
Privacy Policy

Last updated: 12 June 2026

Who we are

Loop is operated by Ömer Gülen, Berlin, Germany (hello@stayinloop.dev). Loop is a real-time data and action layer for AI agents, accessible at stayinloop.dev and via API at api.stayinloop.dev.

For privacy matters, contact: hello@stayinloop.dev

What we collect and why

API key requests

When you request an API key, we collect your email address and an optional description of what you are building. This is stored in our database to provision and manage your key. Legal basis: contract performance (Art. 6(1)(b) GDPR). Retention: until you request deletion or the key is revoked.

API usage signals

Every call to the Loop API leaves a signal recording the signal type (demand, selection, or outcome), an opaque agent ID, and — for search calls — the query text truncated to 140 characters. Query text is stored only as aggregated tokens; raw query text is never displayed publicly. Outcome signals record only a fixed enum value (correct | wrong | booked | closed | other), never free text. Legal basis: legitimate interests in improving data quality (Art. 6(1)(f) GDPR). Retention: signals auto-expire after approximately 7 days.

Rate limiting counters

To enforce per-IP rate limits, we store a hashed per-IP, per-minute counter. No IP addresses are retained beyond the current rate-limit window. Legal basis: legitimate interests in preventing abuse (Art. 6(1)(f) GDPR).

Server logs

Our hosting provider (Vercel) collects standard access logs including IP address, user agent, timestamp, and HTTP status code. These are retained for up to 30 days under Vercel’s data processing terms. We do not use these logs for tracking or profiling.

What we do not collect

We do not use cookies, tracking pixels, or analytics SDKs. We do not build user profiles or share data with advertisers. We do not store raw query text in any persistent or queryable form.

Data processors

We use the following sub-processors:

International transfers

Your data is stored in the EU (Frankfurt). Vercel serves edge traffic globally but does not persistently store personal data outside the EU under our configuration.

Your rights (GDPR)

Under GDPR, you have the right to:

To exercise any right, email hello@stayinloop.dev. We respond within 30 days.

Security

All data is transmitted over HTTPS. Database access uses Row-Level Security with a deny-by-default policy. Application code holds only a publishable (anonymous) key; all writes go through security-definer stored procedures. API keys are stored as SHA-256 hashes only — we cannot recover your key if lost.

Changes to this policy

We will update the “Last updated” date and post any material changes here. Continued use of the API after a policy change constitutes acceptance.

Contact

Privacy questions: hello@stayinloop.dev
See also the Impressum for full operator details.