LoopSuite is a trading name of Trovelogic Ltd, a company registered in England and Wales.
We are the data controller for the personal data we collect about our customers. Where our customers use LoopSuite to contact third-party leads, we act as a data processor on behalf of our customers, who are the controllers of that outreach.
Worldwide availability. LoopSuite is operated from the United Kingdom and is available to businesses worldwide (primarily English-speaking markets today). Regardless of where you use LoopSuite from, the data-handling practices described in this policy apply. Where your local law grants you additional rights (for example, CCPA/CPRA in California, the Australian Privacy Act, or Canadian PIPEDA), we respect those rights — see §17 Your Rights and §21 California Residents.
Four promises we make and back up with how the platform is built:
This policy explains how we collect, use, store, and protect personal data when you:
It also explains the rights of individuals whose publicly available business contact information is found through our LoopGen (lead generation) feature.
When you sign up, we collect:
During onboarding and ongoing use, we collect and analyse:
When you connect a third-party service to LoopSuite (for example Gmail, Google Calendar, social media, advertising accounts, a CRM, a shop platform, a messaging channel, or any of the other integrations we support), we collect and process:
We only access the data you explicitly authorise through the connection flow. Authentication tokens and connected-service data are handled through our sub-processor Composio — see §7 Third-Party Integrations (via Composio).
All conversations with your AI teammate are stored to provide context and continuity across sessions, improve responses based on your preferences, and maintain a record of instructions and decisions you have made.
We track how you use the platform, including features used, content generated, outreach activity, subscription events, and token/usage metrics for billing and cost control.
When you use our lead-generation feature, we find potential business contacts on your behalf by searching the public web. We collect:
Important: We find this information exclusively through web search. We do not scrape LinkedIn or social media, scrape directories or databases, purchase data lists, access private databases, or collect personal (non-business) contact information.
How payment information is collected depends on where you subscribe. See §12 Subscription and Billing for the full breakdown. In summary:
If you enable push notifications on our mobile apps, we store a device push token (issued by Apple for iOS or Google Firebase Cloud Messaging for Android) so we can send notifications you've opted into. Tokens are tied to your account and rotated by the operating system. See §13 Push Notifications.
We automatically collect IP address, browser type and version, device information, pages visited, and referring website.
We use minimal cookies: authentication tokens (essential) and preferences (functional). We do not use advertising or third-party tracking cookies.
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service | Account info, business data, conversations | Contract performance (Art. 6(1)(b)) |
| Process subscription payments | Account info, subscription state from Stripe/Apple/Google via RevenueCat | Contract performance (Art. 6(1)(b)) |
| Generate leads | Business profile, target criteria | Legitimate interest (Art. 6(1)(f)) |
| Send outreach on your instruction | Lead and contact data, message content, connected-service credentials | Contract performance; your instruction as controller (Art. 6(1)(b) / Art. 6(1)(f)) |
| Act in third-party services on your instruction (email, calendar, social, ads, CRM, shop, messaging, etc.) | Business profile, connected-service credentials, action-specific data | Contract performance; OAuth consent |
| Run scheduled automations on your instruction | Business profile, connected-service credentials, automation parameters | Contract performance (Art. 6(1)(b)) |
| Send push notifications you've opted into | Device push token, notification content | Contract performance; consent for marketing-style notifications |
| Improve the Service | Usage data, aggregated analytics | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud | Account info, technical data | Legitimate interest (Art. 6(1)(f)) |
| Legal obligations | Account and billing records | Legal obligation (Art. 6(1)(c)) |
LoopSuite uses large language models and other AI services to power your AI teammate, analyse your business, generate content (text, images, video), find and research leads, optimise advertising, and provide business insights.
Your chat messages and business context are sent to AI providers for processing. Today we use:
Each customer runs inside an isolated environment — your data is never mixed with other customers' data. Both providers operate under Data Processing Agreements with us and do not use your data to train their models. API-tier usage by enterprise customers is excluded from model training by default under OpenAI and Google's enterprise terms.
We do not use AI to make decisions that produce legal effects or similarly significantly affect you. You remain in control: the AI suggests and drafts; you approve or edit; and any action that contacts a customer, spends money, or sends a message is either explicitly authorised by you or run inside an autonomy level you have configured.
All outreach (email, messaging, or otherwise) sent from your business identity on your instruction:
Legal basis: For UK/EU recipients, we rely on legitimate interest for B2B communications. For US recipients, emails comply with CAN-SPAM. For Canadian recipients, we rely on the implied consent exception for publicly available business information.
Your responsibilities: When using lead generation, you are the data controller for the leads found and contacted. LoopSuite acts as your data processor.
LoopSuite connects to third-party business services (email, calendar, cloud storage, social media, advertising platforms, CRMs, shop platforms, accounting tools, messaging channels, and more) through Composio, our integration sub-processor. When you connect a service to LoopSuite:
Responsibility: Composio is our sub-processor under a Data Processing Agreement. LoopSuite remains accountable to you for how your data is handled. Composio is accountable to us under our DPA with them.
Composio's own terms: When you interact with Composio directly (for example, during OAuth consent screens or the Composio-hosted connection page), Composio's own terms and privacy policy also apply:
Disconnecting: You can disconnect any third-party service at any time by asking your AI teammate or from your settings. On disconnection we stop using that service and ask Composio to revoke the stored tokens. You may also revoke tokens directly from the third-party service's own permission page (for example, Google Account → Connected apps).
Your responsibilities: You are responsible for ensuring you have the right to connect the accounts you connect, and for complying with the terms of each third-party service (for example, WhatsApp's Business Terms of Service when you connect WhatsApp, or Meta's Platform Terms when you connect Facebook or Instagram).
Recommended: use a dedicated business account, not your personal account. Wherever a service supports separate sub-accounts or business-tier accounts, we strongly recommend connecting those rather than your main personal account. For example: create a dedicated Gmail/Google Workspace user for LoopSuite to act through, use a separate social media manager role rather than your personal admin, and use a business-tier account on shop or CRM platforms. This keeps permissions minimal, makes revocation cleaner if you ever disconnect, and reduces the blast radius of any credential issue.
LoopSuite can send messages on your behalf through messaging channels you connect (for example, email, WhatsApp Business, SMS, social DMs, Slack, Discord). Messages are sent from your business identity or number, not from LoopSuite. Recipients see your business as the sender.
Data processed: the recipient's contact details (phone number, email, handle), message content, delivery status, and (where available) read receipts. This data is stored within your isolated LoopSuite account.
Your responsibilities: You are the data controller for messages sent via LoopSuite on your instruction. LoopSuite acts as your data processor. You must ensure you have appropriate consent or legal basis to contact recipients, and you must comply with applicable messaging regulations (UK PECR, EU ePrivacy Directive, CAN-SPAM where relevant to US recipients) and with the terms of each messaging platform you use.
Opt-out: If a recipient asks to stop receiving messages, your AI teammate will mark them and prevent further outreach on that channel.
A LoopSuite company account can have multiple team members with different roles (e.g. admin, member). The company owner is the primary account holder. Each team member's own account information is covered by this policy. The company owner decides who has access to the shared business data within the account.
Your AI teammate can run automations on a schedule (for example: a daily inbox triage, a weekly review, a monthly report) and take actions autonomously at the autonomy level you have configured. Each automation operates inside your isolated account and uses only the connections you have enabled. Automation run logs are stored alongside chat conversations (see §16 Data Retention).
To work as a useful long-term teammate, your AI writes persistent notes to a memory area inside your isolated account (for example: remembered preferences, decisions made, a running ledger of your business). This memory is derived from conversations you have had with it and from data you have asked it to organise. You can review, edit, or clear this memory at any time by asking your AI teammate or through your account settings.
How your subscription is processed depends on where you subscribe.
Subscriptions taken directly on our website are processed by Stripe. We never see, handle, or store your full card details. Stripe provides us with the last four digits of your card, card expiry date, billing address, and Stripe customer identifiers. Refund requests for web subscriptions are handled by us in accordance with our Terms of Service.
Subscriptions purchased inside our iOS app are processed by Apple under the App Store terms you accepted when you created your Apple ID. Apple handles all payment data. We receive subscription status and an anonymous customer identifier through our mobile-subscription manager RevenueCat. Refunds for iOS subscriptions are requested through Apple (reportaproblem.apple.com); we cannot issue them on Apple's behalf.
Subscriptions purchased inside our Android app are processed by Google under the Google Play terms you accepted when you created your Google account. Google handles all payment data. We receive subscription status and an anonymous customer identifier through RevenueCat. Refunds for Android subscriptions are requested through Google Play.
If you enable push notifications on our mobile apps, we store a device push token issued by Apple Push Notification service (APNs) on iOS, or Firebase Cloud Messaging (FCM) on Android. The token lets us deliver notifications you've opted into. Tokens are tied to your account, refreshed by the operating system, and revoked when you sign out or disable notifications.
You can turn push notifications off at any time in your device's system settings or in the app's notification settings.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU / USA |
| Fly.io | Isolated per-customer environment hosting | EU (London) by default; other regions on request |
| OpenAI | AI processing (chat, reasoning, transcription, image/video generation fallback) | USA (EU-US DPF) |
| AI processing (Gemini for image, video, and fallback text) | USA (EU-US DPF) | |
| Composio | Sub-processor for all third-party service integrations (OAuth tokens, tool routing) | USA (EU-US DPF) |
| Stripe | Payment processing (web subscriptions) | USA (EU-US DPF) |
| RevenueCat | Mobile subscription management (iOS/Android receipt verification, entitlement state) | USA (EU-US DPF) |
| Apple | iOS in-app purchase processing + APNs push delivery | USA (EU-US DPF) |
| Google (Play / FCM) | Android in-app purchase processing + Firebase Cloud Messaging push delivery | USA (EU-US DPF) |
| Mailgun | Transactional email delivery (account emails, notifications from LoopSuite) | USA / EU |
| Brave | Web search (for lead generation and research) | USA |
| Firecrawl | Public-web scraping (for analysing your website and researching leads) | USA |
| ElevenLabs | Text-to-speech audio generation (when you use voice replies) | USA (EU-US DPF) |
Services you connect through Composio (Gmail, Calendar, Drive, social media, advertising platforms, CRMs, shop platforms, messaging channels, etc.) are controlled by their own operators and are only involved when you explicitly connect your account. We do not sell your personal data to anyone.
Where personal data is transferred internationally, we rely on the UK/EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), and adequacy decisions as appropriate.
| Data type | Retention period |
|---|---|
| Account and business profile | Duration of account + 30 days |
| Chat conversations, AI memory, and workspace files | Duration of account + 30 days |
| Archived workspaces (after cancellation, for possible restore) | Up to 12 months from cancellation, then permanently deleted |
| Lead data | Duration of account; deleted on closure |
| Email and messaging outreach records | Duration of account + 6 months |
| Automation and cron run logs | Duration of account; rotated after 48 hours for isolated runs |
| Opt-out / unsubscribe lists | Indefinitely (for compliance) |
| Payment / billing records | 7 years (UK tax requirements) |
| Support tickets | Duration of account + 12 months |
| Device push tokens | Until you disable notifications or sign out |
| Technical / server logs | 90 days |
You have the right to: access, rectification, erasure, restriction, portability, object to processing, withdraw consent, and lodge a complaint with the ICO.
To exercise any of these rights, contact us at [email protected]. We will respond within one month.
Rights of lead recipients: If your business contact information has been found through our lead-generation service, you can opt out, request deletion, or request to know what data we hold.
LoopSuite is a business tool and is not intended for use by anyone under 18. We do not knowingly collect data from children.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Authentication token | Keeps you logged in | Essential | Session / 30 days |
| Preferences | Remembers settings | Functional | 1 year |
We do not currently use any third-party advertising or tracking cookies. If we introduce analytics cookies in the future, we will update this policy and implement a cookie consent banner.
If you are a California resident, you have additional rights: right to know, right to delete, right to correct, right to opt out of sale/sharing. We do not sell or share your personal information.
You may lodge a complaint with the UK Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
https://ico.org.uk
If you connect your Google Workspace account to LoopSuite, the following applies to how we access and handle your Google user data:
| Google Service | Access Level | How We Use It |
|---|---|---|
| Google Calendar | Read & Write | LoopSuite syncs marketing campaign milestones, content deadlines, and publication dates with your Google Calendar. We create, update, and remove calendar events on your behalf. We also read your calendar to detect scheduling conflicts and suggest optimal content times. |
| Google Docs | Read-only | You can select a Google Doc to import as a draft blog post, email newsletter, or content brief within LoopSuite. Your AI teammate LoopSuite can analyse a selected document to suggest headlines, social media excerpts, and SEO improvements. We only read documents you explicitly select — we do not scan or index all documents. |
| Google Contacts | Read-only | You can import contacts into LoopSuite's CRM to use as recipients for email campaigns, outreach, or lead nurturing workflows. We use contact data (name, email, company, job title) to segment audiences for targeted campaigns. |
| Google Sheets | Read & Write | You can import marketing data from Sheets (e.g., product catalogues, lead lists, content calendars) and export campaign performance reports and analytics summaries back to Sheets for sharing with your team. |
You can disconnect your Google account at any time from your LoopSuite settings. You can also revoke access directly from your Google Account permissions page. Upon disconnection, we stop accessing your Google data. Previously imported data (e.g., contacts imported into your CRM) remains in your LoopSuite account until you delete it or close your account.
LoopSuite's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We may update this policy from time to time. Material changes will be communicated via email and/or in-app notification.
For any questions about this privacy policy or your personal data: