand, expiration date) and billing email. Payment information is processed and stored by Stripe, our payment processor. We do not store full card numbers.
• Knowledge Base Content: Documents, Q&A entries, and website content you upload to train your AI agent.
• AI Agent Configuration: Agent settings, custom instructions, branding preferences, and response behavior settings.
• Communications: Messages and feedback you send to our support team.
• Calendar Integration Data: If you connect Google Calendar (available on applicable plans), we access your calendar availability and event data to enable appointment scheduling through your chatbot. We store your OAuth credentials (encrypted), selected calendar ID, and scheduling configuration. We do not access your Google Drive, Gmail, Contacts, or any other Google services beyond Calendar.

2.1.1 Google API Services User Data Policy Disclosure

LoopHQ’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only request the minimum permissions necessary (profile and email for authentication, calendar access for scheduling)
• We use Google user data solely for authentication and providing the calendar scheduling features you enable
• We do NOT transfer Google user data to third parties, except as necessary to provide or improve user-facing features with your consent, for security purposes, or to comply with applicable law
• We do NOT use Google user data for advertising, including retargeting or personalized ads
• We do NOT allow humans to read your Google user data unless you have given affirmative consent, it is necessary for security purposes, or it is required by law
• We do NOT use Google user data to train generalized AI or machine learning models

You can disconnect your Google account at any time from your LoopHQ dashboard under the Integrations settings. Disconnecting revokes our access and removes your stored credentials from our systems.

2.2 Automatically Collected Information

• Usage Data: Pages visited, features used, and actions taken within the dashboard.
• Device Information: IP address, browser type and version, and operating system.
• Page Analytics: Page views and interaction data collected through our hosting provider’s built-in analytics.

We do NOT use third-party tracking cookies or advertising pixels.

2.3 Visitor Data Collected Through Your Chatbot

Important distinction: When your website visitors interact with your LoopHQ chatbot, the following data may be collected on your behalf:

• Contact information: Name, email address, and phone number (if you have enabled contact capture forms in your agent settings)
• Chat messages: The full conversation history between your visitor and your AI agent
• Session information: Visitor session identifiers and browser information

For this visitor data, you are the data controller. LoopHQ acts as a data processor on your behalf. You are responsible for disclosing LoopHQ’s use in your own website’s privacy policy and for obtaining any necessary consents from your visitors.

2.4 Messaging Platform Data (Facebook Messenger & Instagram DM)

If you connect messaging channels (available on applicable plans), additional data is collected through those platforms:

• Platform user identifiers: Page-Scoped User IDs (PSIDs) for Messenger and Instagram-Scoped User IDs (IGSIDs) for Instagram DM. These are unique per-user-per-page identifiers assigned by Meta and cannot be used to identify users across different pages or platforms.
• Message content: Text messages, media (images, files), and interaction data (button clicks, quick replies) exchanged between your customers and your AI agent through these channels.
• User profile data: Name and profile picture as provided by the platform to identify the sender in your conversation dashboard.
• Page connection details: Which Facebook Page or Instagram account the conversation is associated with, and OAuth tokens for sending replies on your behalf.

How we use messaging data: Messaging data is used solely to deliver AI-powered responses to your customers, display conversations in your LoopHQ dashboard, and qualify leads. We do NOT access users’ friends lists, personal Facebook/Instagram profiles, photos, or any data beyond the conversation itself.

Data controller: As with web widget visitor data (Section 2.3), you are the data controller for messaging data collected through your connected channels. LoopHQ acts as a data processor. Conversations through Messenger and Instagram are also subject to Meta’s Privacy Policy.

Data retention: Messaging conversation data follows the same retention periods as web widget conversations (see Section 7).

Data deletion: When a user requests deletion of their data through Meta, we process the request and remove all associated conversation data. You can also delete conversations from your LoopHQ dashboard at any time. To request deletion, contact privacy@loophq.dev.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process payments and manage subscriptions
• Generate AI-powered chatbot responses using your knowledge base content
• Send transactional communications (error alerts, billing notifications, system updates)
• Analyze usage patterns to improve user experience
• Enforce our Terms of Service and prevent abuse
• Comply with legal obligations

We do NOT use your information for targeted advertising or sell it to third parties.

4. Legal Basis for Processing (GDPR)

For users in the European Union and European Economic Area, we process your personal data based on the following legal grounds:

• Contractual Necessity: Processing required to provide the Service you subscribed to (account management, billing, AI chatbot functionality).
• Legitimate Interests: Improving the Service, preventing fraud, ensuring security, and analyzing usage patterns.
• Legal Obligations: Compliance with tax laws, billing record retention, and responding to lawful government or public authority requests (see Section 5.2).
• Consent: For certain processing activities such as optional marketing communications. You can withdraw consent at any time.

5. Data Sharing and Third Parties

We do NOT sell your personal information.

We do NOT use your content to train AI models for other users. Your knowledge base, conversations, and data are used solely to provide the Service to you.

We share information with third-party service providers only as necessary to operate the Service:

5.1 Service Provider Categories

• Payment Processing (Stripe): Handles all payment transactions, subscription management, and invoicing. Stripe receives your billing email, payment method details, and transaction data. Stripe’s Privacy Policy
• Cloud Infrastructure and Database: Your data is stored on secure, encrypted, US-based cloud services with row-level security policies ensuring data isolation between accounts.
• AI Service Providers: When visitors interact with your chatbot, their queries and relevant context from your knowledge base are sent to AI providers solely to generate responses. See Section 6 for details.
• Email Delivery: Transactional emails (error alerts, billing notifications, system updates) are sent through a third-party email service. We share your email address and notification content with this provider.
• Web Hosting and Analytics: Our hosting provider collects page-level analytics (page views, performance metrics). This does not involve cookie-based tracking.
• Web Processing: When you import website content to your knowledge base, the URL is processed by a third-party service to extract text content.
• Google APIs: Google Sign-In provides authentication services. Google Calendar API enables appointment scheduling through your chatbot (on applicable plans). We access only the minimum scopes necessary. Google’s Privacy Policy. See Section 2.1.1 for our Google API Limited Use Disclosure.
• Meta (Facebook/Instagram): Meta processes message delivery for Facebook Messenger and Instagram DM integrations (on applicable plans). When your customers message your connected Page or Instagram account, Meta delivers the messages to our servers and delivers our replies back. See Section 2.4 for details on messaging data. Meta’s Privacy Policy

5.2 Law Enforcement and Public Authority Requests

We may disclose personal information to law enforcement agencies, government authorities, or other third parties when we believe in good faith that disclosure is necessary to comply with a legal obligation, such as a valid subpoena, court order, or other lawful government request. We have the following policies and processes in place to protect your data:

• Legality Review: We review every government or public authority request for personal data to verify that it is legally valid and properly scoped before disclosing any information. Requests that do not meet legal requirements are rejected.
• Right to Challenge: We reserve the right to challenge government or public authority requests that we believe are overbroad, unlawful, or otherwise inappropriate. We will seek to narrow or contest such requests where feasible.
• Data Minimization: When we are legally required to disclose data, we provide only the minimum information necessary to satisfy the specific request. We do not provide bulk or unrestricted access to user data.
• Documentation: We maintain records of all government and public authority data requests, including our responses, the legal basis for each disclosure, and the parties involved.

Where legally permitted, we will notify affected users of government data requests. We do not voluntarily provide user data to any government authority outside of valid legal process.

6. AI Data Processing

LoopHQ uses multiple AI service providers to generate chatbot responses. Here is how your data is processed:

• What is sent to AI providers: When a visitor sends a message, the visitor’s query and relevant snippets from your knowledge base (retrieved via semantic search) are sent to the AI provider to generate a response.
• What is NOT sent: Your entire knowledge base is not sent to AI providers. Only small, relevant portions are retrieved for each query.
• Embeddings: Your knowledge base content is processed into mathematical representations (embeddings) stored in our database for fast semantic search. This happens once when content is uploaded.
• Multi-provider: LoopHQ uses multiple AI providers with an automatic failover system for reliability. Your data may be processed by any of our AI providers.
• Not used for training: Your data is NOT used to train or fine-tune AI models for other customers or for general model improvement. API-based AI usage typically does not involve training on customer data.
• Processing location: All AI service providers are US-based.

7. Data Retention

We retain your data for the following periods:

• Conversation History: Retention varies by plan — Free: 30 days, Starter: 90 days, Pro: 180 days, Growth: unlimited. Conversations older than your plan’s retention period are removed.
• Knowledge Base Content: Retained as long as your account is active, regardless of plan.
• Account Data: Retained as long as your account exists.
• Billing Records: Retained for 7 years as required by applicable tax and financial laws.
• After Account Deletion: Personal data is removed within 30 days of account deletion. Anonymized, aggregated analytics data may be retained.
• Inactive Accounts: Accounts inactive for 12 months or more may be archived. Email notifications are sent before archiving.

8. Cookies and Local Storage

Authentication Cookies: We use session cookies managed by our authentication service to keep you logged in and protect your account. These are essential cookies that cannot be disabled while using the Service.

No Third-Party Tracking Cookies: We do not use advertising cookies, social media tracking pixels, or cross-site tracking cookies.

Chat Widget Local Storage: The LoopHQ chat widget uses your visitors’ browser localStorage to store:

• Widget display preferences (open/closed state)
• Unread message badge status
• Interaction state (whether the visitor has engaged with the widget)

This data stays entirely in the visitor’s browser and is not transmitted to our servers. It persists until the visitor clears their browser data.

Page Analytics: Our hosting provider collects page-level analytics without using cookie-based tracking.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encryption in transit: All data is transmitted over HTTPS/TLS
• Encryption at rest: Data stored in our database is encrypted at rest
• Data isolation: Row-level security policies ensure your data is completely isolated from other users
• Access controls: Separate security keys for different access levels, with administrative access restricted to essential operations
• Regular review: We regularly review our security practices and update them as needed

While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

For all users:

• Access the personal information we hold about you
• Correct inaccurate personal information
• Delete your personal information
• Export your data in a portable format
• Update your communication preferences from your account settings

Additional rights for EU/EEA residents (GDPR):

• Restrict processing of your personal data
• Object to processing based on legitimate interests
• Withdraw consent at any time (where processing is based on consent)
• Lodge a complaint with your local data protection authority

Additional rights for California residents (CCPA/CPRA):

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

To exercise your rights: Contact us at privacy@loophq.dev. We will respond to your request within 30 days. You may also update or delete much of your data directly from your LoopHQ dashboard.

11. Children’s Privacy

LoopHQ is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

If you believe a child has provided us with personal information, please contact us at privacy@loophq.dev.

12. International Transfers

LoopHQ is operated by PROXYGIST LLC, based in the United States. All our service providers (cloud infrastructure, AI providers, payment processing, email delivery) are US-based.

Your data is stored and processed in the United States. By using the Service from outside the United States, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.

13. WordPress Plugin

The LoopHQ WordPress plugin allows website owners to easily embed their LoopHQ chatbot on WordPress sites.

What the plugin sends to LoopHQ:

• Project ID: Your unique project identifier, used to load the correct chatbot configuration
• Deployment ping: A one-time notification on plugin activation containing your Project ID and the source “wordpress” to confirm your chatbot is live

What loads on your WordPress site:

• The LoopHQ widget script (loophq.dev/widget.js) is loaded asynchronously on every page
• Visitor interactions with the chatbot are processed by LoopHQ’s AI service as described throughout this Privacy Policy

No additional data is collected through the WordPress plugin beyond what is described in Section 2.3 (Visitor Data).

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The updated policy will be posted with a new “Last Updated” date and version number.

Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

15. Contact Us

If you have any questions about this Privacy Policy or your data, please contact us:

PROXYGIST LLC, doing business as LOOP
Privacy inquiries: privacy@loophq.dev
General inquiries: support@loophq.dev
Website: loophq.dev