3 seats free

Legal · Privacy

Privacy Policy

Last updated: 2026-05-21

A plain-language snapshot first, then the full legal text. If the two ever appear to conflict, the legal text governs — but we work hard to keep the snapshot honest.

At a glance

What we collect

Account basics (name, email, password). Service usage and diagnostic data. Payment data is processed by Stripe (we don't store card numbers). Training content and end-user responses you choose to put into HeyLoopy.

Where it lives

AWS, US region (us-east-1, N. Virginia). We do not currently serve EU/UK customers. A Data Processing Addendum incorporating Standard Contractual Clauses will be put in place before we begin selling in the EU/UK.

How it's protected

Built on SOC 2 Type II-certified AWS infrastructure, following SOC 2-aligned controls. AES-256 encryption at rest across all customer data stores (RDS via customer-managed KMS keys; S3 via AWS-managed SSE-S3). TLS for all customer-facing traffic. Production and staging in separate AWS accounts.

AI and your content

We do not train any model — ours or any third party's — on your training content or end-user responses. Our AI providers (OpenAI as primary, Anthropic as fallback) contractually do not train on API traffic by default; we operate against those terms.

Who else sees it

A short, named list of subprocessors: AWS (hosting), Stripe (payments), OpenAI + Anthropic (AI), PostHog (product analytics), Sentry (error monitoring). Full list with purposes below.

Mobile apps

Today HeyLoopy is a web service that runs in any modern mobile or desktop browser. Native iOS and Android apps are in development. When they launch, this notice will be updated to cover the additional data they handle (e.g., device identifiers, push tokens).

Your rights

Access, correct, export, or delete your personal information by emailing support@heyloopy.com or visiting heyloopy.com/support. We respond within 30 days.

VSQ, breach notice, DPA status

Vendor security questionnaires (SIG Lite, CAIQ, custom) are completed on request, typically within 5 business days. We notify affected customers without undue delay, and where feasible within 72 hours of becoming aware of a breach. HeyLoopy processes SOPs and procedures, not PHI; a BAA is not offered. A standard Data Processing Addendum template is not yet available; one will be produced before we begin EU/UK sales. Existing customers needing data-processing terms can contact us directly to discuss case-by-case.