Privacy Policy
1. Introduction
PROXYGIST LLC, doing business as LOOP (“LoopHQ,” “we,” “us,” or “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service.
This policy applies to:
- The LoopHQ website (loophq.dev)
- The LoopHQ dashboard and application
- The LoopHQ chat widget embedded on your website
- The LoopHQ WordPress plugin
- Conversations that reach a Loop agent through connected messaging channels (e.g., Facebook Messenger)
By using the Service, you consent to the data practices described in this policy. Please also review our Terms of Service, Usage Policy, Cookie Policy, AI Interaction Notice, and Sub-Processors list.
2. Service Availability and Geographic Scope
LoopHQ is operated from the United States and is offered to customers located in the United States. We do not actively market the Service to residents of the European Union, the United Kingdom, or other jurisdictions outside the United States.
Our customers may operate websites that are accessible globally, and their visitors may interact with a Loop agent from anywhere in the world. When a visitor outside the United States interacts with a Loop agent embedded on a customer’s site, the customer (as the business operating that site) acts as the data controller for the visitor’s information under applicable foreign privacy laws, and LoopHQ acts as a data processor on the customer’s behalf. The customer is responsible for any region-specific obligations (for example, GDPR consent banners or cookie notices on their own website).
Because we do not target users outside the United States and we do not engage in cross-context behavioral advertising, we do not currently display a cookie consent banner on loophq.dev. See our Cookie Policy for full details on the limited storage we do use.
Where applicable law grants visitors rights regardless of our targeting (for example, GDPR Article 3(2) for monitoring of behavior within the EU), we honor those rights. See Section 14 (Your Privacy Rights) and Section 11 (Visitor Data Subject Request Process).
3. Information We Collect
3.1 Information You Provide
- Account Information: Email address and password when you create an account, or a passwordless magic link sent to your email. Your password is encrypted and managed by our authentication service. We do not store passwords in plaintext.
- Business Profile: Business name, legal name, industry, business sub-type, team size, website URL, and website platform — provided during onboarding or in your account settings.
- Agent Configuration: Agent display name, agent purpose, custom AI instructions, welcome messages, popup messages, branding preferences, response behavior settings, lead-scoring rules and custom labels, booking link configurations, custom legal links, and (on applicable plans) custom CSS and custom domain configuration.
- Knowledge Base Content: Documents (PDFs, text files), Q&A entries, and website URLs you upload to train your AI agent. When you submit a URL, the publicly available text of that URL is extracted by a third-party scraping service and stored in your knowledge base.
- Billing Information: Billing name, billing email, billing address, tax identification number (if applicable), and payment method metadata (card brand, last four digits, expiration). Full payment details are processed and stored by Stripe, our payment processor. We do not store full card numbers.
- Team Information: Email addresses of team members you invite, their assigned role (owner, admin, or member), and the user ID of each member after they accept an invitation.
- Notification and Display Preferences: Your notification settings (per-event toggles and per-project mutes), your handoff display name (the name shown to visitors when you join a live conversation), and your dashboard preferences.
- Integration Credentials: When you connect third-party integrations (e.g., HubSpot, GoHighLevel, Google Calendar, Facebook Messenger), we store the OAuth tokens, API keys, selected resources (calendar ID, Facebook Page ID), and configuration necessary to operate each integration.
- Automation Configuration: Webhook URLs, selected event types, webhook signing secrets, and automation rules you configure.
- Enterprise Inquiries: If you submit an enterprise inquiry form, we collect company name, role, company size, industry, use case details, requested plan parameters, timeline, budget, and contact information. We may also generate an internal lead-quality categorization based on the information submitted to help our sales team prioritize follow-up. This information is retained for the period described in Section 10.
- Support Communications: Messages and feedback you send to our support team, including any attachments you choose to include.
- Billing and Account Audit Data: For security and fraud prevention, we maintain an audit log of billing-relevant actions, which records the acting user, IP address, before/after states, and related event identifiers.
3.1.1 Google API Services User Data Policy Disclosure
LoopHQ’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only request the minimum permissions necessary (Google Calendar read/write scopes for appointment scheduling)
- We use Google user data solely to provide the calendar scheduling features you enable in your LoopHQ dashboard
- We do NOT transfer Google user data to third parties, except as necessary to provide user-facing features with your consent, for security purposes, or to comply with applicable law
- We do NOT use Google user data for advertising, including retargeting or personalized ads
- We do NOT allow humans to read your Google user data unless you have given affirmative consent, it is necessary for security purposes, or it is required by law
- We do NOT use Google user data to train generalized AI or machine learning models
You can disconnect your Google account at any time from your LoopHQ dashboard under the Integrations settings. Disconnecting revokes our access and removes your stored credentials from our systems.
3.2 Automatically Collected Information
- Usage Data: Pages visited, features used, and actions taken within the LoopHQ dashboard.
- Device and Connection Information: IP address, browser type and version, and operating system.
- Page Analytics: Page views and interaction data collected through our hosting provider’s built-in, non-cookie-based analytics.
- Behavioral Analytics (Marketing Pages Only): On our public marketing and account pages (e.g., loophq.dev/, /solutions, /pricing, /signup, /login, /legal/*, /unsubscribe), we use Microsoft Clarity and PostHog to capture aggregated session behavior — page sequences, scroll depth, click activity, anonymized session replays, web vitals, and product-improvement events. Both tools automatically mask all form input. PostHog operates in identified-only mode, meaning anonymous visitors do not receive a persistent profile until they sign up for an account. Neither tool runs on the embedded chat widget that appears on our customers’ websites, in our authenticated dashboard, or on our APIs.
- Rate-Limit Data: We use a transient cache to record recent IP addresses and visitor identifiers in order to enforce abuse-prevention limits. This data is retained only briefly and is used solely to protect the Service from automated abuse.
We do NOT use advertising pixels or third-party marketing trackers. See our Cookie Policy for full details.
3.3 Visitor Data Collected Through Your Chatbot
Important distinction: When your website visitors interact with your Loop chatbot, the following data may be collected on your behalf:
- Contact information: Name, email address, and phone number, captured through one of the lead-capture methods enabled in your agent’s configuration.
- Conversation content: The full message history between your visitor and your AI agent, including any files, links, or structured data shared during the conversation.
- Session information: Anonymous visitor session identifiers, the channel source (widget, Facebook Messenger, or future channels), and browser information.
- Presence signals: Typing indicators and engagement state (transiently broadcast to support the live-chat experience).
- AI-derived analytical signals: Categorical signals and structured context inferences about the conversation (such as lead quality, sentiment, urgency, topics, intent, and conversational context) generated by our AI systems to help the operating business understand and serve the visitor. See Section 5 (Automated Decision-Making) for the framework these signals operate within and Section 11 (Visitor Data Subject Request Process) for how to request review, restriction, or deletion.
- Booking details: If the AI books an appointment on the operating business’s calendar, the visitor’s name and email are included as calendar-event attendee information.
- Visitor IP address: Collected transiently for rate-limit enforcement (see Section 3.2).
- Cross-channel identity linkage: When a visitor interacts with the same operating business through multiple channels (for example, a website chat followed later by SMS), we may internally associate those interactions with a shared identity record so the operating business sees a more complete view of the visitor. Currently, identity linkage is based on shared identifiers the visitor has provided in the conversation (such as a phone number or email address). Verified cross-channel merging via opt-in (such as a one-time-passcode flow that confirms two channel identifiers belong to the same person) is planned for a future release. We will update this Policy and disclose the active mechanism when introduced.
For this visitor data, the business operating the agent is the data controller and LoopHQ acts as a data processor. The operating business is responsible for disclosing LoopHQ’s role in its own privacy policy and for obtaining any consents required by applicable law in the visitor’s jurisdiction.
3.4 Messaging Platform Data (Facebook Messenger and Future Channels)
Facebook Messenger is currently supported on applicable plans. SMS is also currently supported and is described separately in Section 3.5 below because the data flow differs (SMS uses phone numbers as identifiers rather than platform-scoped IDs). Additional messaging channels — including Instagram DM and WhatsApp — are planned for future release. When you connect any messaging channel, the data practices described in this section apply, and you are subject to the underlying platform’s terms and our Usage Policy.
When you connect a messaging channel, additional data is collected through that platform:
- Platform user identifiers: Page-Scoped User IDs (PSIDs) for Facebook Messenger. When Instagram DM and WhatsApp are introduced, equivalent platform-scoped identifiers (IGSIDs for Instagram, WhatsApp phone numbers) will be collected. These identifiers are unique per-user-per-page assignments and cannot be used to identify users across different pages or platforms.
- Message content: Text messages, media (images, files), and interaction data (button clicks, quick replies) exchanged between your customers and your AI agent through these channels.
- User profile data: Name and profile picture as provided by the platform to identify the sender in your conversation dashboard. Profile pictures may be cached in our storage to remain available alongside the conversation, and are removed when the underlying conversation is deleted.
- Page connection details: Which Facebook Page (or in the future, Instagram account or WhatsApp number) the conversation is associated with, and OAuth credentials for sending replies on your behalf.
How we use messaging data: Messaging data is used solely to deliver AI-powered responses to your customers, display conversations in your LoopHQ dashboard, power the analytics and AI-derived signals described in Section 3.3, and qualify leads. We do NOT access users’ friends lists, personal Facebook/Instagram profiles, photos, or any data beyond the conversation itself.
Data controller: As with web widget visitor data (Section 3.3), you are the data controller for messaging data collected through your connected channels. LoopHQ acts as a data processor. Conversations through Meta-owned platforms are also subject to Meta’s Privacy Policy.
Data retention: Messaging conversation data follows the same retention principles as web widget conversations (see Section 10).
Data deletion: When a user requests deletion of their data through Meta, we process the request and remove all associated conversation data. You can also delete conversations from your LoopHQ dashboard at any time. See Section 11 for the full deletion request process.
3.5 SMS and Mobile Messaging Data
SMS messaging is supported on applicable plans. When you enable SMS for an agent, LoopHQ provisions a dedicated phone number on your behalf and registers the required carrier compliance entries (commonly referred to as A2P 10DLC registration). The data practices below apply to SMS conversations between visitors and your agent, to outbound transactional messages we send on your behalf, and to alert messages we send to you as the account holder.
What we collect:
- Phone numbers of visitors who message your agent and of account holders who opt in to SMS alerts
- Message content (the text exchanged between visitors and your agent, and the content of outbound transactional messages and alerts)
- Opt-in and opt-out status (including STOP/HELP keyword history)
- Message timestamps and carrier delivery metadata (sent, delivered, failed)
- Business information you submit during A2P registration through our setup wizard (legal entity name, EIN, contact information, sample message content, use-case description), which we forward to our messaging carrier sub-processor for review
How we use SMS data: To deliver the AI-generated responses to inbound visitor messages, to send transactional messages you have configured (such as booking confirmations), to send alert messages to you as the account holder when you have opted in, to honor STOP/HELP requests automatically, and to maintain the carrier compliance records required to operate your SMS service.
Mobile information sharing: Mobile information (phone numbers and SMS opt-in data) will not be shared with third parties or affiliates for marketing or promotional purposes, including lead generators. Text messaging originator opt-in data and consent will not be shared with any third parties, excluding aggregators and providers of the Text Message services. Information sharing with sub-processors that perform services on our behalf — including for SMS message delivery, A2P 10DLC compliance, and phone number provisioning — is permitted. See our Sub-Processors page for the current list.
Data controller: For SMS conversations between visitors and your agent, you are the data controller and LoopHQ acts as a data processor on your behalf. For SMS that LoopHQ sends to a loophq.dev visitor who texts our own number, LoopHQ acts as the data controller.
Standard rates and frequency: Message and data rates may apply to recipients based on their mobile carrier plan. Message frequency varies based on the visitor’s interaction with your agent.
Opt-out: Visitors can stop receiving SMS at any time by replying STOP to any message. Reply HELP for assistance. LoopHQ honors STOP and HELP keywords automatically across all SMS interactions; account holders may not override this behavior.
Account holder consent obligations: Account holders are responsible for collecting TCPA-compliant consent from visitors before SMS messages are sent. See Terms of Service § 13.1 and § 13.2 (SMS Customer Attestations and Remedies) and Usage Policy § 6 for the full customer obligations.
SMS consent capture (conversational): When you interact with a Loop AI agent (on loophq.dev or on a partner channel including Facebook Messenger and, when introduced, Instagram DM), the agent may offer SMS continuation for transactional purposes — for example, to confirm a booking, send an appointment reminder, deliver a payment receipt, send an account alert or demo confirmation, or follow up on a request you initiated. If you voluntarily provide your phone number in response to that offer, you consent to receive SMS related to that interaction. We retain a record sufficient to demonstrate that consent if asked, and you can opt out at any time by replying STOP to any SMS. Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes, including lead generators. Message frequency varies by your interaction with us; we send messages only in response to consumer-initiated actions and do not broadcast or send promotional content. Msg & data rates may apply. For a fuller reference of our consent flow, see our SMS Consent Reference.
What happens when an account lapses or is closed: If your subscription lapses or is closed, your provisioned phone number is released after a brief grace period. Visitors who text a released number receive a short auto-reply directing them to the website you have configured, so they are not ignored. Conversation data remains subject to Section 10 (Data Retention).
Future SMS-related features: Outbound payment links, appointment reminders, review requests, and re-engagement messaging may be introduced as part of future releases. When introduced, the same SMS data practices in this section will apply.
4. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process payments, manage subscriptions, issue invoices, and calculate taxes
- Generate AI-powered chatbot responses using your knowledge base content
- Analyze conversations to produce AI-derived analytical signals that help the operating business understand visitor intent (see Section 5)
- Send proactive follow-up messages to visitors who appear to have disengaged from a conversation (see Section 6)
- Send transactional communications (lead alerts, handoff notifications, booking confirmations, billing notifications, system updates, and — on applicable plans — daily digest emails)
- Deliver SMS messages on your behalf when SMS is enabled for your agent (inbound responses, transactional outbound, and account-holder alerts you have opted in to)
- Push lead information to connected CRM, automation, or webhook endpoints when you configure those integrations
- Detect and prevent fraud, abuse, and security incidents
- Analyze usage patterns to improve user experience
- Enforce our Terms of Service and Usage Policy
- Comply with legal obligations
We do NOT use your information for targeted advertising, and we do NOT sell or share personal information for cross-context behavioral advertising. See our Do Not Sell or Share notice.
4.1 Cold Outreach and Marketing Email
From time to time, LoopHQ contacts business prospects by email to introduce our Service. Recipients of this outreach are identified through publicly available business sources (for example, business directories and professional networks), and emails are sent to business addresses for legitimate business-to-business purposes consistent with the CAN-SPAM Act.
How to opt out: You can stop receiving outreach emails from LoopHQ at any time using any of the following methods:
- Click the unsubscribe link included at the bottom of every outreach email
- Reply directly to the email and ask to be removed
- Email privacy@loophq.dev with the subject line “Unsubscribe” and the email address you would like removed
We honor opt-out requests within 10 business days, consistent with the CAN-SPAM Act. Opt-outs apply across all current and future LoopHQ outreach campaigns, not just the campaign through which you received the message.
Outreach emails always include LoopHQ’s physical mailing address, accurate sender identification, and a non-deceptive subject line, as required by the CAN-SPAM Act. If you believe you have received an outreach email that does not meet these standards, please contact privacy@loophq.dev.
5. Automated Decision-Making
Loop applies automated analysis to conversations in order to help the operating business understand visitor intent and respond appropriately. These automated signals, generated by AI systems, may include categorical assessments of:
- Lead quality, drawing on the conversation and any rules the operating business has configured
- Visitor sentiment
- Urgency
- Conversation topics and context
- Structured context inferences drawn from the conversation (such as expressed visitor intent, topical entities, and conversational state) used to help the AI agent track context across turns
These signals are used internally by the Service and are visible to the operating business in its dashboard. They do not independently cause legal effects on visitors (they do not, for example, deny service, approve credit, or execute transactions without human involvement). They are decision-support signals for the operating business and the GDPR Article 22 carve-out for solely-automated decisions producing legal or similarly significant effects therefore does not apply to them as generated by LoopHQ.
Right to human review, restriction, and deletion: If an automated signal produced by Loop has been used in a way that you believe produced a significant effect on you (for example, you believe you were excluded from a service offering based solely on a lead score), you may request that the operating business review the outcome with a human. You may also request restriction or deletion of the inferences themselves through the process described in Section 11 (Visitor Data Subject Request Process), and we will assist in routing your request to the operating business.
No adverse automated decisions by Loop: Loop itself does not use these signals to make adverse automated decisions about individual visitors without human involvement.
6. Proactive AI Communications
Loop agents may send unsolicited follow-up messages during a conversation if the system detects that a visitor may benefit from a gentle nudge. Proactive messaging is subject to internal frequency limits and cooldowns designed to protect visitor experience, with channel-appropriate behavior across the channels we support.
Visitor opt-out: Visitors can stop receiving proactive messages by closing the chat widget, by not responding on messaging platforms, or (where the channel supports it) by sending standard opt-out keywords. On messaging platforms, the underlying platform’s messaging policies and opt-out mechanisms apply.
Customer responsibility: The business operating the agent is responsible for ensuring proactive messaging is appropriate for its audience and its jurisdiction, and for complying with any applicable messaging or consent laws. For SMS specifically, proactive messaging is also subject to the Telephone Consumer Protection Act (TCPA), carrier rules, and the consent obligations in our Terms of Service § 13 and Usage Policy.
7. Legal Basis for Processing (GDPR)
For users who are nevertheless subject to the GDPR or UK GDPR (see Section 2), we process personal data based on the following legal grounds:
- Contractual Necessity: Processing required to provide the Service (account management, billing, AI chatbot functionality).
- Legitimate Interests: Improving the Service, preventing fraud, ensuring security, enforcing our Terms, and analyzing usage patterns. You have the right to object to processing based on legitimate interests (see Section 14).
- Legal Obligations: Compliance with tax laws, billing record retention, and responding to lawful government or public authority requests (see Section 8.2).
- Consent: For certain processing activities such as optional marketing communications. You can withdraw consent at any time.
9. AI Data Processing
LoopHQ uses multiple AI service providers to generate chatbot responses and to power the analytical signals described in Section 5. Here is how your data is processed:
- What is sent to AI providers: Visitor messages and the relevant portions of your knowledge base needed to generate a response, along with the agent configuration and industry context required for the AI to respond appropriately.
- What is NOT sent: Your entire knowledge base is not sent to AI providers. Only the portions relevant to a given query are included. Unrelated account data is not included in AI prompts.
- Embeddings: Your knowledge base content is processed into mathematical representations (embeddings) stored in our database to support semantic search. This happens when content is uploaded and when content changes.
- Multiple providers: LoopHQ uses multiple AI providers for reliability. Your data may be processed by any of them. See our Sub-Processors page for the current list.
- AI-initiated actions: Depending on your configuration, the AI may take actions on your behalf such as scheduling appointments, capturing lead information, sharing resources you have configured, and routing conversations to a human team member. See AI Interaction Notice and Terms of Service § 9.
- Abuse prevention: We apply automated safeguards to detect and block abuse before sending requests to AI providers.
- Multilingual processing: When enabled in your settings, Loop detects the visitor’s language and responds in that language. AI translation may produce errors; see Terms of Service § 8.
- Not used for training: None of our AI providers are authorized to use Loop customer or visitor data to train or fine-tune their models. API-based AI usage typically does not involve training on customer data.
- Processing location: All AI service providers used by Loop are US-based.
10. Data Retention
We retain data for the following periods:
- Conversation History: We retain conversation data for a period configured by the operating business per project (typically between approximately one and two years). After the configured period elapses, conversations are deleted or anonymized. Account holders may also delete individual conversations, entire agents (which removes all associated conversations), or their entire account at any time from the LoopHQ dashboard. Pro and Growth customers can export conversation data at any time. Visitors may request immediate deletion at any time through the process described in Section 11. SMS conversations follow the same retention principle and are tied to the visitor’s phone number.
- SMS phone numbers and provisioning records: Your provisioned phone numbers and the associated A2P 10DLC registration records are retained while your account is active and SMS is enabled. If your subscription lapses or is closed, the phone number is released after a brief grace period; carrier registration records are retained as needed to comply with carrier and regulatory requirements.
- Visitor Deletion Rights: Any visitor whose data was collected through a chatbot may request deletion through the process described in Section 11. We act as a data processor for visitor data on behalf of the operating business.
- Knowledge Base Content: Retained as long as your account is active.
- Account Data: Retained as long as your account exists.
- Enterprise Inquiries: Information submitted through enterprise inquiry forms is retained for up to 24 months from submission for sales evaluation and follow-up. After 24 months without further engagement (or upon your written request), records are purged or anonymized.
- Identity Records: Internal records that associate a visitor’s conversations across channels are retained alongside the operating business’s project for the duration of the project’s life, and are removed if the project is deleted. The associated channel identifiers (such as phone number or email address) follow the same retention principle. Audit records of any cross-channel identity association are retained to satisfy data subject access request (DSAR) obligations and audit-trail requirements.
- Notifications: In-app notifications are retained for a limited period and are pruned periodically.
- Integration Credentials: Retained until you disconnect the integration or close your account. Disconnection removes the stored credentials from our systems.
- Billing Records: Retained for 7 years as required by applicable tax and financial laws.
- Billing Audit Log: Retained for 7 years for security and fraud prevention.
- After Account Deletion: When an account holder closes their account, associated personal data and conversation data are removed within 30 days. Anonymized, aggregated analytics data may be retained. Billing records are retained as noted above.
- Inactive Accounts: Accounts inactive for 12 months or more may be archived. Email notifications are sent before archiving.
11. Visitor Data Subject Request Process
Visitors who interacted with a Loop agent on an operating business’s website have the right to request access to, correction of, deletion of, or portability of their personal data. Because the operating business is the data controller and LoopHQ is the data processor for visitor data, requests can be submitted through either party.
Preferred path — through the operating business: Contact the business you interacted with and request the action you want taken. They can act directly through their LoopHQ dashboard or instruct us to act on their behalf.
Direct path — through LoopHQ: Email privacy@loophq.dev with:
- Subject line: “Visitor Data Request”
- The website, Page, or account where the conversation took place
- A date range or other identifying detail to help us locate the relevant conversation
- The specific action requested (access, correction, deletion, export)
Verification: To protect visitors from unauthorized requests, we may ask for identifying information that matches the conversation record (for example, the email address or phone number used during the conversation). We will only verify through information the visitor already provided during the conversation — we will not ask for government ID or other sensitive identifiers.
Scope of the request: Where we have associated a visitor’s conversations across channels (see Section 3.3, Cross-channel identity linkage), we will use the linked identity record — if any — to ensure your request reaches all of your conversations associated with you, not only the single conversation you reference. If you want a request scoped to a single conversation only, please indicate that in your request.
Response time: We will acknowledge your request within 10 business days and respond substantively within 30 days, consistent with GDPR Article 12(3) and CCPA § 1798.130. We may extend the response time by up to 45 additional days for particularly complex requests, as permitted by law, and will notify you if we do.
Account holder deletion: If you are an account holder (a LoopHQ customer), you may delete conversations, agents, or your entire account directly from the dashboard, or request assistance at privacy@loophq.dev.
Scheduled retention deletion is automatic. In addition to request-driven deletion, conversation data is automatically deleted or anonymized when the operating business’s configured retention period elapses (see Section 10). You do not need to file a request to trigger scheduled deletion. Your right to request immediate deletion in advance of the scheduled period is preserved by this Section.
13. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data is transmitted over HTTPS/TLS
- Encryption at rest: Data stored in our database is encrypted at rest
- Data isolation: Row-level security policies at the database layer ensure your data is isolated from other customers even if application-layer authorization fails
- Access controls: Separate keys for different access levels, with administrative access restricted to essential operations
- Webhook signing: Outbound webhooks to customer-configured endpoints are HMAC-signed so you can verify authenticity
- Rate limiting: Automated per-IP and per-visitor limits protect against abuse
- Audit logs: Billing actions and sensitive operations are logged with actor, IP, and state changes
- Internal staff access logging: Internal LoopHQ staff access to customer and visitor data is logged for security, audit, and compliance purposes. Access is restricted to essential operations and reviewed periodically.
- Regular review: We regularly review our security practices and update them as needed
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
14. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
For all users:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Delete your personal information
- Export your data in a portable format
- Update your communication preferences from your account settings
Additional rights for California residents (CCPA/CPRA):
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
- Right to opt-out of the sale or sharing of personal information (we do not sell or share — see our Do Not Sell or Share notice)
- Right to non-discrimination for exercising your privacy rights
Additional rights for residents of Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws:
- Right to access, correct, and delete personal data
- Right to data portability
- Right to opt out of targeted advertising (we do not engage in it), sale of personal data (we do not sell), and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects (see Section 5 — Loop does not make such decisions solely through automation)
- Right to appeal our decision on any rights request
Additional rights for EU/EEA and UK residents (GDPR / UK GDPR):
- Restrict processing of your personal data
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is based on consent)
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 5)
- Lodge a complaint with your local data protection authority
To exercise your rights: Account holders may exercise most rights directly from the LoopHQ dashboard. Visitors to customer sites should use the process described in Section 11. For any other request, contact us at privacy@loophq.dev. We will respond within 30 days.
15. Children’s Privacy
LoopHQ is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
Our customers are responsible for ensuring their deployments do not target or collect personal information from children under 13 in violation of the Children’s Online Privacy Protection Act (COPPA) or comparable laws. See our Usage Policy.
If you believe a child has provided us with personal information, please contact us at privacy@loophq.dev.
16. International Transfers
LoopHQ is operated by PROXYGIST LLC, based in the United States. Our service providers are primarily US-based; a subset also have operations in the European Union (noted on our Sub-Processors page).
Your data is stored and processed primarily in the United States. By using the Service from outside the United States, you acknowledge that your information will be transferred to the United States, where data protection laws may differ from those in your jurisdiction.
17. WordPress Plugin
The LoopHQ WordPress plugin allows website owners to easily embed their LoopHQ chatbot on WordPress sites.
What the plugin sends to LoopHQ:
- Project ID: Your unique project identifier, used to load the correct chatbot configuration
- Deployment ping: A one-time notification on plugin activation containing your Project ID and the source “wordpress” to confirm your chatbot is live
What loads on your WordPress site:
- The LoopHQ widget script is loaded asynchronously on every page
- Visitor interactions with the chatbot are processed by LoopHQ’s AI service as described throughout this Privacy Policy
No additional data is collected through the WordPress plugin beyond what is described in Section 3.3 (Visitor Data).
18. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The updated policy will be posted with a new “Last Updated” date and version number.
Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.
19. Contact Us
If you have any questions about this Privacy Policy or your data, please contact us:
PROXYGIST LLC, doing business as LOOP
Privacy inquiries: privacy@loophq.dev
General inquiries: support@loophq.dev
Website: loophq.dev