Privacy Policy
Loops — tryloops.ai
Last updated: June 10, 2026
At Loops, protecting your personal data is our priority. This policy explains how we process your personal data in compliance with Regulation (EU) 2016/679 of 27 April 2016 (the "GDPR") and French Data Protection Law n° 78-17 of 6 January 1978 (together the "Applicable Regulations").
1. Who is the data controller?
The data controller is Loops , a French SAS (société par actions simplifiée).
- Registered office: Bureau 326, 59 rue de Ponthieu, 75008 Paris, France
- SIRET: 103 479 358 00014
- VAT: FR62103479358
- Privacy contact: jules@tryloops.ai
2. What personal data do we collect?
Personal data is any data that identifies an individual directly or indirectly. We may collect the following personal data:
- Identification data : full name, email address;
- Data relating to your professional life : company name, company website, position;
- Account and login data : hashed password, connection logs, IP address;
- Third-party sign-in data : if you choose to sign in using a third-party authentication service (e.g. Google), your name and email address may be shared with us by that service. We never collect your third-party account password;
- User content : product images you upload, prompts you write, and ad creatives generated by the platform;
- Economic and financial data : billing name and address. Payment card details are collected and stored directly by our payment processor (Stripe) — Loops never stores card numbers, and the CVV is never stored;
- Browsing data : IP address, pages viewed, date and time of connection, browser, operating system;
- Any information you choose to send us as part of a contact or support request.
We do not collect special categories of personal data (health, political opinions, etc.) and our service is not directed at individuals under 18.
3. On what legal basis, for what purposes and for how long do we process your personal data?
| Purpose | Legal basis (GDPR Art. 6) | Retention period |
|---|---|---|
| Providing the service: account management, generating ad creatives from your inputs | Performance of a contract (Art. 6(1)(b)) | Personal data and user content are retained for the duration of your account and deleted upon account deletion. Connection logs are kept for 12 months. |
| Managing contracts, orders, invoices and the customer relationship | Performance of a contract; legal obligation | Data is retained for the duration of the business relationship. Transaction data (excluding banking data) is archived for probationary purposes for 5 years. Invoices are archived for 10 years (French Code de commerce, Art. L123-22). |
| Service security, fraud prevention and abuse detection | Legitimate interest (Art. 6(1)(f)) | Security logs are kept for 12 months. |
| Service communications (transactional emails) | Performance of a contract | Duration of your account. |
| Newsletters and direct marketing to customers | Legitimate interest in informing our customers of our latest news | 3 years from the last contact with us. You may unsubscribe at any time. |
| Building and managing a customer and prospect database | Legitimate interest in developing and promoting our business | Customers: duration of the business relationship. Prospects: 3 years from the last contact. |
| Responding to your information requests and other inquiries | Legitimate interest in responding to your inquiries | 3 years from your last contact. |
| Audience measurement and analytics cookies | Your consent | 25 months maximum. |
| Compliance with our legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) | As required by the applicable law. |
| Processing data subjects' requests to exercise their rights | Legitimate interest in responding to your requests and keeping records of them | If we request a proof of identity, it is retained only for the time necessary to verify your identity, then deleted. |
4. No use of your data for AI model training
Your data is never used to train AI models. Neither Loops nor any of our sub-processors use your product images, prompts, generated creatives, or any other personal data to train, fine-tune, or improve machine learning models. Our AI provider (OpenAI) is engaged via its API under terms that contractually exclude the use of API data for model training.
5. Who are the recipients of your personal data?
Your personal data is accessible to:
- Authorized staff of Loops , on a strict need-to-know basis;
- Our sub-processors , listed below, strictly to the extent necessary to operate the service. Each sub-processor is bound by a data processing agreement (DPA) under GDPR Article 28;
- Public and private organisations , exclusively where required to comply with our legal obligations.
| Sub-processor | Role | Data shared | Location of processing | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Database and storage for the application | Email address, user content (product images, generated creatives) | European Union (project hosted in an EU region) | N/A — EU processing |
| Hostinger | Web hosting infrastructure for the platform | Application database (as hosting provider of the service) | European Union (Lithuania) | N/A — EU processing |
| Stripe | Payment processing | Email address, billing information (name, address, payment details) | EU / United States | DPA incl. EU Standard Contractual Clauses; EU-U.S. Data Privacy Framework |
| OpenAI | AI generation engine (via API) | Product images and user prompts, transmitted at generation time | United States | DPA incl. EU Standard Contractual Clauses; API data excluded from model training |
We do not sell personal data. We do not share personal data with any third party for advertising purposes.
When Loops processes data on behalf of a business client (for example, assets provided by an agency for creative production), Loops acts as a processor for that client and processes such data solely on the client's documented instructions, under a DPA available on request.
6. Are your personal data transferred outside the European Union?
Our primary processing and storage take place in the European Union. Where a sub-processor processes data outside the EU/EEA (Stripe, OpenAI — United States), transfers are secured by appropriate safeguards under Chapter V of the GDPR:
- Either the destination country benefits from an adequacy decision of the European Commission under Article 45 of the GDPR (including, for certified US companies, the EU-U.S. Data Privacy Framework); or
- The transfer is governed by the Standard Contractual Clauses approved by the European Commission under Article 46 of the GDPR, together with supplementary technical measures (encryption in transit).
7. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (TLS) and at rest;
- Access to production data restricted to authorized personnel on a need-to-know basis, with authentication controls;
- Logical separation of customer data;
- Logging and monitoring of access to production systems;
- Vendor due diligence and DPAs with all sub-processors.
In the event of a personal data breach likely to result in a risk to your rights, we will notify the CNIL within 72 hours and inform affected users as required by GDPR Articles 33 and 34.
8. What rights can you exercise on your personal data?
You have the following rights with regard to your personal data:
- Right to be informed (Art. 13 and 14) — which is the purpose of this policy;
- Right of access (Art. 15): access all your personal data at any time;
- Right to rectification (Art. 16): rectify inaccurate, incomplete or obsolete data;
- Right to erasure ("right to be forgotten", Art. 17): request deletion of your data;
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20): receive the data you provided us in a standard machine-readable format;
- Right to object (Art. 21): object to processing based on legitimate interest, including direct marketing at any time;
- Right to withdraw your consent at any time (Art. 7), without affecting the lawfulness of processing carried out before withdrawal;
- Right to define instructions relating to the retention, deletion and communication of your personal data after your death (French law);
- Right to lodge a complaint with a competent supervisory authority (Art. 77) — in France: CNIL , 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr .
You can exercise these rights by writing to jules@tryloops.ai . We respond within one month. We may ask you to provide additional information or documents to prove your identity.
9. What cookies do we use?
The platform uses strictly necessary cookies for authentication and session management, which do not require consent. Any non-essential cookies (audience measurement, analytics) are deposited only with your prior consent, which you can withdraw at any time via your cookie settings. Cookies have a maximum lifespan of 13 months, and data collected through audience measurement cookies is retained for a maximum of 25 months.
10. Modifications
We may modify this privacy policy at any time, in particular to comply with any regulatory, jurisprudential, editorial or technical change. These modifications will apply on the date of entry into force of the modified version. You will be informed of any significant change by email or in-app notice.
11. Contact information for data privacy matters
Contact email:
jules@tryloops.ai
Contact address: Loops SAS — Bureau 326, 59 rue de Ponthieu, 75008
Paris, France