Privacy
Privacy at Loopin.
What we collect, why, how long we keep it, and the rights you (and your end customers) have. GDPR, UAE PDPL, and KSA PDPL aligned.
Only what we need
Account info (name, email), workspace data you put in, and product usage telemetry. No tracking pixels in the dashboard. No selling to advertisers.
Encrypted, isolated, audited
AES-256 at rest, TLS 1.3 in transit, per-tenant logical isolation. SOC 2 Type II, PCI DSS Level 1, ISO 27001.
Data residency you choose
Default region is UAE (Dubai). Enterprise customers can pin to EU (Frankfurt), Saudi (Riyadh), Singapore, or the US.
Your data subjects' rights
GDPR, UAE PDPL, KSA PDPL. End-customer access, rectification, erasure, and portability requests are honored within 30 days.
What we collect
Five categories. Plain language.
| Category | Examples | Retention |
|---|---|---|
| Account data | Name, email, phone, role, password hash (bcrypt, never plain). | Lifetime of account + 90 days post-deletion. |
| Workspace data | Products, orders, customers, invoices, bookings, anything you create. | Lifetime of workspace + 60 days export window after deletion. |
| Telemetry | Page views, feature usage, error rates, perf timings, no PII inside events. | 13 months rolling, then aggregated. |
| Support history | Tickets, chat transcripts, screen recordings you upload. | 24 months after last activity, then deleted. |
| Billing data | Plan, invoices, tax ID, last 4 of card (Stripe holds the rest). | 10 years for tax compliance (UAE FTA, KSA ZATCA). |
Sub-processors
Every third party we share data with.
Updated whenever it changes. We give Enterprise customers 30 days notice before adding a new sub-processor that touches customer data.
- A
AWS (Bahrain region, Frankfurt region)
Compute, storage, networking
BH, DE - S
Stripe Payments
Card processing, subscription billing
IE, US - C
Cloudflare
DNS, WAF, DDoS mitigation, edge cache
Global edge - A
Anthropic
AI advisor, chatbot, draft generation
US - R
Resend
Transactional email delivery
EU - T
Twilio (WhatsApp Business)
WhatsApp message delivery
IE, US - D
Datadog
Infrastructure metrics + logs
EU - S
Sentry
Application error tracking
EU
Your rights
Six rights, all self-serve.
- Access: get a copy of every piece of data we hold about you.
- Rectification: correct anything that is wrong, in two clicks from Settings.
- Erasure: delete your workspace, your account, or specific data sets.
- Portability: export to CSV, JSON, or PDF on demand.
- Objection: opt out of telemetry from Settings, Privacy controls.
- Withdraw consent: revoke marketing email consent in one click.
For any request, write to privacy@loopin.app or open a ticket from Settings, Privacy controls. We respond within 30 days.
Response SLA
Access and erasure requests are processed within 30 days. Urgent erasure (verified identity theft) within 72 hours.
Data Protection Officer
privacy@loopin.app
EU representative: Boulevard Plaza 1402, Downtown Dubai.