Legal

Privacy Policy

Last updated: 5 July 2026

1. Who We Are

Loopion Ltd ("Loopion", "we", "us", "our") is a meeting accountability platform that captures actions from meetings, tracks their completion, and resurfaces outstanding items automatically. We are registered in England & Wales. Our contact email is privacy@loopion.ai.

Our role: for account, billing, website, and support data we act as the data controller. For meeting content processed on behalf of a customer workspace (recordings, transcripts, action items, and participant details), the customer is the controller and Loopion acts as a data processor under our Data Processing Agreement. If you attended a meeting captured by a Loopion customer and want your data amended or deleted, you can contact the meeting organiser or us directly — see Section 8.

2. Data We Collect

2.1 Account Data

When you sign up, we collect:

  • Name and email address (via Microsoft SSO, email + password, one-time email code, or passkey sign-in)
  • Workspace and team membership information
  • Profile preferences and settings
  • Where you connect a calendar (Microsoft 365 or Google), OAuth tokens and calendar event details needed to schedule the assistant — stored encrypted

2.2 Meeting Data

When Loopion joins your meetings, we process:

  • Audio recordings — temporarily captured during the meeting for transcription purposes only. Audio files are processed and deleted; we do not store raw recordings.
  • Transcripts — generated from audio using AI transcription services. Stored within your workspace.
  • Speaker identification — voice identity data used to attribute actions to the correct participants.
  • Meeting metadata — date, time, duration, participant names, calendar event details.

2.3 Action Data

  • Actions extracted from meeting transcripts
  • Action owners, due dates, and completion status
  • Carry-forward history and accountability metrics

2.4 Usage Data

  • Pages visited, features used, session duration
  • Device type, browser, IP address (used for security and fraud prevention)
  • Error, performance, and security logs, including limited operational diagnostics (such as screenshots of the assistant's own meeting-join screen) used to debug capture failures

2.5 Billing Data

  • Payments are processed by Stripe. We never see or store your full card number — Stripe handles card details on their PCI-DSS compliant infrastructure.
  • We store your billing email, plan, subscription status, invoices, and usage records needed to bill you correctly.

2.6 Marketing & Website Data

  • If you request content or a demo via our website, we store the email address you provide and the page it came from.
  • We do not run third-party advertising or analytics trackers on our website — see our Cookie Policy.

3. How We Use Your Data

We use your data to:

  • Provide the Loopion service — joining meetings, transcribing, extracting actions, tracking accountability
  • Post recap messages to your Microsoft Teams channels
  • Send notifications about outstanding actions
  • Monitor and improve service quality and reliability — we do not use your meeting content to train AI models, and our AI providers are contractually prohibited from doing so
  • Process payments and manage your subscription
  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Provide customer support
  • Comply with legal obligations

4. Legal Basis (GDPR)

We process your data under the following legal bases:

  • Contract performance — processing necessary to deliver the service you've signed up for
  • Legitimate interests — improving our service, preventing fraud, ensuring security
  • Consent — where we need your explicit consent (e.g., marketing communications)
  • Legal obligation — where we're required to process data by law

5. Third-Party Processors

We use carefully selected third-party services to process your data. Each processor is bound by data processing agreements. See our full subprocessors list.

Key processors include:

  • OpenAI — AI transcription and action extraction (API inference only; no model training on your data)
  • Anthropic — AI processing (Claude models), where configured
  • Supabase — database hosting (EU region)
  • Vercel — application hosting (EU region — Dublin)
  • Microsoft Azure — compute infrastructure and email delivery
  • Microsoft Graph API — calendar and Teams integration
  • Google Calendar API — calendar integration for Google Workspace users
  • Stripe — payment processing
  • Resend — transactional email delivery

6. Data Retention

  • Audio files — processed and automatically deleted within 7 days of capture
  • Raw transcripts — retained according to your workspace retention setting (default 90 days; configurable from immediate deletion up to 365 days or indefinite). Transcript text is purged automatically when the retention period expires.
  • Action items & summaries — retained for the lifetime of your workspace, or until you delete them
  • Account data — retained until account deletion, plus 30 days for backup recovery
  • Operational diagnostics & security logs — retained for a limited period and then deleted automatically
  • Billing records — retained for 6 years as required by UK tax law

To request deletion of your account or workspace data, contact privacy@loopion.ai and we will action it within 30 days.

7. Data Storage & Security

Your data is stored on servers in the European Union (EU). We implement comprehensive security measures including:

  • AES-256-GCM encryption for sensitive data at rest
  • TLS 1.3 for data in transit
  • HMAC SHA-256 request authentication
  • 8 layered security systems with 30+ feature flags
  • Automated threat detection, fingerprinting, and circuit-breaker lockdown
  • Self-healing recovery systems

For full details, see our Security page.

Breach notification: if a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and inform affected customers without undue delay, as required by UK GDPR Articles 33–34.

8. Your Rights

Under GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — restrict processing of your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact privacy@loopion.ai. We will respond within one month.

Meeting participants who are not Loopion users: these rights also apply to you. Where Loopion processes your data as a processor on behalf of a customer workspace, we may need to refer your request to the meeting organiser (the controller), but we will always help facilitate it.

9. International Transfers

Some of our processors (e.g., OpenAI, Anthropic, Stripe) are based in the United States. Where data is transferred outside the UK or EU/EEA, we ensure appropriate safeguards are in place, including the UK International Data Transfer Addendum and Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by encryption in transit and at rest.

10. Children's Privacy

Loopion is designed for business use and is not intended for individuals under 16 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or through the Loopion platform. The "Last updated" date at the top of this page indicates when this policy was last revised.

12. Contact Us

For questions about this privacy policy or our data practices, contact:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.