Privacy Policy

This Privacy Policy describes how SourceLoop, Inc. ("SourceLoop", "we", "us", "our") collects, uses, shares, and protects information across:

1. our marketing website at sourceloop.ai (the "Website");
2. the SourceLoop application at app.sourceloop.ai, our APIs, dashboards, and integrations (the "Application"); and
3. the SourceLoop tracking snippet, server-side endpoints, and SDKs that our customers install on their own websites and applications (the "Snippet").

Different parts of this policy apply to different categories of people. Please read carefully.

1. Our Role: Controller vs. Processor

1.1 Website visitors and Customers. When you visit the Website or use the Application as a SourceLoop customer or trial user, we act as the data controller of your personal information. This Privacy Policy describes that processing.

1.2 End Users of our Customers. When personal information is collected through the Snippet on a SourceLoop customer's website (for example, when you submit a form on a SourceLoop customer's site), the customer is the data controller and SourceLoop is the data processor acting on the customer's instructions. Our processing in this case is governed by the Data Processing Addendum at sourceloop.ai/dpa and the customer's own privacy policy. If you have questions about how a specific website uses SourceLoop, please contact that website operator directly.

2. Information We Collect

2.1 Information from Website visitors

When you visit sourceloop.ai, we collect:

1. Log and device data: IP address, browser type and version, operating system, device type, referrer URL, pages viewed, and timestamps;
2. Cookies and local storage: a session identifier, an anonymous attribution identifier, and consent state. See Section 7 for the full cookie list;
3. Form submissions: name, work email, company, role, and any free-text message you submit through the contact, demo, or newsletter forms;
4. Communications: the contents of emails, chat messages, and support tickets you send us.

2.2 Information from Customers (Application users)

When you create an Account and use the Application, we collect:

1. Account data: name, email, password hash, organization name, role, time zone, and account preferences;
2. Billing data: billing contact, billing address, VAT/GST identifiers, and payment-method tokens (full card numbers are processed by our payment provider and never stored on our systems);
3. Configuration data: the websites and properties you connect, integration credentials and OAuth tokens, attribution rules, and dashboard settings;
4. Usage data: dashboard views, queries, exports, audit logs, and API request metadata.

2.3 Information collected via the Snippet (on our Customers' properties)

When a SourceLoop customer installs the Snippet on their website or application, the Snippet collects information about End Users on behalf of the customer. We process this information as the customer's processor. Categories include:

1. Page-view events: page URL, title, referrer, viewport size, time on page, and timestamps;
2. Click and interaction events: form submissions, button clicks, file downloads, video plays, and other custom events the customer chooses to track;
3. Attribution touchpoints: UTM parameters, click identifiers (such as Google's GCLID, Wbraid, Gbraid, Meta's fbclid, LinkedIn's li_fat_id), referring domain, search keyword, and landing page;
4. Session and identifier data: a first-party visitor identifier, a session identifier, and consent state, stored in first-party cookies and local storage as described in Section 7;
5. Network and device data: IP address (typically truncated or hashed for analytics), browser, operating system, device type, language, and time zone;
6. Lead and contact data submitted by the End User: for example, a work email submitted through a form. This data is collected only when the End User voluntarily provides it on the customer's site.

SourceLoop does not knowingly collect sensitive personal information (such as government identifiers, payment-card numbers, biometric data, health information, precise geolocation, or data revealing race, ethnicity, religion, sexual orientation, or political views) through the Snippet. Customers are contractually prohibited from sending such information to the Service.

2.4 Information from third-party services

When you connect a third-party service to SourceLoop (for example, Google Ads, Meta Ads, LinkedIn Ads, HubSpot, Salesforce, Pipedrive, Stripe), we receive information from that service within the scopes you authorize. The specific data depends on the service and the scope but typically includes account identifiers, campaign and conversion metadata, contact records, and aggregated performance data. See Section 8 for our specific commitments around Google APIs.

3. How We Use Information

We use the information described in Section 2 to:

1. provide, operate, and improve the Website, Application, and Snippet;
2. create and manage your Account, authenticate you, and process billing;
3. respond to your inquiries and deliver customer support;
4. send service-related communications (security alerts, billing notices, product updates that materially affect your use of the Service);
5. send marketing communications about SourceLoop products, where permitted by law and subject to your right to opt out at any time;
6. secure the Service against fraud, abuse, denial-of-service attacks, and unauthorized access;
7. generate aggregated, de-identified statistics that cannot reasonably be used to identify any individual;
8. comply with legal obligations and enforce our agreements.

We do not sell personal information, and we do not use End User Data collected through the Snippet for any purpose other than providing the Service to the customer who owns that data.

4. Legal Bases for Processing (GDPR / UK GDPR)

For individuals in the EU, EEA, or UK, our legal bases under Article 6(1) of the GDPR (and the UK GDPR equivalent) are:

1. Performance of a contract (Art. 6(1)(b)): to provide the Application, process billing, and deliver the Service to Customers;
2. Legitimate interests (Art. 6(1)(f)): to operate and secure our Website, prevent fraud and abuse, conduct product analytics, and send transactional communications. We balance these interests against your rights and freedoms;
3. Consent (Art. 6(1)(a)): for non-essential cookies on the Website, marketing email subscriptions, and any other processing where consent is the most appropriate legal basis. You may withdraw consent at any time;
4. Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, regulatory, or law-enforcement obligations.

For End User Data processed via the Snippet, the SourceLoop customer (acting as controller) determines the legal basis and is responsible for documenting it.

5. How We Share Information

We share personal information only as described below.

5.1 Sub-processors. We use a small number of vetted sub-processors that help us operate the Service, such as cloud hosting providers, database providers, email-delivery providers, and payment processors. A current list, including each sub-processor's role and location, is maintained at sourceloop.ai/subprocessors.

5.2 Integrations you authorize. When you connect a third-party service (for example, Google Ads, HubSpot, Stripe), we share data with that service only as needed to deliver the functionality you have requested and within the OAuth scopes you granted. You can revoke access at any time.

5.3 Customers (for End User Data). End User Data collected via the Snippet is shared with, and accessible to, the SourceLoop customer who installed the Snippet. We do not share End User Data across customers.

5.4 Legal compliance. We may disclose information if required by law, regulation, court order, or government demand, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of SourceLoop, our customers, or others.

5.5 Corporate transactions. If SourceLoop is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify you (and, where required by law, seek your consent) before your information becomes subject to a different privacy policy. For data obtained from Google APIs, any transfer in such a transaction will be made only with the affected user's explicit consent, in line with the Google API Services User Data Policy.

5.6 No sale, no advertising. We do not sell personal information. We do not use information collected via the Snippet, the Application, or Google APIs for advertising, retargeting, or personalized advertising.

6. Cookies and Tracking on the Website (sourceloop.ai)

On sourceloop.ai we use a minimal set of first-party cookies and local-storage entries:

1. Strictly necessary: session identifier and consent state (cannot be disabled, no consent required under the ePrivacy Directive);
2. Analytics: anonymous visitor identifier and attribution touchpoints, used to understand how the Website is used. Set only with consent in jurisdictions that require it;
3. Marketing: none. We do not place advertising cookies or third-party tracking pixels on the Website.

Cookie lifetimes range from session-only to thirteen (13) months. You can manage cookies through your browser settings; blocking analytics cookies will not affect your ability to use the Website.

7. The Snippet on Customer Websites

When you visit a website that uses the SourceLoop Snippet (not sourceloop.ai), the Snippet may set first-party cookies and local-storage entries on that website's domain to:

1. store a visitor identifier, session identifier, and the attribution touchpoints described in Section 2.3;
2. persist consent state across pages on that website; and
3. fall back to local storage where cookies are unavailable, blocked, or shorter-lived than required for accurate attribution.

SourceLoop does not set third-party cookies in End User browsers and does not engage in cross-site tracking outside the customer's properties. The customer is responsible for displaying a privacy notice and (where required) obtaining consent before the Snippet loads. To exercise your rights with respect to data collected via the Snippet, please contact the operator of the website on which you encountered SourceLoop.

8. Google APIs and Limited Use

SourceLoop's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained from Google APIs is:

1. used only to provide or improve user-facing features of the Service that are prominent in the user-facing experience;
2. not transferred to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets, and only with the user's explicit consent;
3. not used or transferred for serving advertising, including retargeting, personalized advertising, or interest-based advertising;
4. not used to determine credit-worthiness or for lending purposes; and
5. not read by humans unless we have obtained the user's affirmative agreement, it is necessary for security purposes, it is necessary to comply with applicable law, or the data has been aggregated and is used for internal operations.

You can revoke SourceLoop's access to your Google account at any time via your Google Account permissions page.

9. International Data Transfers

SourceLoop is headquartered in the United States, and our sub-processors operate globally. When personal information is transferred from the EU, EEA, UK, or other jurisdictions to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms, together with supplementary measures where required.

10. Data Retention

We retain personal information only as long as needed for the purposes described in this policy, after which we delete or anonymize it. Specific retention periods include:

1. Website log data: up to 90 days;
2. Marketing form submissions: up to 24 months from the last interaction, unless you unsubscribe sooner;
3. Customer Account data: for the duration of the Subscription plus a 30-day grace period after cancellation, then a further 7 years for billing and tax records as required by law;
4. End User Data (collected via the Snippet): as configured by the customer, with a default of 13 months for attribution data and as long as the Subscription is active for conversion records.

11. Security

We maintain administrative, physical, and technical safeguards designed to protect personal information, including encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, secure software-development practices, vulnerability management, and annual third-party security testing. No method of transmission or storage is 100% secure, but we work continuously to improve our security posture.

12. Your Privacy Rights

Depending on where you live, you may have the following rights with respect to your personal information:

1. Access a copy of the personal information we hold about you;
2. Correct inaccurate or incomplete personal information;
3. Delete personal information, subject to legal retention requirements;
4. Restrict or object to certain processing, including direct marketing;
5. Port your data in a structured, machine-readable format;
6. Withdraw consent at any time where processing is based on consent;
7. Lodge a complaint with your local data-protection authority (in the EU/EEA/UK) or attorney general (in California).

To exercise these rights with respect to data we hold as controller, email [email protected]. To exercise rights with respect to End User Data collected via the Snippet (where SourceLoop is processor), please contact the operator of the website on which you encountered SourceLoop. We will assist our customers in responding to your request.

California residents: Under the CCPA / CPRA, you also have the right to know the categories of personal information we collect, sell, or share (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination for exercising your rights. Authorized agents may submit requests on your behalf with proof of authority.

13. Do Not Track and Global Privacy Control

We honor browser-level signals where required by law. In particular, we treat a Global Privacy Control (GPC) signal from a California resident as a valid opt-out of "sale" or "sharing" of personal information under the CCPA / CPRA. The Snippet's behavior with respect to such signals on customer websites is configured by each customer.

14. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us at [email protected] and we will take prompt steps to delete it.

15. Third-Party Links

The Website and Application may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party services you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. If changes are material, we will provide additional notice (for example, by email or by a banner on the Website) before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

17. Contact

Questions, concerns, or requests about this Privacy Policy can be sent to [email protected].