Last Updated: August 28, 2025
Loopp AI, Inc. (“Loopp,” “we,” “us,” or “our”) is a Delaware corporation that operates https://loopp.com and provides a platform and related services that connect startups and enterprises with vetted AI engineers and teams to design, build, and scale intelligent solutions (the “Services”). This Privacy Policy explains how we collect, use, disclose, retain, transfer, and safeguard personal information and describes the rights and choices available to individuals under applicable privacy, consumer, and data-protection laws worldwide. By accessing or using the Services, you acknowledge that you have read, understand, and agree to this Privacy Policy; if you do not agree, you must discontinue use.
Plain English. We’re a global platform that matches companies with vetted AI talent. This policy tells you what data we collect, how we use it, who we share it with, how long we keep it, and what rights you have.
This Policy applies to (i) visitors to our site, (ii) business clients, (iii) talent candidates/contractors, and (iv) individuals whose personal data is processed during recruiting, screening, contracting, or project delivery. For Loopp’s own website, accounts, billing, support, and marketplace operations (e.g., maintaining a talent network), Loopp acts as a controller (or “business” under CPRA). When Loopp processes personal data solely on a client’s documented instructions (e.g., running assessments inside a client’s ATS, hosting client-supplied candidate lists, white-label delivery), Loopp acts as a processor/service provider. A Data Processing Addendum (DPA) is available upon request for enterprise customers.
Plain English. Sometimes Loopp decides how your data is used (controller). Sometimes we only process it for a client’s purpose under their instructions (processor). We’ll sign a DPA when needed.
“Personal Information/Personal Data (PI)” means information that identifies, relates to, describes, or can reasonably be linked to an individual. “Sensitive Personal Information (SPI)” includes categories treated as sensitive under GDPR/UK GDPR, the California CPRA, Brazil’s LGPD, and similar laws (e.g., precise location, government IDs, biometric/health data, racial/ethnic origin, union membership, financial account credentials). “Processing” means any operation on PI (collection, storage, use, disclosure, transfer, deletion). “Applicable Law” includes U.S. federal and state privacy laws (e.g., CPRA), GDPR/UK GDPR, LGPD (Brazil), PIPEDA (Canada), PDPA (Singapore), POPIA (South Africa), and other relevant global laws.
Plain English. Personal data is anything that can identify you; sensitive data is extra-protected. “Processing” covers anything we do with data. We follow U.S. and international privacy laws.
We collect:
Plain English. We collect account info, job profiles, resumes, skills, assessment results, billing details, usage data, and project paperwork. We avoid sensitive data; if you provide it for identity or checks, we lock it down and don’t use it to profile you.
PI is collected (i) directly from you (forms, uploads, interviews, assessments), (ii) automatically via cookies/SDKs/logs, (iii) from service providers/partners (payment processors, assessment/coding tools, identity/background-check providers, ATS/HRIS integrations), and (iv) from public sources (professional directories, GitHub, LinkedIn, websites you make public).
Plain English. You give us data; our systems collect some; trusted vendors and connected tools provide some; and some comes from your public profiles.
We process PI to: (a) operate, secure, and improve the platform; (b) source, vet, assess, match, and place AI engineers with clients; (c) schedule interviews and collect structured feedback; (d) verify identity and prevent fraud, abuse, or security incidents; (e) manage accounts, subscriptions, contracting, billing, and compliance; (f) provide support and service communications; (g) perform analytics and product R&D, including evaluating and tuning matching models and workflows using aggregated or de-identified data; (h) conduct optional marketing and client development (subject to opt-out/consent as required); and (i) comply with legal obligations, enforce agreements, and protect rights.
Plain English. We use data to run matching and delivery, keep things secure, get paid, support you, improve the product, and meet legal duties.
We retain PI only as long as reasonably necessary for the purposes above or to satisfy legal, tax, accounting, audit, and dispute-resolution obligations: account/profile & identifiers (life of account + 2 years), client billing/transactions (7 years), usage logs/telemetry (12–24 months), assessment artifacts (24 months unless earlier deletion is requested or prohibited by client instructions), recruiting/interview materials (24 months from last activity), contracts/SOW/NDAs (contract term + 7 years), SPI for KYC/identity or background checks (minimum required period, typically ≤ 1 year). When no longer needed, PI is deleted or irreversibly de-identified.
Plain English. We keep data only as long as needed for business and legal reasons, then we delete or de-identify it.
Where required (EU/UK/Brazil), processing rests on: contractual necessity (accounts, matching, interviews, delivery, payments); legitimate interests (fraud/security, product improvement, marketplace operations, B2B relationship management) balanced against data-subject rights; consent (certain marketing, cookies, some recordings or background checks when required); and legal obligations (tax, accounting, sanctions/export, lawful requests). In Canada (PIPEDA) we rely on express or implied consent; in Singapore (PDPA) and South Africa (POPIA) we rely on consent or other permitted grounds such as legitimate interests or contractual necessity.
Plain English. We need a legal reason to use data, usually to provide services, improve and secure the platform, follow the law, or because you said yes.
We use cookies and similar tools to authenticate sessions, remember preferences, measure performance, run limited A/B tests, and support marketing. Where legally required (e.g., EU/UK), we obtain opt-in consent for non-essential cookies. Users can manage cookies in browser settings or in-product controls. We honor Global Privacy Control (GPC) signals by treating them as valid CPRA “do not sell or share” requests.
Plain English. Cookies help the site work and improve. You can control them. If your browser sends a GPC signal, we treat it as an opt-out.
We disclose PI to: service providers/processors (hosting, storage, analytics, payments, assessment/coding tools, video/communications, identity verification, background checks, ATS/HRIS integrations) under contracts that prohibit use for their own purposes; professional advisers (lawyers, auditors, insurers) under confidentiality; authorities as required by law; and business transferees in mergers, acquisitions, or asset sales. We do not sell PI for monetary consideration and do not “share” PI for cross-context behavioral advertising as defined by CPRA. If practices change, we will update this Policy and provide required opt-out links.
Plain English. We share data with vendors who help run Loopp, with our advisors, and when the law requires. We don’t sell or share your data for targeted ads.
We maintain administrative, technical, and physical safeguards appropriate to risk, including access controls, encryption in transit and at rest where appropriate, least-privilege design, vulnerability management, logging/monitoring, and incident response procedures. We will notify affected customers and/or regulators of a personal data breach without undue delay as required by Applicable Law (e.g., GDPR/UK timelines, U.S. state/Delaware rules, LGPD/POPIA/PIPEDA).
Plain English. We protect data using industry-standard security and will notify you and regulators if a qualifying breach occurs.
The Services may use algorithmic techniques to rank, score, or suggest talent matches based on skills, experience, assignment requirements, availability, and other criteria. Such profiling does not produce legal or similarly significant effects without human involvement; human reviewers validate key placement decisions. Where GDPR/UK GDPR applies, individuals have the right to object to profiling for direct marketing and may request human review of any decision made solely by automated means that produces legal or similarly significant effects (Loopp does not rely on solely automated decisions for such effects). Loopp regularly evaluates models and workflows for accuracy and bias and implements governance to mitigate unfair impacts.
Plain English. We use algorithms to help rank and match talent, but people make the important decisions. You can object to marketing profiling and ask for a human review.
Where permitted by law and with any required consent, Loopp or its providers may verify identity (e.g., government ID checks, liveness/anti-fraud) and conduct background checks for specific roles. If U.S. FCRA or similar laws apply, Loopp will provide required disclosures/authorizations and follow adverse-action procedures. Results are used only for vetting and compliance, retained for the minimum period necessary, and shared solely with authorized parties. We do not collect or store biometric identifiers for unrelated purposes.
Plain English. For certain roles we may confirm identity or run background checks, using proper legal notices, and we keep results only as long as necessary.
Because Loopp operates globally, PI may be transferred to and processed in countries that may not provide the same level of protection as your home jurisdiction (including the U.S.). For restricted transfers (e.g., EEA/UK/Brazil), we implement safeguards such as EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), adequacy decisions where available, and reasonable supplementary measures. Copies or summaries of relevant transfer mechanisms are available upon request, subject to redactions.
Plain English. Data may cross borders. We use approved legal tools (like SCCs) to keep it protected.
California residents may: know/access categories and specific PI; delete PI (subject to exceptions); correct inaccurate PI; opt out of sale/share (Loopp does not sell/share); limit use of SPI (not applicable, we do not use SPI to infer characteristics); and exercise rights without discrimination. Submit requests to [email protected] with the subject “California Request.” We verify identity reasonably (e.g., account/email checks) and respond within 45 days, extendable once by 45 days with notice. We honor GPC signals.
Plain English. In California you can see, correct, or delete your data and opt out (though we don’t sell/share).
Individuals have rights to access, rectify, erase, restrict, object (including to legitimate-interest processing and direct marketing), data portability, withdraw consent without affecting prior processing, and lodge a complaint with a supervisory authority. Requests: [email protected]. Where legally required in future, Loopp will identify its EU/UK representative or DPO in this Policy.
Plain English. In the EU/UK you have strong rights over your data. Ask us and we’ll help.
Data subjects may request confirmation of processing, access, correction, anonymization, blocking or deletion, portability, information on sharing, and revocation of consent. Requests: [email protected].
Plain English. In Brazil you can see, fix, move, delete your data, and ask who it’s shared with.
Individuals may access and correct PI and withdraw consent subject to legal/contractual limits; we will explain consequences of withdrawal where relevant.
Plain English. In Canada you can see and correct your data and withdraw consent.
Individuals may access and correct PI and withdraw consent. Complaints may be directed to the PDPC (Singapore) or Information Regulator (South Africa) after contacting Loopp.
Plain English. You can access/correct data, withdraw consent, and escalate concerns to your regulator if needed.
Individuals may have rights to access, correct, delete, portability, and opt out of targeted advertising/profiling. We provide an appeals process for denied requests: email [email protected] with the subject “Privacy Appeal.”
Plain English. Many U.S. states offer similar rights; you can appeal if we deny a request.
How to submit. Email [email protected] describing your request and jurisdiction. We will verify identity, respond within the legal timeframe, and minimize verification data, deleting it after verification.
The Services are not directed to children under 16. We do not knowingly collect PI from children. If you believe a child provided PI, contact [email protected] and we will delete it.
Plain English. Loopp is for professionals, not kids. Tell us if we have a child’s info and we’ll remove it.
We collect only PI reasonably necessary for stated purposes and do not process PI for materially different, unrelated, or incompatible purposes without notice and, where required, consent. To improve matching quality and platform performance, we may use aggregated or de-identified data to train or evaluate algorithms and features. We do not use identifiable candidate profiles to publicly train third-party foundation models; where vendor tools are configured to learn from inputs, we employ settings or agreements to disable vendor training on your identifiable data or obtain consent if required.
Plain English. We take only what we need and use it for the reasons we said. We improve our system using de-identified/aggregated data, not your identifiable profile for public AI training.
The Services may link to or integrate third-party sites, SDKs, and platforms (e.g., ATS, code-test tools, video providers, payment or identity vendors, social networks). Those services have their own privacy policies and terms; Loopp is not responsible for their practices. Workflows performed on third-party platforms are governed by those platforms’ rules.
Plain English. Tools you connect have their own policies; please review them.
We maintain records of processing, data-subject requests, and sub-processors to demonstrate compliance. Sub-processors are engaged under written contracts imposing confidentiality, security, and data-protection obligations equivalent to Loopp’s. Where required, we conduct Data Protection Impact Assessments (DPIAs) and transfer impact assessments for high-risk processing or restricted transfers.
Plain English. We keep compliance records, carefully vet vendors, and run formal risk reviews when needed.
We may update this Policy from time to time. Material changes will be communicated by posting a notice on the Site or emailing account holders. The “Last Updated” date reflects the latest version. If Loopp becomes subject to GDPR/UK GDPR requirements to appoint an EU/UK representative or a Data Protection Officer, we will update this Policy to include those details.
Plain English. We’ll tell you about important updates. If we must appoint an EU/UK rep or DPO, we’ll add that info here.
For questions or to exercise privacy rights, contact: [email protected]. If you require a postal address for your jurisdiction or wish to serve formal notices, email us and we will provide the appropriate address and contact details.
Plain English. Email us for any privacy request or question; we’ll provide a mailing address if you need to send a letter.
In the past 12 months Loopp collected: Identifiers (for accounts, security, communications) disclosed to service providers/advisors/authorities as required; Professional/Employment data (for recruiting, matching, placements) disclosed to assessment tools, identity/background vendors, and client HR/ATS systems with consent or legitimate interest; Commercial data (for billing, fraud prevention, support) disclosed to payment processors and accountants; Internet/Usage data (for analytics, performance, security) disclosed to analytics/monitoring vendors; Communications (for support, quality, compliance) disclosed to communications vendors; Inferences (to improve matching/experience) disclosed to analytics vendors. We do not sell PI and do not “share” PI for cross-context behavioral advertising, and we do not use SPI to infer protected characteristics.
Plain English. What we collect, why, who sees it, and a clear “we don’t sell or share for ads.”