1. Overview
LoopMade, Inc. (“LoopMade”) builds an engagement engine for newsletter publishers. This policy describes how we collect, use, and share information about (a) the people who sign up for and operate a LoopMade workspace (“Publishers”) and (b) the readers who interact with a LoopMade embed on a Publisher's site (“Visitors”).
For Publishers, LoopMade is the data controller. For Visitors, the Publisher is the data controller and LoopMade is the data processor acting on the Publisher's instructions.
2. Information we collect
From Publishers
- Account data: name, email address, password (hashed), and optional profile metadata you supply.
- Workspace data: the name of your newsletter, the niches you target, brand kit (logo, colors, font, brand name), connected ESP credentials (encrypted at rest with AES-256-GCM), and webhook URLs and secrets.
- Content: decks, items, blocks, sponsor creatives, layouts, and templates you create. We treat all such content as confidential unless you publish it.
- Billing data: handled by Stripe; we receive customer identifiers, subscription status, and the last four digits of any saved card. We do not receive or store full card numbers or CVCs.
- Product telemetry: pages visited within the admin, events that diagnose feature use (e.g. paywall_viewed, first_play_received). Forwarded to our analytics processors (PostHog) under contract.
- Support communications: emails you send to our support address.
Automatically
- Server logs containing IP address, request timestamp, and basic request metadata, retained for up to 30 days for security and debugging.
- Errors reported to Sentry: stack traces, request paths, and a best-effort browser environment for diagnosis.
3. How we use information
We use the information described above to:
- Provide, maintain, and improve the Service;
- Render embeds, generate preview images, route email captures to your ESP, and operate every other feature you ask us to;
- Compute analytics aggregates and surface them in your admin dashboards;
- Send transactional email (welcome, billing receipts, weekly digest, product updates you opted into);
- Detect, prevent, and investigate fraud, abuse, and security incidents;
- Comply with applicable law and enforce our Terms.
We do not sell personal information. We do not use Publisher content or Visitor data to train third-party AI models.
4. Embed visitors
When a Visitor loads a LoopMade embed on a Publisher's site, we record the following on the Publisher's behalf:
- A randomly-generated visitor_id stored in first-party browser localStorage scoped to the embed origin — used to count unique visitors and detect repeat plays. It is not a cross-site tracking identifier.
- The embed origin (the URL of the page hosting the iframe), the referrer if available, the coarse device class (mobile, tablet, desktop) inferred from the user agent, and the IP address (used only to derive coarse device class and to rate-limit abuse; the raw IP is not stored long-term beyond security log retention).
- The events the Visitor produces: impression, start, answer_submitted, complete, cta_click, share_click, email_capture, block_view, block_vote, block_complete.
- If the Visitor submits an email to a capture form, the email address (forwarded to the Publisher's connected ESP if configured, otherwise stored in LoopMade's Publisher-accessible storage).
Publishers are responsible for posting any required notices on the page hosting the embed and for honoring data-subject rights requests. LoopMade will assist with such requests at the Publisher's direction.
5. Cookies and local storage
On loopmade.io we set a small number of strictly necessary cookies (auth session, CSRF token). We use first-party browser localStorage in admin and embed surfaces to persist UI state and the Visitor id. We do not use cross-site advertising cookies on either surface.
6. How we share information
We share information with our subprocessors (listed below) only as needed to operate the Service. We share information with law enforcement only when required by valid legal process, and we will notify you (where lawful) before disclosing information about your workspace. We may share aggregated and de-identified statistics that cannot reasonably be used to identify you.
7. Subprocessors
- Supabase — Postgres, authentication, edge functions (US region).
- Vercel — application hosting and edge delivery.
- Stripe — payment processing.
- Resend — transactional and digest email.
- PostHog — product analytics (when configured).
- Sentry — error monitoring (when configured).
- Cloudflare — DNS and DDoS protection.
We notify Publishers of new subprocessors at least thirty (30) days before they begin processing data on our behalf, via the admin and the changelog page.
8. Retention
We retain Publisher data for as long as your workspace is active. After cancellation, we retain Publisher data for thirty (30) days to support reactivation, then we delete it from active systems. Backups are retained for up to ninety (90) days and then purged on a rolling schedule.
Visitor analytics events are retained for thirteen (13) months unless a Publisher requests earlier deletion. Email capture records persist until the Publisher deletes them or the workspace is closed.
9. Your rights
Depending on where you live, you may have rights to access, correct, port, or delete your personal information; to opt out of certain processing; and to lodge a complaint with a supervisory authority. Email privacy@loopmade.io to exercise any of these rights — we respond within thirty (30) days.
10. International transfers
LoopMade is operated from the United States. By using the Service you consent to the transfer of your information to the U.S. We rely on Standard Contractual Clauses for transfers of EEA / UK / Swiss personal data and require equivalent protections from our subprocessors.
11. Security
We encrypt data in transit (TLS 1.2+) and at rest (provider-managed encryption plus AES-256-GCM for sensitive fields like ESP credentials). We follow the principle of least privilege for production access and rotate credentials regularly. No system is perfectly secure; please report suspected vulnerabilities to security@loopmade.io.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If we learn we have collected personal information from a child, we will delete it.
13. Changes to this policy
We will update this page when our practices change. Material changes will be announced by email and in the admin at least fifteen (15) days before taking effect.
14. Contact
Privacy questions or requests: privacy@loopmade.io. For general support, email hello@loopmade.io.