Privacy Policy

Loopi Social (loopi.social) is a creator platform that schedules content to social platforms, hosts public link-in-bio pages, and runs email broadcasts and drip sequences. This policy explains what data we collect, why, where it goes, and how to remove it. Loopi Social is operated by an individual creator-developer and is provided "as-is." By using Loopi Social you agree to the practices described here.

This document is organized around the three services that handle most of your data: Content (post scheduling, media, AI drafts, platform connections), Links (your public link-in-bio page at {username}.loopi.social), and Mail (subscriber lists, broadcasts, drip sequences, delivery telemetry). Your account and profile data underpin all three.

1. Account & profile data

When you sign up, we store:

Account-level: the owner's email address, a salted bcrypt hash of your password (never the plaintext), an optional Google OAuth subject identifier if you signed in with Google, an account creation timestamp, and a last-active timestamp.
Profile-level: profile name, optional display name and bio, optional avatar image, and an optional free-form "AI context" describing your brand voice. The AI context is only sent to AI providers when you generate drafts (see §6).
Membership: for multi-user accounts, per-member role and per-profile scopes.
Sessions: short-lived JWT access tokens in your browser's localStorage; the corresponding session row is stored server-side with a TTL of 30 days. We do not use third-party analytics cookies.
Google sign-in: if you choose Google sign-in, we request only the standard openid email profile scopes. We receive your email address, Google subject ID, and (optionally) name and avatar. We do not request access to Gmail, Drive, Calendar, or any other Google product, and we have no ability to read those services.

2. Content service

When you connect a third-party platform (TikTok, Instagram, LinkedIn, YouTube, Bluesky), we receive an OAuth access token from that platform on your behalf and use it only to publish content you explicitly schedule.

Platform OAuth tokens: stored per-profile and per-platform in DynamoDB with AWS-managed encryption at rest. Refresh tokens (where the platform issues them) are stored alongside. You can disconnect any platform from the Content tab at any time, which deletes the stored tokens.
Media you upload: stored in Amazon S3, keyed by accountId/profileId/filename. Originals plus auto-generated thumbnails and transcripts. A bucket lifecycle policy hard-expires every object 366 days after upload — including transcripts and thumbnails. You can delete sooner via the Media tab.
Transcripts: generated inside an AWS Lambda using faster-whisper (open-source speech-to-text). Audio is not sent to any third party for transcription. The resulting text is written next to the video as a sidecar JSON.
AI-generated drafts: when you request post drafts from a transcript, we send the transcript text, your profile's AI context, and the target platform to Anthropic's Claude API. We do not send your subscriber list, email history, link analytics, or other creator data. We do not retain the raw API exchange beyond the resulting draft text. See Anthropic's privacy policy for their handling.
Scheduled posts: the post body, target platform, scheduled time, and any associated media reference. Stored until you delete the post or until the post fires (and then retained for analytics until you delete it).
Platform-side analytics: after a post is published, we may sync the public counts (views, likes, comments, shares) that the platform exposes via its API. We do not collect anything about individual viewers — those numbers come pre-aggregated from the platform.

YouTube notice: Loopi Social uses YouTube API Services. By connecting a YouTube account, you also agree to the YouTube Terms of Service and acknowledge Google's Privacy Policy. You can revoke Loopi Social's access to your Google account at any time via Google's security settings.

3. Links service

The Links service hosts your public link-in-bio page at {username}.loopi.social. This page is publicly accessible to anyone who knows the URL — it is intentionally not behind authentication.

Username & page content: the username you claim (lowercased, globally unique), display name, bio, avatar, theme/color settings, and the link rows you configure (titles, URLs, images, sections, embedded email forms). All of this is published to the public page.
Link assets (images): images you upload for link tiles or your avatar are stored in S3 and served publicly via CloudFront so the page can render.
Visitor analytics: when someone visits your public link page or clicks a link on it, we record the event type (view/click/copy/email-submit), the link clicked, the visitor's IP address, the User-Agent header, the Referer header, and any UTM query parameters. This data is used to render the analytics you see in /app/links/analytics and to detect abuse.
Embedded email-capture forms: if you place an email form on your link page, submissions are handled by the Mail service (see §4) and create active subscribers immediately.

For visitors of public link pages: we do not set third-party advertising or analytics cookies on the page; we do not fingerprint your device beyond the User-Agent string already sent by your browser; and the IP/User-Agent log is used only to give the creator basic traffic analytics. The creator is responsible for informing their own audience that this analytics capture exists if their jurisdiction requires such disclosure.

4. Mail service

The Mail service operates per-list. Subscribers belong to a list owned by one of your profiles; sender identity (display name, reply-to address) is configured per-list and verified before sending is allowed.

Subscriber data: email address, optional first/last name, browser timezone (captured at form submission), custom fields you provide, status (active/unsubscribed/bounced/complained), the tags you assign, and timeline (subscribed-at, unsubscribed-at).
Subscription source: when a visitor signs up via a public form (e.g., embedded on the creator's website or link page), we record the subscriber as active immediately — there is no double-opt-in confirmation step. The creator is responsible for ensuring the embedding page carries the required consent disclosures (see Terms §4).
Sender identity: per list, the display name and a creator-controlled reply-to address. The reply-to is only used after the creator verifies it by clicking a token-signed link sent to that address.
Email content templates: subject lines, HTML/text bodies, preheader text, and any merge fields you compose for broadcasts and sequences. Stored until you delete them.
Open and click tracking — what we capture: when a recipient opens an email, the email loads a 1×1 transparent pixel from our servers; we record the message ID, the recipient's IP address, the User-Agent, and the timestamp. When a recipient clicks a tracked link, the click passes through a redirect URL and we record the same fields plus the destination URL before issuing the redirect. These records back the open/click counts shown to the creator.
Bounce / complaint handling: AWS SES delivers bounce, complaint, and delivery events to us. We store the event type, the SES-provided reason string (which may contain identifiers about the recipient's mail server), and the timestamp. Hard-bounced and complained addresses are flagged so we will not contact them again.
Unsubscribe tokens: every email contains a one-click unsubscribe link backed by a per-message HMAC token. Clicking it flips the subscriber to unsubscribed without requiring a login.

5. Payment processing

Paid plans are billed through Stripe. When you subscribe, your payment details (card number, billing address) are collected and stored directly by Stripe — Loopi Social never sees your card number. We receive only a Stripe customer ID, the subscription status, and the plan tier via Stripe's webhook events, which we use to grant or revoke access to paid features. Stripe's handling of your payment data is governed by Stripe's privacy policy.

6. Third-party services we send data to

By design, Loopi Social shares data with the following processors:

Amazon Web Services (us-east-1) — hosts the entire platform: Lambda compute, DynamoDB storage, S3 for media and link assets, SES for outbound mail, CloudFront for the web app. AWS receives all data we store and is subject to AWS-managed encryption at rest.
Anthropic — receives transcripts, the active profile's AI context, and the target platform when you generate AI drafts. Used only for that single API request. Anthropic's API does not, by default, use this data to train models.
Google — if you sign in with Google, we receive your email, Google subject ID, and (optionally) name and avatar per the OAuth scopes you grant. We request only standard sign-in scopes.
Connected social platforms (TikTok, Instagram, LinkedIn, YouTube, Bluesky) — receive your scheduled posts when they fire. Each platform's own privacy policy governs what they do with your content after publication.
Stripe — receives your payment information directly. We receive only a customer ID and subscription metadata.
Subscriber inbox providers — when a broadcast sends, the recipient's email provider (Gmail, Outlook, etc.) receives the email; their privacy policies govern handling on their side.

We do not sell or rent any data. We do not run advertising trackers. We do not load Google Analytics, Meta Pixel, or third-party JavaScript on the marketing pages or on public link pages.

7. Data retention

Account & profile rows: retained while the account is active. Deleted on request (see §8).
Media (videos, images, transcripts, thumbnails): hard-expired by S3 lifecycle policy 366 days after upload. Earlier deletion via the Media tab.
Link-page visitor analytics: retained until the creator deletes the corresponding link, or until the account is deleted.
Subscribers: retained until the creator deletes the list or the individual subscriber. Unsubscribed and bounced subscribers stay on the row with a status flag to prevent re-contact.
Mail templates, sequences, broadcasts: retained until deleted. Sent broadcasts retain delivery telemetry (open/click rows, bounce events) until you delete the broadcast.
Sessions: server-side TTL of 30 days; expired sessions are removed automatically.
OAuth state tokens (CSRF): server-side TTL of 10 minutes; expired tokens are removed automatically.

8. Your rights & how to remove data

Access: every piece of data tied to your account is visible inside /app. We do not keep a hidden second copy.
Deletion: deleting a post, media file, content template, sequence, broadcast, list, subscriber, link, or analytics row from the app removes the underlying row. To delete the entire account, email support@loopi.social from the address registered on the account; within 30 days we erase the account, profiles, lists, content, link pages, and connected-platform tokens. Content already published to social platforms or already delivered to subscriber inboxes is outside our control and is not deleted.
Subscriber unsubscribe: every email contains a one-click unsubscribe link. Subscribers can also email a creator's reply-to address to request removal.
Disconnect a platform: click "Disconnect" next to any platform connection in the Content tab; the stored OAuth tokens are deleted immediately.
EU / UK residents: you have rights of access, rectification, erasure, portability, and objection under GDPR / UK GDPR. For account-level data we act as the data controller. For subscriber data uploaded or captured by creators, the creator is the controller and Loopi Social is the processor — direct erasure or access requests to the creator first, or to support@loopi.social and we will forward them.
California residents: you have rights under the CCPA/CPRA to know, delete, and correct the personal information we hold. Loopi Social does not sell personal information and does not share it for cross-context behavioral advertising.
Washington residents: you have rights under the My Health My Data Act and the Washington Privacy Act where applicable. Loopi Social does not collect consumer health data.

9. Security

All traffic is served over HTTPS. Passwords are hashed with bcrypt before storage; we never store plaintext passwords and have no way to recover one. OAuth tokens for connected platforms, Stripe customer IDs, and all DynamoDB tables benefit from AWS-managed encryption at rest. Session JWTs are signed with an HMAC secret. Despite these measures, no online service is perfectly secure — if we become aware of a breach affecting your personal information, we will notify affected users by email within 72 hours, as required by applicable law.

10. Children

Loopi Social is intended for adults aged 18 years or older. We do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use this service or submit any information. If you believe a minor has registered, email support@loopi.social and we will remove the account.

11. International transfers

Loopi Social is hosted in the United States (AWS us-east-1). If you access the service from outside the US, your data is transferred to and processed in the US. By using Loopi Social you consent to this transfer. For EU/UK residents we rely on the appropriate transfer mechanisms (Standard Contractual Clauses) where required.

12. Changes to this policy

We may update this policy. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via an in-app notice and an email to account owners. Continued use of the service after the effective date constitutes acceptance.

13. Contact

Questions about this policy or about your data: support@loopi.social.