Legal - Privacy Policy

Looped acts as a data controller when you create an account, visit our websites, or interact with us directly.

When you use Looped in a team or organisation context, the account owner or organisation administrator is typically the data controller for team member data, and Looped acts as a data processor on their behalf. If you have questions about how your organisation handles your data, please contact your account administrator.

When you create a Looped account, we collect:

• Email address
• Name
• Profile picture (from your OAuth provider)

We use Auth0 for secure authentication. Your login credentials are managed by Auth0 and your chosen OAuth provider (Google, Microsoft, etc.) - we never see or store your passwords.

To provide time tracking functionality, we store:

• Time entries with duration, task names, and descriptions
• Project information including titles, codes, and statuses
• Team member assignments and roles
• Custom tags for organizing your work
• Email reminder preferences (address, frequency, timezone)
• Custom report configurations

To enable invoicing functionality, we store:

• Client information: names, VAT numbers, email addresses, phone numbers
• Business addresses (your address and client addresses)
• Invoice details: line items, amounts, dates, statuses
• Bank account information for payment instructions
• Payment integration credentials (encrypted)
• Invoice styling preferences

When you connect your calendar to Looped Track, we access calendar data strictly for the purpose of importing events as time entries. This is a read-only integration.

Google Calendar:

• Access scopes: openid, email, profile, calendar.readonly
• Data accessed: Event subjects, start times, and end times from your selected calendar
• Data stored: OAuth tokens (encrypted), selected calendar ID, imported event IDs
• We do not access event attendees, locations, descriptions, or any other calendar metadata

Microsoft Calendar:

• Access scopes: openid, profile, email, User.Read, Calendars.Read, offline_access
• Data accessed: Event subjects, start times, and end times from your selected calendar
• Data stored: OAuth tokens (encrypted), account email, selected calendar ID, imported event IDs
• We do not access event attendees, locations, descriptions, or any other calendar metadata

Important: You can disconnect your calendar at any time from your Looped Track settings. When you disconnect, we immediately delete all stored OAuth tokens and calendar integration data. Previously imported time entries remain in your account but are no longer linked to calendar events.

We integrate with several payment processors to enable invoice payments:

• Stripe
• Yoco
• Payfast
• Coinbase Commerce

Payment data (credit card numbers, banking information) is handled directly by these PCI-compliant processors. We never see or store your customers' payment card details.

We store: checkout session IDs, integration parameters, and merchant credentials (encrypted) required to facilitate payments on your behalf.

We use PostHog for product analytics with privacy-focused configuration:

• Only identified users are tracked (no anonymous tracking)
• Feature flag data for product features
• Usage patterns to improve our products
• All analytics are proxied through our own infrastructure

We do NOT collect:

• IP addresses
• Precise location data
• Device fingerprints
• Browsing history outside of Looped

When you use AI-powered features in Looped, we send certain data to third-party AI providers for processing:

• Calendar event titles (for smart time entry suggestions)
• Task names and descriptions
• Time entry data (durations, project names)

This data is sent only when you actively use AI features. Our AI providers process this data solely to provide the requested functionality. When accessed via their APIs, these providers do not use your data to train their models. If you prefer not to have this data processed by AI providers, you can choose not to use AI-powered features.

We may use the following AI providers:

• OpenAI — Privacy Policy
• Anthropic — Privacy Policy

We do NOT send to AI providers:

• Your account credentials or passwords
• Email addresses or contact information
• Payment or billing information
• Client details from invoices
• Bank account information

Note: If you include personal information in your calendar event titles, task names, or descriptions (such as someone's name), that information may be sent to AI providers if you use AI classification features.

We use cookies for essential functionality only:

• Authentication cookies (Auth0 session, domain: .looped.sh)
• Theme preference cookie (dark/light mode)
• Team preference cookies

We do not use advertising cookies or third-party tracking cookies. Our services do not respond to "Do Not Track" browser signals because we do not engage in cross-site tracking.

Google and Microsoft integrations: These are inbound integrations only. We receive data from these services (such as calendar events) when you authorise the connection. We do not send your Looped data to Google or Microsoft.

AI providers: When you use AI-powered features in Looped, we send certain data to our AI providers (such as OpenAI or Anthropic) for processing. This may include:

• Calendar event titles (for smart time entry suggestions)
• Task names and descriptions
• Time entry data

These providers process this data to provide AI features and do not use data received via their APIs to train their models. You can choose not to use AI-powered features if you prefer not to have this data processed by AI providers.

If you believe we are processing your personal data in violation of applicable law, you have the right to lodge a complaint with a supervisory authority:

South Africa: Information Regulator — www.inforegulator.org.za