# Privacy Policy - ClosedLoop AI > ClosedLoop AI Privacy Policy and Data Protection Information --- # Privacy Policy How we collect, use, and protect your data Effective: July 20, 2025 Updated: July 20, 2025 21 min read Table of Contents [1. Introduction](#introduction)[2. Information We Collect](#information-collect)[3. How We Use Your Information](#how-we-use)[4. Legal Basis for Processing](#legal-basis)[5. Data Sharing and Disclosure](#data-sharing)[6. Data Retention](#data-retention)[7. International Data Transfers](#international-transfers)[8. Data Security](#data-security)[9. Your Rights](#your-rights)[10. California Privacy Rights](#california-rights)[11. Children's Privacy](#childrens-privacy)[12. Third-Party Links](#third-party-links)[13. Changes to This Policy](#changes)[14. Contact Us](#contact-us) ## 1. Introduction ClosedLoop Labs LLC, doing business as "ClosedLoop AI" ("ClosedLoop AI," "we," "us," or "our"), is a B2B SaaS product intelligence platform. We help businesses analyze customer conversations and feedback from their existing tools to surface actionable product insights using artificial intelligence. This Privacy Policy describes how we collect, use, share, and protect personal information when you visit our marketing website at **closedloop.sh**, use our platform at **app.closedloop.sh**, or engage with any related services, APIs, or integrations (collectively, the "Services"). This policy applies to: - Visitors to our website (closedloop.sh) - Customers and users of our platform (app.closedloop.sh) - Individuals whose data is processed through our platform as part of our customers' use of the Services - Anyone who contacts us or interacts with us in connection with our Services By accessing or using our Services, you acknowledge that you have read and understand this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein. If you do not agree, please discontinue use of our Services. If you are a customer subject to a Data Processing Agreement (DPA) with us, the terms of that DPA supplement and, where applicable, take precedence over this Privacy Policy with respect to the processing of personal data we handle on your behalf. See our [Data Processing Agreement](https://closedloop.sh/dpa)for details. ## 2. Information We Collect We collect personal information in several ways depending on how you interact with our Services. The categories of information we collect are described below. ### Information You Provide Directly When you create an account, subscribe to our Services, or otherwise interact with us, you may provide: - **Account information:**Your name, work email address, company name, job title, and account credentials - **Billing information:**Payment details are collected and processed by our payment processor, Stripe. We do not store full credit card numbers on our systems - **Support communications:**Messages, emails, or other communications you send to our support team - **Feedback and survey responses:**Any information you voluntarily provide through product feedback forms, NPS surveys, or user research sessions ### Information from Integrations A core function of our platform is connecting to your existing business tools to analyze customer conversations and feedback. When you authorize integrations with third-party services such as Gong, Slack, HubSpot, Jotform, and others, we may collect and process: - Conversation transcripts and recordings metadata from sales and customer success calls (e.g., via Gong) - Channel messages and threads relevant to customer or product discussions (e.g., via Slack) - Contact records, deal notes, and customer interaction logs (e.g., via HubSpot) - Form submission data and customer-provided responses (e.g., via Jotform) - Any other customer communication or feedback data made available through integrations you authorize The data we access through integrations is governed by the permissions you grant during the authorization process and by the terms of those third-party services. You control which integrations are active and can revoke access at any time through your account settings. ### Automatically Collected Information When you visit our website or use our platform, we automatically collect certain technical information, including: - IP addresses and approximate geolocation - Browser type and version - Device type and operating system - Referral URLs and pages visited - Time and date of visits, time spent on pages - Click patterns and navigation behavior - Error logs and performance data This information is used to maintain service performance, diagnose technical issues, and improve our platform. ### Cookies and Tracking Technologies We use cookies and similar tracking technologies on our website and platform. These may include session cookies, preference cookies, and analytics cookies. For detailed information about the cookies we use and your choices, please refer to our Cookie Policy. You can manage cookie preferences through your browser settings or through our cookie consent tool. ## 3. How We Use Your Information We use the personal information we collect for the following purposes: - **Provide and maintain our Services:**Operating, maintaining, and improving the reliability and performance of our platform - **AI-powered insight generation:**Processing and analyzing communication data you provide through integrations to generate product insights, using Azure OpenAI. Your data is not used to train AI models - **Account management:**Creating and managing your account, verifying your identity, and managing your subscription - **Payment processing:**Processing subscription payments and managing billing through Stripe - **Transactional communications:**Sending account confirmations, receipts, security alerts, and other service-related notifications via Resend - **Customer support:**Responding to your questions, troubleshooting issues, and providing technical assistance - **Product improvement:**Analyzing usage patterns to understand how the platform is used and to develop new features and improvements - **Security and fraud prevention:**Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity; protecting the rights and safety of our users and third parties - **Legal compliance:**Meeting our obligations under applicable laws and regulations, responding to lawful requests from public authorities, and enforcing our agreements - **Service communications:**Informing you about material changes to our Services, new features, or important policy updates. Where required by law, we will obtain your consent before sending marketing communications, and you may opt out at any time We will not use your personal information for purposes that are incompatible with the purposes described in this policy without obtaining your consent or as otherwise permitted by law. ## 4. Legal Basis for Processing If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that applies similar legal requirements, we process your personal data on the following legal bases under Article 6 of the General Data Protection Regulation (GDPR) and equivalent laws: ### Contract Performance Much of our processing is necessary to perform our contract with you or to take steps at your request prior to entering into a contract. This includes creating and managing your account, providing the platform's core functionality, processing integration data to generate insights, and handling billing and payments. ### Consent Where we rely on your consent, we will ask for it clearly and separately. Examples include sending you marketing or promotional emails, placing non-essential cookies on your device, and certain data processing activities that go beyond what is necessary to deliver the Services. You may withdraw your consent at any time by contacting us at support@closedloop.sh or by using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. ### Legitimate Interests We may process your personal data where it is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and interests. Our legitimate interests include: - Improving and personalizing our Services based on how they are used - Ensuring the security and integrity of our platform - Preventing fraud and abuse - Understanding our customer base for business planning and analytics - Communicating about service changes that may affect you ### Legal Obligation We may process your personal data where it is necessary for compliance with a legal obligation to which we are subject, such as retaining financial records, responding to lawful requests from law enforcement authorities, or meeting our obligations under data protection law. You have the right to withdraw consent at any time where we rely on consent as the legal basis for processing. This will not affect the lawfulness of any processing carried out before your withdrawal. ## 5. Data Sharing and Disclosure We do not sell your personal information. We share personal information only in the circumstances described below. ### Service Providers (Subprocessors) We engage trusted third-party companies and individuals to perform services on our behalf, such as hosting, payment processing, email delivery, analytics, and customer relationship management. These service providers have access to personal information only as needed to perform their functions and are contractually obligated to protect it. A complete and up-to-date list of our subprocessors is available at [closedloop.sh/subprocessors](https://closedloop.sh/subprocessors). ### AI Processing Customer communication data is processed through Azure OpenAI to generate product insights. Microsoft Azure OpenAI is a subprocessor of ClosedLoop AI. Your data is processed in accordance with our [AI Terms of Service](https://closedloop.sh/ai-terms). Importantly, your data is not used to train, fine-tune, or improve any AI or machine learning models operated by Microsoft, OpenAI, or any other third party. ### Payment Processing Billing and payment information is shared with Stripe, Inc. for the purpose of processing subscription payments. Stripe's use of your information is governed by the [Stripe Privacy Policy](https://stripe.com/privacy). We do not store complete credit card numbers on our systems. ### Email Delivery We use Resend to deliver transactional emails such as account confirmations, receipts, and service notifications. Email addresses and message content necessary for delivery are shared with Resend for this purpose. ### Customer Relationship Management We use HubSpot for customer relationship management. Information about your account, subscription status, and support interactions may be stored in HubSpot to help us manage our customer relationships and provide better support. ### Legal Requirements We may disclose your personal information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of ClosedLoop AI, our users, or the public. ### Business Transfers If ClosedLoop AI is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website of any such change in ownership or control of your personal information, and any choices you may have regarding your information. ### With Your Consent We may share your personal information with third parties for purposes not described in this policy when we have your explicit consent to do so. We do not sell, rent, or lease your personal information to third parties for their own marketing purposes. ## 6. Data Retention We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to provide our Services, and to comply with our legal obligations. The specific retention periods we apply are as follows: ### Customer Communication Data - **Raw customer data**(conversation transcripts, integration data): Up to 12 months from collection, then automatically deleted unless a longer retention period is required by law or agreed in a DPA - **Processed insights and extracted signals:**Retained for the duration of your active subscription, subject to deletion requests ### Pattern Recognition and Analytics Data - **Raw signals:**Retained for up to 2 years - **Pattern history and aggregated trends:**Retained for up to 5 years in anonymized or pseudonymized form - **Strategic insights:**Retained for up to 3 years ### Account and Subscription Data - **Active account data:**Retained for the duration of your subscription - **Post-termination:**Account data is deleted within 30 days of subscription termination, unless we are required to retain it for legal or compliance purposes - **Billing records:**Retained for up to 7 years to meet financial and tax compliance requirements ### Audit Logs and Security Records Audit logs and security-related records are retained for 2 years to support security investigations, incident response, and compliance obligations. ### Marketing Data If you have opted in to marketing communications, we retain your contact information and preferences until you unsubscribe or request deletion. You may unsubscribe at any time via the link included in any marketing email. ### Requesting Deletion You may request deletion of your personal data at any time through your account settings or by contacting us at [support@closedloop.sh](mailto:support@closedloop.sh). We will fulfill deletion requests within 30 days, subject to any legal obligations that require us to retain certain records for a longer period. ## 7. International Data Transfers ClosedLoop AI is headquartered in the United States. Our platform infrastructure is hosted on Microsoft Azure in the United States. As a result, personal information that we collect may be transferred to, stored, and processed in the United States or other countries where our service providers operate. ### Transfers from the EEA and UK If you are located in the European Economic Area (EEA) or the United Kingdom, your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home country. When we transfer personal data from the EEA or UK to third countries, we rely on the following appropriate safeguards: - **Standard Contractual Clauses (SCCs):**We use the European Commission's approved Standard Contractual Clauses for transfers from the EEA to third countries - **UK International Data Transfer Agreement (UK IDTA):**For transfers from the United Kingdom, we use the UK International Data Transfer Agreement as approved by the UK Information Commissioner's Office Copies of these safeguards are available upon request by contacting [support@closedloop.sh](mailto:support@closedloop.sh). ### EU Data Residency For enterprise customers with data residency requirements, we offer EU data processing with infrastructure hosted in Microsoft Azure's European regions. If you require EU data residency, please contact [support@closedloop.sh](mailto:support@closedloop.sh)to discuss enterprise plan options. ### Subprocessor Transfers Our subprocessors are contractually required to maintain appropriate safeguards for any international transfers of personal data. For details, see our [Subprocessors page](https://closedloop.sh/subprocessors). ## 8. Data Security We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, disclosure, alteration, or destruction. Our security program includes the following controls: ### Encryption - **In transit:**All data transmitted between your browser or API client and our servers is encrypted using TLS 1.3 or higher - **At rest:**Data stored in our databases and object storage is encrypted at rest using industry-standard encryption algorithms ### Access Controls - Role-based access control (RBAC) limits employee access to personal data to those with a legitimate business need - Multi-factor authentication (MFA) is required for all internal systems and production environments - Access to production systems is reviewed periodically and revoked promptly upon role change or departure ### Infrastructure Security - Secret management via Azure Key Vault — credentials and API keys are never stored in source code or plain-text configuration files - Network security controls including firewalls, network segmentation, intrusion detection, and DDoS protection - Regular vulnerability scanning of our infrastructure and applications - Periodic third-party penetration testing ### Audit Logging Comprehensive audit logs are maintained for all access to and modification of personal data. These logs are retained for 2 years and are reviewed as part of our security monitoring program. ### Employee Training All employees with access to personal data receive training on data protection obligations and security best practices. Security awareness training is conducted regularly. ### Limitations No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law. ## 9. Your Rights Depending on your location and applicable law, you may have the following rights with respect to your personal information. We honor these rights regardless of your jurisdiction to the extent practicable. ### Right of Access You have the right to request a copy of the personal information we hold about you, along with information about how we use it, who we share it with, and how long we retain it. ### Right to Rectification You have the right to request correction of any inaccurate or incomplete personal information we hold about you. You can update much of your account information directly through your account settings at app.closedloop.sh. ### Right to Erasure You have the right to request deletion of your personal information (the "right to be forgotten") in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw consent and there is no other legal basis for processing. Some information may be retained where we have a legal obligation or legitimate interest to do so. ### Right to Restriction of Processing You have the right to request that we restrict the processing of your personal information in certain circumstances, for example while we verify the accuracy of data you have contested, or while we consider an objection you have raised. ### Right to Data Portability You have the right to receive a copy of personal information you have provided to us in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller where technically feasible. ### Right to Object You have the right to object at any time to processing of your personal information that is based on our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, or unless the processing is necessary for the establishment, exercise, or defense of legal claims. ### Right to Withdraw Consent Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. ### Right to Lodge a Complaint If you believe your privacy rights have been violated, you have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction. In the EEA, this is the supervisory authority in your country of residence or where the alleged infringement occurred. In the UK, this is the Information Commissioner's Office (ICO). ### How to Exercise Your Rights To exercise any of the rights described above, please contact our Data Protection Officer at [dpo@closedloop.sh](mailto:dpo@closedloop.sh). We will respond to all requests within 30 days. In some cases we may need to verify your identity before processing your request. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive. We will not discriminate against you in any way for exercising your privacy rights. ## 10. California Privacy Rights (CCPA/CPRA) If you are a California resident, you have additional privacy rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section describes those rights and how to exercise them. ### Categories of Personal Information Collected In the preceding 12 months, we have collected the following categories of personal information from California residents: - **Identifiers:**Name, email address, IP address, account credentials - **Commercial information:**Subscription details, billing records, transaction history - **Internet or other electronic network activity information:**Browsing activity on our website, platform usage logs, pages visited - **Professional or employment-related information:**Job title, company name, professional role - **Inferences:**Preferences or characteristics inferred from usage patterns for product improvement purposes ### Purposes for Collection We collect this information for the purposes described in Section 3 of this policy, including providing our Services, processing payments, ensuring security, improving our platform, and complying with legal obligations. ### Your California Rights - **Right to Know:**You have the right to request that we disclose the specific categories and pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it - **Right to Delete:**You have the right to request deletion of personal information we have collected from you, subject to certain exceptions - **Right to Correct:**You have the right to request correction of inaccurate personal information we maintain about you - **Right to Opt-Out of Sale or Sharing:**We do not sell your personal information to third parties, and we do not share it for cross-context behavioral advertising purposes. You do not need to take any action to opt out - **Right to Limit Use of Sensitive Personal Information:**To the extent we collect sensitive personal information as defined by the CPRA, we use it only for purposes permitted under the CPRA - **Right to Non-Discrimination:**We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you our Services, charge you a different price, or provide you with a different level of service because you exercised your rights ### How to Submit a Request California residents may submit requests to exercise the above rights by: - Emailing us at [support@closedloop.sh](mailto:support@closedloop.sh)with "California Privacy Request" in the subject line - Managing data preferences through your account settings at [app.closedloop.sh](https://app.closedloop.sh) We will respond to verifiable consumer requests within 45 days. We may extend the response period by an additional 45 days where necessary, in which case we will notify you of the extension. ## 11. Children's Privacy Our Services are designed for and directed exclusively to business professionals and are not intended for individuals under the age of 18. We do not knowingly collect, solicit, or maintain personal information from anyone under the age of 18. If we learn that we have inadvertently collected personal information from a child under 18 without appropriate parental or guardian consent, we will take prompt steps to delete that information from our systems. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [support@closedloop.sh](mailto:support@closedloop.sh). If you are under 18, please do not attempt to register for or use our Services or provide any personal information to us. ## 12. Third-Party Links Our website and platform may contain links to third-party websites, services, or resources that are not operated by ClosedLoop AI. These links are provided for your convenience and information only. We have no control over the content, privacy practices, or security of those third-party sites, and we are not responsible for them. We encourage you to review the privacy policies of any third-party sites you visit. A link to a third-party website or service does not constitute our endorsement of that site, its content, or its privacy or security practices. When you connect third-party integrations to our platform — such as Gong, Slack, HubSpot, Jotform, or others — you do so subject to those services' own terms of service and privacy policies. We recommend reviewing the privacy documentation for any integration you enable. Your authorization of an integration grants ClosedLoop AI access only to the data scopes you approve during the OAuth or API key authorization flow. If you access our platform through a third-party marketplace or partner portal, the third party's own privacy policy governs any information they collect about you in connection with that access. ## 13. Changes to This Policy We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date at the top of this page. For material changes — those that significantly affect your rights or the way we use your personal information — we will provide additional notice. This may include: - Sending an email notification to the address associated with your account - Displaying a prominent notice on our website or within the platform - Requesting your consent where required by applicable law Your continued use of our Services after we post an updated Privacy Policy constitutes your acceptance of the revised policy. If you do not agree with the changes, you should stop using our Services and may request deletion of your account and personal data by contacting us at [support@closedloop.sh](mailto:support@closedloop.sh). We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Previous versions of this policy are available upon request. ## 14. Contact Us If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us. We are committed to resolving privacy inquiries promptly and transparently. ### Data Protection Officer ClosedLoop AI has designated a Data Protection Officer (DPO) responsible for overseeing compliance with applicable data protection laws and serving as the point of contact for data subjects and regulatory authorities. **Data Protection Officer:**Jiri Kobelka, CEO **DPO Email:**[dpo@closedloop.sh](mailto:dpo@closedloop.sh) ### Privacy Inquiries For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern: **Email:**[dpo@closedloop.sh](mailto:dpo@closedloop.sh) ### General Support For product questions, technical support, or account-related issues: **Email:**[support@closedloop.sh](mailto:support@closedloop.sh) ### Company Information **ClosedLoop Labs LLC** Doing business as ClosedLoop AI ### Account Self-Service Many data management actions — including updating your information, managing integrations, and requesting data exports — can be performed directly through your account settings at [app.closedloop.sh](https://app.closedloop.sh). We will respond to all privacy-related inquiries within 30 days of receipt. Questions about your privacy? [dpo@closedloop.sh](mailto:dpo@closedloop.sh)[Previous Terms](https://closedloop.sh/terms)[Next Cookies](https://closedloop.sh/cookies) --- ## More Information - Website: https://closedloop.sh - Documentation: https://docs.closedloop.sh - Pricing: https://closedloop.sh/pricing - Contact: https://closedloop.sh/contact