3 seats free. No card. Upgrade per seat as you grow.
Free forever for teams up to 3 seats.
Your newest hires learned from YouTube, not textbooks. Here's why your training is failing them.
Free download. No credit card required.
Last updated: 2026-05-21
A plain-language snapshot first, then the full legal text. If the two ever appear to conflict, the legal text governs — but we work hard to keep the snapshot honest.
Account basics (name, email, password). Service usage and diagnostic data. Payment data is processed by Stripe (we don't store card numbers). Training content and end-user responses you choose to put into HeyLoopy.
AWS, US region (us-east-1, N. Virginia). We do not currently serve EU/UK customers. A Data Processing Addendum incorporating Standard Contractual Clauses will be put in place before we begin selling in the EU/UK.
Built on SOC 2 Type II-certified AWS infrastructure, following SOC 2-aligned controls. AES-256 encryption at rest across all customer data stores (RDS via customer-managed KMS keys; S3 via AWS-managed SSE-S3). TLS for all customer-facing traffic. Production and staging in separate AWS accounts.
We do not train any model — ours or any third party's — on your training content or end-user responses. Our AI providers (OpenAI as primary, Anthropic as fallback) contractually do not train on API traffic by default; we operate against those terms.
A short, named list of subprocessors: AWS (hosting), Stripe (payments), OpenAI + Anthropic (AI), PostHog (product analytics), Sentry (error monitoring). Full list with purposes below.
Today HeyLoopy is a web service that runs in any modern mobile or desktop browser. Native iOS and Android apps are in development. When they launch, this notice will be updated to cover the additional data they handle (e.g., device identifiers, push tokens).
Access, correct, export, or delete your personal information by emailing support@heyloopy.com or visiting heyloopy.com/support. We respond within 30 days.
Vendor security questionnaires (SIG Lite, CAIQ, custom) are completed on request, typically within 5 business days. We notify affected customers without undue delay, and where feasible within 72 hours of becoming aware of a breach. HeyLoopy processes SOPs and procedures, not PHI; a BAA is not offered. A standard Data Processing Addendum template is not yet available; one will be produced before we begin EU/UK sales. Existing customers needing data-processing terms can contact us directly to discuss case-by-case.
Last updated: 2026-05-21
This Privacy Notice for LoopBot Corporation (“we,” “us,” or “our”) describes how and why we access, collect, store, use, and share (“process”) your personal information when you use our services (“Services”), including when you:
Native mobile applications (iOS and Android) are in development. When they launch, this notice will be updated to describe the additional data they handle.
Questions? Email support@heyloopy.com .
In short: We collect what you give us, plus standard service logs needed to run and secure the product.
Personal information you provide. When you register, request information, or contact us, we collect:
Customer content. When your organization uses HeyLoopy, you upload or generate content: SOPs, training documents, drill questions and answers, end-user responses, mastery scores, and completion records. We process this content to deliver the Service. We do not use it to train AI models. See Section 6 for AI specifics.
Payment data. Card numbers and security codes are collected and stored by Stripe (PCI DSS Level 1 service provider), not by us. HeyLoopy is out of PCI scope by design — we do not store, transmit, or process payment card numbers. See Stripe’s privacy notice .
Information collected automatically. When you use the Services we automatically collect diagnostic, usage, and device data: IP address, browser type and version, device characteristics, operating system, language preferences, referring URLs, page views, feature interactions, timestamps, error reports, and similar log data. This is used to run the Service, fix bugs, and improve features.
Geolocation. We may infer approximate location from IP address. We do not collect precise GPS-level geolocation from the web service. If native mobile apps launch, this section will be updated.
Cookies and similar technologies. See Section 5 and our Cookie Policy .
Sensitive personal information. We do not intentionally process special-category or sensitive personal information (racial or ethnic origin, sexual orientation, religious beliefs, biometric identifiers, precise geolocation, etc.).
Scope of content. HeyLoopy is designed to process the documents your team needs to remember — SOPs, policies, procedures, guidelines, training materials. It is not designed to store and we do not knowingly accept Protected Health Information (PHI), financial customer records, or other sensitive personal data of your end-customers. A Business Associate Agreement (BAA) is not offered. Customers in healthcare, financial services, and similar regulated contexts should use HeyLoopy for procedural training (the bundle, the SOP, the protocol) and keep PHI / customer-record data in their existing systems of record.
In short: To run the Service, communicate with you, secure the platform, comply with law, and (in some cases) with your explicit consent.
Specifically, we process personal information to:
We do not sell personal information. We do not share personal information with third parties for their independent marketing.
In short: Contract, consent, legal obligation, or legitimate interests — depending on the activity.
If you are in the EEA or UK (GDPR / UK GDPR), our legal bases are:
International transfers. Customer data is stored in the United States (AWS us-east-1). We do not currently serve customers in the EEA or UK. Before we begin EU/UK sales, we will produce a Data Processing Addendum incorporating the EU Standard Contractual Clauses (and the UK Addendum). If you are evaluating us from the EEA/UK today, please contact us directly so we can discuss data-processing terms case-by-case.
If you are in Canada, we rely on your express or implied consent, plus the standard exceptions under PIPEDA (fraud investigation, legal compliance, life-or-safety, etc.).
In short: A short, named list of subprocessors, plus the standard legal categories.
We rely on the following service providers to process customer training content and end-user response data on our behalf. Each is bound by a contract that limits their use of your data to performing services for us. We maintain a separate internal vendor inventory that includes additional providers used for internal operations (transactional email via AWS SES, internal team communications, error/debug routing) which do not process customer training content or end-user responses. If your evaluation requires the full inventory, request it directly via the contact below.
| Subprocessor | Purpose | Location | Privacy notice |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, compute, storage, databases, backups | United States (us-east-1) | aws.amazon.com/privacy |
| Stripe | Payment processing | United States | stripe.com/privacy |
| OpenAI | Primary AI inference for drill generation, scoring, and coaching | United States | openai.com/policies/privacy-policy |
| Anthropic | Fallback AI inference | United States | anthropic.com/legal/privacy |
| PostHog | Product analytics | United States | posthog.com/privacy |
| Sentry | Application error monitoring | United States | sentry.io/privacy |
We may engage additional subprocessors in the future. Material additions will be reflected in updates to this notice.
In short: A small set of cookies for site operation and (with consent) analytics.
We use cookies to keep the site working, remember your consent preferences, and (with consent) understand product usage via PostHog. We do not use third-party advertising cookies or sell tracking data. See our Cookie Policy for the full list and how to manage them.
We currently do not respond to browser Do-Not-Track signals, as no uniform DNT standard exists. We honor opt-outs submitted through our cookie banner and through the rights mechanism in Section 10.
In short: OpenAI is our primary AI provider; Anthropic is a fallback. Neither trains on our customers’ content. We don’t either.
What the AI does. HeyLoopy uses large language models to:
What we send to AI providers. Only what’s needed to complete the request: the relevant passage of your training content, the question or response being scored, and minimal metadata for routing. We do not send unnecessary personal information.
Training. We do not use customer content to train any model — ours or any third party’s. Per OpenAI’s API data usage policy , data sent through the OpenAI API is not used to train or improve OpenAI models by default. Anthropic operates under similar API terms . We rely on those default protections and have not opted into any data-sharing or evaluation programs that would change them.
Automated decisions. AI-generated drill scores are advisory. A human-reviewable mastery view is available to administrators. Where automated decisions produce legal or similarly significant effects on an individual, we will inform that individual and offer a path to human review (GDPR Art. 22).
In short: Only as long as we need it — usually tied to your account’s life.
Personal information of individual end-users is retained while their account is active.
On account closure. Personal information is deleted from active systems within 30 days of account termination, except where:
Customer-controlled retention of organizational training records is governed by the MSA. Where there is a conflict, the MSA controls customer data; this notice controls individual end-user personal information.
In short: Defense-in-depth on SOC 2 Type II-certified AWS, with encryption at rest, encrypted customer-facing traffic, and access controls.
We have implemented technical and organizational measures designed to protect personal information:
A more detailed security overview is available to evaluating customers under NDA via support@heyloopy.com .
Vendor security review. For procurement and security teams that need to vet us, we complete vendor security questionnaires (SIG Lite, CAIQ, custom) on request, typically within 5 business days. Email support@heyloopy.com with your form.
HIPAA stance. HeyLoopy processes SOPs and procedural training content, not Protected Health Information. A Business Associate Agreement is not offered. Clinical-training customers use HeyLoopy for procedural recall (the sepsis bundle, the WHO Five Moments, central-line insertion steps); patient data stays in the customer’s EHR.
No system is perfect. Despite reasonable safeguards, no online service can guarantee absolute security. We commit to notifying affected customers without undue delay, and where feasible within 72 hours, of becoming aware of a personal data breach affecting their data.
In short: Our Service is not directed to children under 16.
We do not knowingly collect personal information from anyone under the age of 16 (or the equivalent minimum age in your jurisdiction). If you believe we have inadvertently collected such information, please email support@heyloopy.com and we will delete it.
Some customers train apprentices, students, or trainees who are 16-21 years old; that’s the intended end-user population. The under-16 restriction applies to direct collection from minor users, not to indirect references in training content authored by your organization.
In short: Access, correct, delete, port, or restrict — email us.
Depending on where you live, you may have rights to:
How to exercise rights. Email support@heyloopy.com or visit heyloopy.com/support . We respond within 30 days (with one possible 30-day extension for complex requests, with notice). We may need to verify your identity before acting.
Appeals. If we decline a request, you may appeal by emailing us. We will respond in writing within 45 days. If your appeal is denied, you may file a complaint with your state attorney general (US) or supervisory authority (EEA/UK).
EEA / UK / Switzerland. You have the right to lodge a complaint with your local data protection authority. The UK Information Commissioner’s Office is at ico.org.uk .
In short: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia residents have additional rights under state law. Email us to exercise them.
Categories of personal information collected in the past 12 months:
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, email, IP address, account name | Yes |
| B. Customer Records | Name, contact info, employment context | Yes |
| C. Protected classifications | Gender, age, race, national origin | No |
| D. Commercial information | Transaction history, billing details | Yes (via Stripe) |
| E. Biometric information | Fingerprints, voiceprints | No |
| F. Internet or network activity | Browsing/usage on our Service, feature interactions | Yes |
| G. Geolocation | Approximate location inferred from IP | Yes (approximate only) |
| H. Audio / electronic / sensory | Call recordings, photos | No |
| I. Professional / employment | Job role and training assignments within your org | Yes |
| J. Education information | Student records, directory information | No |
| K. Inferences | Mastery scores, recall predictions derived from AI scoring | Yes |
| L. Sensitive personal information | — | No |
Sources. Directly from you, from your employer’s HeyLoopy administrator, and automatically as you use the Service.
Sale or sharing. We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months.
Categories disclosed for a business purpose. Categories A, B, D, F, G, I, and K may be disclosed to the subprocessors listed in Section 4 for the purposes described there.
California “Shine the Light”. California residents may request, once per year, information about personal information we disclosed to third parties for their direct marketing purposes. As of this notice’s date, we have not disclosed personal information for third-party direct marketing.
Authorized agents. You may designate an authorized agent to make a request on your behalf, with written and signed permission and identity verification.
We update this notice as needed. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated by a prominent notice on the Service or by direct email to account administrators.
LoopBot Corporation 1000 Main St, Unit #2030 Pittsburgh, PA 15215 United States
Email: support@heyloopy.com
For data protection inquiries (DPA, VSQ completion, subprocessor changes, breach disclosures, DSARs): same address.
Log in to your account settings to review and update your information directly, or contact us at support@heyloopy.com to request access, correction, export, or deletion.