Privacy Policy
Last updated: May 14, 2026
This Privacy Policy describes how SourceLoop, operated by BrightSumo Technologies ("SourceLoop", "we", "us", "our"), collects, uses, shares, and protects information across:
- our marketing website at sourceloop.ai (the "Website");
- the SourceLoop application at app.sourceloop.ai, our APIs, dashboards, and integrations (the "Application"); and
- the SourceLoop tracking snippet, server-side endpoints, and SDKs that our customers install on their own websites and applications (the "Snippet").
Different parts of this policy apply to different categories of people. Please read carefully.
1. Our Role: Controller vs. Processor
1.1 Website visitors and Customers. When you visit the Website or use the Application as a SourceLoop customer or trial user, we act as the data controller of your personal information. This Privacy Policy describes that processing.
1.2 End Users of our Customers. When personal information is collected through the Snippet on a SourceLoop customer's website (for example, when you submit a form on a SourceLoop customer's site), the customer is the data controller and SourceLoop is the data processor acting on the customer's instructions. Our processing in this case is governed by the Data Processing Addendum at sourceloop.ai/dpa and the customer's own privacy policy. If you have questions about how a specific website uses SourceLoop, please contact that website operator directly.
2. Information We Collect
2.1 Information from Website visitors
When you visit sourceloop.ai, we collect:
- Log and device data: IP address, browser type and version, operating system, device type, referrer URL, pages viewed, and timestamps;
- Cookies and local storage: a session identifier, an anonymous attribution identifier, and consent state. See Section 7 for the full cookie list;
- Form submissions: name, work email, company, role, and any free-text message you submit through the contact, demo, or newsletter forms;
- Communications: the contents of emails, chat messages, and support tickets you send us.
2.2 Information from Customers (Application users)
When you create an Account and use the Application, we collect:
- Account data: name, email, password hash, organization name, role, time zone, and account preferences;
- Billing data: billing contact, billing address, VAT/GST identifiers, and payment-method tokens (full card numbers are processed by our payment provider and never stored on our systems);
- Configuration data: the websites and properties you connect, integration credentials and OAuth tokens, attribution rules, and dashboard settings;
- Usage data: dashboard views, queries, exports, audit logs, and API request metadata.
2.3 Information collected via the Snippet (on our Customers' properties)
When a SourceLoop customer installs the Snippet on their website or application, the Snippet collects information about End Users on behalf of the customer. We process this information as the customer's processor. Categories include:
- Page-view events: page URL, title, referrer, viewport size, time on page, and timestamps;
- Click and interaction events: form submissions, button clicks, file downloads, video plays, and other custom events the customer chooses to track;
- Attribution touchpoints: UTM parameters, click identifiers (such as Google's GCLID, Wbraid, Gbraid; Meta's fbclid; LinkedIn's li_fat_id; TikTok's ttclid; Microsoft's msclkid; Pinterest's epik; Reddit's rdt_cid; X's twclid; Snap's sccid), referring domain, search keyword, and landing page;
- Session and identifier data: a first-party visitor identifier, a session identifier, and consent state, stored in first-party cookies and local storage as described in Section 7;
- Network and device data: IP address (typically truncated or hashed for analytics), browser, operating system, device type, language, and time zone;
- Lead and contact data submitted by the End User: for example, a work email submitted through a form. This data is collected only when the End User voluntarily provides it on the customer's site.
SourceLoop does not knowingly collect sensitive personal information (such as government identifiers, payment-card numbers, biometric data, health information, precise geolocation, or data revealing race, ethnicity, religion, sexual orientation, or political views) through the Snippet. Customers are contractually prohibited from sending such information to the Service.
2.4 Information from third-party services
Where the Service offers an integration with a third-party service and you choose to connect it (for example, an advertising platform such as Google Ads, Meta Ads, LinkedIn Ads, TikTok Ads, Microsoft Advertising, Pinterest Ads, Snap Ads, Reddit Ads, or X Ads; a CRM such as HubSpot, Salesforce, or Pipedrive; or a billing provider such as Stripe), we receive information from that service strictly within the OAuth scopes or API permissions you authorize. The specific data depends on the service and the scope but typically includes account identifiers, campaign, ad-group, ad, and creative metadata, conversion and event data, audience identifiers, and aggregated performance metrics. SourceLoop accesses only the data required to deliver the features you have enabled, applies the principle of data minimisation, and does not combine data received from one third-party service with another except as necessary to produce the cross-channel attribution and reporting that is the core user-facing purpose of the Service. Section 8 sets out our specific commitments for each advertising-platform integration.
3. How We Use Information
We use the information described in Section 2 to:
- provide, operate, and improve the Website, Application, and Snippet;
- create and manage your Account, authenticate you, and process billing;
- respond to your inquiries and deliver customer support;
- send service-related communications (security alerts, billing notices, product updates that materially affect your use of the Service);
- send marketing communications about SourceLoop products, where permitted by law and subject to your right to opt out at any time;
- secure the Service against fraud, abuse, denial-of-service attacks, and unauthorized access;
- generate aggregated, de-identified statistics that cannot reasonably be used to identify any individual;
- comply with legal obligations and enforce our agreements.
We do not sell personal information, and we do not use End User Data collected through the Snippet for any purpose other than providing the Service to the customer who owns that data.
4. Legal Bases for Processing (GDPR / UK GDPR)
For individuals in the EU, EEA, or UK, our legal bases under Article 6(1) of the GDPR (and the UK GDPR equivalent) are:
- Performance of a contract (Art. 6(1)(b)): to provide the Application, process billing, and deliver the Service to Customers;
- Legitimate interests (Art. 6(1)(f)): to operate and secure our Website, prevent fraud and abuse, conduct product analytics, and send transactional communications. We balance these interests against your rights and freedoms;
- Consent (Art. 6(1)(a)): for non-essential cookies on the Website, marketing email subscriptions, and any other processing where consent is the most appropriate legal basis. You may withdraw consent at any time;
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, regulatory, or law-enforcement obligations.
For End User Data processed via the Snippet, the SourceLoop customer (acting as controller) determines the legal basis and is responsible for documenting it.
5. How We Share Information
We share personal information only as described below.
5.1 Sub-processors. We use a small number of vetted sub-processors that help us operate the Service, such as cloud hosting providers, database providers, email-delivery providers, and payment processors. A current list, including each sub-processor's role and location, is maintained at sourceloop.ai/subprocessors.
5.2 Integrations you authorize. When you connect a third-party service (for example, Google Ads, HubSpot, Stripe), we share data with that service only as needed to deliver the functionality you have requested and within the OAuth scopes you granted. You can revoke access at any time.
5.3 Customers (for End User Data). End User Data collected via the Snippet is shared with, and accessible to, the SourceLoop customer who installed the Snippet. We do not share End User Data across customers.
5.4 Legal compliance. We may disclose information if required by law, regulation, court order, or government demand, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of SourceLoop, our customers, or others.
5.5 Corporate transactions. If SourceLoop is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify you (and, where required by law, seek your consent) before your information becomes subject to a different privacy policy. For data obtained from Google APIs, any transfer in such a transaction will be made only with the affected user's explicit consent, in line with the Google API Services User Data Policy.
5.6 No sale, no advertising. We do not sell personal information. We do not use information collected via the Snippet, the Application, or any third-party advertising-platform API (including Google, Meta, LinkedIn, TikTok, Microsoft, Pinterest, Snap, Reddit, and X) for advertising, retargeting, or personalized advertising of our own or any other party's products.
6. Cookies and Tracking on the Website (sourceloop.ai)
On sourceloop.ai we use a minimal set of first-party cookies and local-storage entries:
- Strictly necessary: session identifier and consent state (cannot be disabled, no consent required under the ePrivacy Directive);
- Analytics: anonymous visitor identifier and attribution touchpoints, used to understand how the Website is used. Set only with consent in jurisdictions that require it;
- Marketing: none. We do not place advertising cookies or third-party tracking pixels on the Website.
Cookie lifetimes range from session-only to thirteen (13) months. You can manage cookies through your browser settings; blocking analytics cookies will not affect your ability to use the Website.
7. The Snippet on Customer Websites
When you visit a website that uses the SourceLoop Snippet (not sourceloop.ai), the Snippet may set first-party cookies and local-storage entries on that website's domain to:
- store a visitor identifier, session identifier, and the attribution touchpoints described in Section 2.3;
- persist consent state across pages on that website; and
- fall back to local storage where cookies are unavailable, blocked, or shorter-lived than required for accurate attribution.
SourceLoop does not set third-party cookies in End User browsers and does not engage in cross-site tracking outside the customer's properties. The customer is responsible for displaying a privacy notice and (where required) obtaining consent before the Snippet loads. To exercise your rights with respect to data collected via the Snippet, please contact the operator of the website on which you encountered SourceLoop.
8. Advertising-Platform Integrations
Where the Service offers an integration with a third-party advertising platform and you choose to connect it, the principles in this Section 8 apply to all data we obtain from, or transmit to, that platform on your behalf. References to a platform's developer terms or API agreement are provided for your convenience and do not limit either party's obligations under those terms; in the event of a conflict, the applicable platform terms control as between SourceLoop and the platform.
8.1 Google User Data & Ad-Platform Data
When you connect an advertising account (Google Ads, Meta, TikTok, LinkedIn, Microsoft, Pinterest, Reddit, Snapchat, or X / Twitter) to SourceLoop, we request OAuth access via the standard provider consent screen. The exact scopes are shown to you at the moment of authorization. For Google Ads specifically, we request the https://www.googleapis.com/auth/adwords scope.
What we access.
- aggregated performance data — campaigns, ad groups, ads, keywords, impressions, clicks, spend, conversions, and conversion value — for the date ranges you view in SourceLoop;
- for Google Ads and Microsoft Advertising (Bing), additional click-level data (click_view and MsClickId) used to resolve which specific ad drove each visit captured by our first-party tracking script, enabling multi-touch attribution;
- conversion events that you mark as goals, which we send back to Google Ads (via the ConversionUploadService) and to Meta (via the Conversions API) so the destination platform can optimise bids on first-party conversion signals. You can disable this at any time on a per-goal basis.
What we never do.
- we never create, edit, pause, or delete ad campaigns on your behalf;
- we never share your ad-platform data with third parties;
- we never train models or machine-learning systems on your ad-platform data;
- we never use your ad-platform data for our own advertising.
How we store it.
- OAuth access and refresh tokens are stored encrypted at rest in Supabase Vault (AES-256, keys managed by Supabase). Our application database holds only opaque UUIDs that reference the encrypted secrets — the raw tokens never appear in any application table. Decryption happens only inside server-side edge functions using a service-role credential;
- aggregated performance data is stored in Tinybird (ClickHouse);
- all ad-data tables in our Postgres database have Row-Level Security enabled, with access scoped to the website you own.
How tokens are rotated.
OAuth refresh tokens are rotated automatically every six (6) hours via a backend job. Old tokens are overwritten in place in the vault.
What happens when you disconnect. When you disconnect an ad platform from SourceLoop:
- we call the platform's OAuth revoke endpoint immediately, so the platform invalidates the grant on its side. After this point SourceLoop can no longer access your account even if a copy of the token existed elsewhere;
- we hard-delete the encrypted tokens from Supabase Vault;
- we schedule deletion of all stored campaign, ad-group, ad, keyword, and historical performance data. This completes within thirty (30) days; in practice it usually completes within minutes (Postgres rows are deleted immediately and Tinybird rows are removed during the next merge cycle).
We do not retain ad-platform data after disconnect. Tracker data (page views and conversion events captured from your own website) is separate from ad-platform data and follows its own retention windows described in Section 10.
Immediate deletion request.
If you require immediate deletion rather than the 30-day default commitment, email [email protected] and we will execute the deletion within five (5) business days.
Compliance statement.
SourceLoop's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. SourceLoop honours an equivalent commitment for Meta, TikTok, LinkedIn, Microsoft, Pinterest, Reddit, Snapchat, and X. The platform-by-platform commitments and links to each platform's developer terms are set out in Sections 8.3 through 8.7 below.
8.2 General principles applicable to every advertising-platform integration
In respect of every advertising-platform integration that you authorize:
- SourceLoop accesses only the OAuth scopes, API permissions, and account-level resources necessary to deliver the user-facing features you have enabled (data minimisation);
- data obtained from the platform is used solely to provide attribution, reporting, audience-management, and conversion-syndication features inside SourceLoop for the customer who authorized the connection, and not to advertise SourceLoop, advertise other customers' products, or build profiles for any purpose unrelated to the connecting customer's account;
- SourceLoop does not sell, rent, or share platform data with third parties for their own marketing or advertising purposes, and does not transfer platform data to other parties except (i) to the sub-processors listed at sourceloop.ai/subprocessors strictly to operate the Service, (ii) where you direct us to do so as part of an authorized integration, (iii) to comply with applicable law, or (iv) as part of a merger, acquisition, financing, or sale of assets under the conditions of Section 5.5;
- platform data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent), and access is restricted to authorized personnel under role-based access controls and audit logging;
- platform data is retained only for as long as the connection is active and the corresponding feature requires it, after which it is deleted or anonymised in line with the windows in Section 10 and our Data Processing Addendum;
- you may revoke SourceLoop's access at any time, either inside SourceLoop or via the platform's own permissions or business-integrations panel; revocation triggers deletion of associated tokens and dependent data within thirty (30) days, except where retention is required by law.
8.3 Google APIs and Limited Use
SourceLoop's use of information received from Google APIs (including Google Ads, Google Analytics, and Google Tag Manager) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, data obtained from Google APIs is:
- used only to provide or improve user-facing features of the Service that are prominent in the user-facing experience;
- not transferred to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets, and only with the user's explicit consent;
- not used or transferred for serving advertising, including retargeting, personalized advertising, or interest-based advertising;
- not used to determine credit-worthiness or for lending purposes; and
- not read by humans unless we have obtained the user's affirmative agreement, it is necessary for security purposes, it is necessary to comply with applicable law, or the data has been aggregated and is used for internal operations.
A more detailed disclosure of how SourceLoop uses Google API data is published at sourceloop.ai/google-api-disclosure. You can revoke SourceLoop's access to your Google account at any time via your Google Account permissions page.
8.4 Meta (Facebook and Instagram) Marketing Platforms
Where you connect a Meta Business or Ads account, SourceLoop's access to and use of information received from the Meta Marketing API, the Meta Conversions API, and other Meta business APIs is subject to Meta's Platform Terms and Developer Policies. In particular:
- SourceLoop accesses ad-account, campaign, ad-set, ad, and creative metadata; performance and conversion metrics; custom and lookalike audience identifiers (where you have lawfully built them); and the lead-form submissions you direct us to retrieve, in each case strictly within the permissions granted during Meta App Review and OAuth;
- where you have enabled server-side conversion uploads, SourceLoop transmits hashed user identifiers (typically SHA-256-hashed email addresses and phone numbers, together with Meta click identifiers such as fbc and fbp) to the Conversions API in line with Meta's customer-information requirements;
- SourceLoop does not use Platform Data to discriminate against users or for any purpose prohibited by Meta's Platform Terms, does not combine Platform Data with data from other sources except as needed to deliver the user-facing features you have enabled, and does not retain Platform Data longer than necessary;
- SourceLoop completes Meta's annual Data Use Checkup and other compliance attestations as required by Meta;
- you may revoke SourceLoop's access at any time via Meta Business Settings → Business Integrations, or by removing the SourceLoop app from your Facebook account settings; revocation will disable any features that depend on the affected Meta APIs;
- step-by-step instructions for requesting deletion of personal data SourceLoop holds about you (including data obtained from Meta on your behalf) are published at sourceloop.ai/data-deletion.
8.5 LinkedIn Marketing Platforms
Where you connect a LinkedIn Ads account, SourceLoop's access to and use of information received from the LinkedIn Marketing Developer Platform (including the LinkedIn Ads API, the Conversions API, and the Insight Tag) is subject to LinkedIn's API Terms of Use and the LinkedIn Marketing Developer Platform documentation. In particular:
- SourceLoop accesses ad-account, campaign-group, campaign, creative, and conversion metadata; performance metrics; matched-audience identifiers (where you have lawfully built them); and lead-gen form submissions you direct us to retrieve, in each case strictly within the OAuth scopes you authorize;
- where you have enabled the LinkedIn Conversions API, SourceLoop transmits SHA-256-hashed user identifiers (such as email and LinkedIn first-party identifiers) in line with LinkedIn's Conversions API requirements;
- SourceLoop does not sell, sublicense, or transfer LinkedIn data to third parties, does not use LinkedIn data for any purpose other than delivering the features you have enabled, and does not combine LinkedIn data with data from other sources except as needed to produce attribution and reporting for your account;
- you may revoke SourceLoop's access at any time via LinkedIn → Settings & Privacy → Data privacy → Permitted services, or by disconnecting the integration inside SourceLoop.
8.6 TikTok for Business Marketing Platforms
Where you connect a TikTok Ads Manager account, SourceLoop's access to and use of information received from the TikTok Marketing API and the TikTok Events API is subject to TikTok's Marketing API Terms of Service and the TikTok for Business Developer Terms. In particular:
- SourceLoop accesses ad-account, campaign, ad-group, ad, and creative metadata; performance metrics; audience identifiers (where you have lawfully built them); and conversion data, in each case strictly within the OAuth scopes you authorize;
- where you have enabled the TikTok Events API, SourceLoop transmits SHA-256-hashed user identifiers (such as email, phone number, and the TikTok click identifier ttclid) in line with TikTok's Events API customer-information requirements;
- SourceLoop does not use TikTok data to advertise to or profile end users for any purpose other than delivering the features you have enabled, does not sell or transfer TikTok data to third parties, and does not combine TikTok data with data from other sources except as needed for attribution and reporting in your account;
- you may revoke SourceLoop's access at any time via TikTok Ads Manager → Account Settings → User Permissions, or by disconnecting the integration inside SourceLoop.
8.7 Microsoft Advertising, Pinterest, Snap, Reddit, and X
Where you connect any of the platforms listed below, SourceLoop accesses ad-account, campaign, performance, audience, and conversion data strictly within the OAuth scopes or API permissions you authorize, and applies the general principles set out in Section 8.2. SourceLoop's use of each platform's API is subject to that platform's developer terms, including:
- Microsoft Advertising (Microsoft Advertising API, Universal Event Tracking, Conversion API): the Microsoft Advertising API License Agreement;
- Pinterest Ads (Pinterest API for Advertisers, Conversions API): the Pinterest Developer Guidelines and Pinterest Business Terms of Service;
- Snap (Snap Marketing API, Conversions API): the Snap Marketing API Terms;
- Reddit Ads (Reddit Ads API, Conversions API): the Reddit Data API Terms and applicable Reddit advertising policies;
- X (formerly Twitter) Ads (X Ads API, Conversions API): the X Developer Agreement and Policy.
8.8 Server-side conversion APIs
Several of the integrations referenced above (including the Meta Conversions API, LinkedIn Conversions API, TikTok Events API, Microsoft Conversion API, Pinterest Conversions API, Snap Conversions API, Reddit Conversions API, and Google Enhanced Conversions or offline-conversion uploads) allow customers to transmit conversion events from their own systems to the destination advertising platform via SourceLoop. Where you enable one of these features:
- SourceLoop applies SHA-256 hashing (or the platform's specified hashing) to email addresses, phone numbers, and other personally-identifiable parameters before transmission, in line with each platform's customer-information requirements;
- SourceLoop does not retain the unhashed identifiers any longer than is required to perform the hashing and queue the transmission;
- you represent and warrant that you have a lawful basis (under GDPR, the UK GDPR, the ePrivacy Directive, the CCPA / CPRA, and any other applicable law) to share the relevant end-user data with the destination platform, that you have provided the disclosures required by the destination platform's terms (including Meta's Business Tools Terms, LinkedIn's Conversions API documentation, and equivalent documents for each other platform), and that you have obtained any consent that the law of the end user's jurisdiction requires.
8.9 Your responsibilities
As the customer connecting an advertising-platform account to SourceLoop, you are responsible for: (a) holding the rights necessary to authorize SourceLoop to access the platform on your behalf; (b) configuring scopes and permissions appropriately; (c) maintaining a privacy notice on your own properties that discloses your use of the relevant platform's tracking pixels, conversions APIs, and audience features; (d) where required by law, obtaining consent from end users before any pixel fires or any conversion event is transmitted; and (e) honouring user requests to opt out, delete, or restrict their data. Where you are unsure of the appropriate disclosures or consent mechanism for a given platform, refer to that platform's developer documentation linked above, or contact us at [email protected] for guidance.
9. International Data Transfers
SourceLoop is headquartered in the United States, and our sub-processors operate globally. When personal information is transferred from the EU, EEA, UK, or other jurisdictions to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms, together with supplementary measures where required.
10. Data Retention
We retain personal information only as long as needed for the purposes described in this policy, after which we delete or anonymize it. Specific retention periods include:
- Website log data: up to 90 days;
- Marketing form submissions: up to 24 months from the last interaction, unless you unsubscribe sooner;
- Customer Account data: for the duration of the Subscription plus a 30-day grace period after cancellation, then a further 7 years for billing and tax records as required by law;
- End User Data (collected via the Snippet): as configured by the customer, with a default of 13 months for attribution data and as long as the Subscription is active for conversion records.
11. Security
We maintain administrative, physical, and technical safeguards designed to protect personal information, including encryption in transit (TLS 1.2+) and at rest, role-based access controls, audit logging, secure software-development practices, vulnerability management, and annual third-party security testing. No method of transmission or storage is 100% secure, but we work continuously to improve our security posture.
12. Your Privacy Rights
Depending on where you live, you may have the following rights with respect to your personal information:
- Access a copy of the personal information we hold about you;
- Correct inaccurate or incomplete personal information;
- Delete personal information, subject to legal retention requirements;
- Restrict or object to certain processing, including direct marketing;
- Port your data in a structured, machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your local data-protection authority (in the EU/EEA/UK) or attorney general (in California).
To exercise these rights with respect to data we hold as controller, or to delete personal data SourceLoop holds about you (including data obtained from an advertising-platform integration you previously authorized), see our dedicated Data Deletion page or email [email protected]. To exercise rights with respect to End User Data collected via the Snippet (where SourceLoop is processor), please contact the operator of the website on which you encountered SourceLoop. We will assist our customers in responding to your request.
California residents: Under the CCPA / CPRA, you also have the right to know the categories of personal information we collect, sell, or share (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination for exercising your rights. Authorized agents may submit requests on your behalf with proof of authority.
13. Do Not Track and Global Privacy Control
We honor browser-level signals where required by law. In particular, we treat a Global Privacy Control (GPC) signal from a California resident as a valid opt-out of "sale" or "sharing" of personal information under the CCPA / CPRA. The Snippet's behavior with respect to such signals on customer websites is configured by each customer.
14. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us at [email protected] and we will take prompt steps to delete it.
15. Third-Party Links
The Website and Application may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party services you visit.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. If changes are material, we will provide additional notice (for example, by email or by a banner on the Website) before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact
Questions, concerns, or requests about this Privacy Policy can be sent to [email protected].