Last updated 2026-06-10
Here is how OnLoop handles your data. The short version: we collect what is needed to run the product, we do not sell it, we do not train AI models on your private saves, and you can ask us to delete it whenever you want.
The detail is below. Read it. If you do not agree, do not use OnLoop.
In short: We collect information you give us (like your email and name), and information that gets collected automatically when you use OnLoop (like your IP address and how you interact with the app).
We collect personal information that you voluntarily provide when you register, use OnLoop, contact us, or otherwise interact with the service. This may include:
Sensitive information. We do not collect or process sensitive information such as health data, biometrics, or political views.
Payment data. If you upgrade to a paid plan, payment information (card number, security code, billing details) is handled and stored entirely by Stripe. We never see or store your card data. Stripe's privacy notice: stripe.com/in/privacy.
Social login data. If you sign in with Google, we receive the basic profile information that Google shares — typically name, email address, and profile picture. We use that information only to create and manage your OnLoop account. See section 7 for more.
All personal information you provide must be true, complete, and accurate. Tell us when something changes.
Some information — your IP address, browser type, device characteristics, operating system, language, and details about how you use OnLoop — is collected automatically when you visit the site or use the app. This data does not directly identify you, but it helps us keep the service secure and figure out what to fix.
We collect this information through cookies and similar tracking technologies. The full breakdown is in our Cookie Policy.
Specifically, the information we collect includes:
Our use of information received from Google APIs adheres to Google's API Services User Data Policy, including the Limited Use requirements.
In short: We process your information to run OnLoop, communicate with you, keep things secure, and comply with the law. We only process it when we have a valid reason to.
We process your personal information for the following reasons:
In short: We only process your information when we have a valid legal reason — your consent, our contract with you, our legitimate business interests, or legal obligations.
If you are in the EU or UK, this section applies to you.
The GDPR and UK GDPR require us to explain the legal bases we rely on. We may rely on:
If you are in Canada, this section applies to you.
We may process your information if you have given us specific permission (express consent) to use it for a particular purpose, or where permission can be inferred (implied consent). You can withdraw your consent at any time.
In some exceptional cases, applicable law permits processing without your consent — for example: investigations and fraud prevention, business transactions, witness statements for insurance claims, identifying injured or deceased persons, preventing financial abuse, complying with subpoenas or court orders, journalistic purposes, or processing publicly available information specified by regulation.
In short: Yes. OnLoop uses AI to generate your brief, clarify content, and make the product smarter. Your data is processed by AI service providers under strict terms — and is not used to train their models.
OnLoop uses third-party AI service providers — including Anthropic — to power features like the Morning Brief, Clarify modes, and item classification. When you use these features, your input and the resulting output are processed by these providers.
Critically: the data sent to AI providers is processed solely to provide the OnLoop service to you. It is not used to train their models. This is enforced through our agreements with them.
All personal information processed using our AI features is handled in line with this Privacy Policy and our agreements with the AI providers. Standard security and privacy safeguards apply throughout.
If you want to opt out of AI processing:
In short: Yes. Our servers are mostly in the US. We use Standard Contractual Clauses to protect EU/UK transfers.
Our servers are located in the United States. Your information may be transferred to, stored by, and processed by us and our third-party service providers — see section 4 — including in the United States, India, Singapore, and other countries.
If you are in the EEA, UK, or Switzerland, those countries may not have data protection laws as comprehensive as your own. We have measures in place to protect your information in line with this Privacy Policy and applicable law.
We have implemented measures to protect your personal information, including using the European Commission's Standard Contractual Clauses for transfers between us and our third-party providers. These clauses require recipients to protect EEA and UK personal data in accordance with European data protection law. Our SCCs and similar safeguards with our service providers can be made available on request.
In short: If you are in India, the DPDP Act 2023 applies. You have rights to access, correct, and erase your data. We process it only with your consent and never sell it.
If you are located in India, the Digital Personal Data Protection Act 2023 (DPDP Act) governs the processing of your personal data. OnLoop acts as a Data Fiduciary under this law.
We process your personal data only on the basis of your consent, which you provide when you create an account and connect your WhatsApp number. You may withdraw consent at any time by deleting your account or emailing hello@onloop.so.
Your personal data may be transferred outside India to our hosting and AI processing providers (Supabase in Singapore, Anthropic in the US, Twilio in the US) solely to operate the Services. We ensure these providers maintain adequate data protection standards consistent with the DPDP Act.
We do not sell your personal data to any third party. We do not use your saved content or WhatsApp messages to train AI models.
To exercise any of your rights or raise a grievance, contact us at hello@onloop.so.
In short: As long as you have an OnLoop account. After that, we delete or anonymize it, except where law requires us to keep it longer.
We keep your personal information only as long as necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (for example, tax or accounting requirements). The active retention period is for as long as you have an OnLoop account with us.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it. If that is not possible — for example, because the information is in encrypted backup archives — we will securely store it and isolate it from further processing until deletion is possible.
In short: Strong technical and organizational measures, but no system is bulletproof.
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process — including row-level security on every database table, encrypted authentication tokens, HTTPS everywhere, rate limiting, and infrastructure hosted on SOC 2 Type 2 certified providers (Supabase, Vercel).
That said, no system over the internet is 100% secure. We cannot guarantee that hackers, cybercriminals, or other unauthorized parties will not be able to defeat our security and improperly access, steal, or modify your information. Although we will do our best, transmission of personal information to and from OnLoop is at your own risk.
In short: Depending on where you live, you may have rights to access, correct, or delete your personal information. You can review or terminate your account at any time.
In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right to:
If a decision producing legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a way to request human review. In certain circumstances you may also have the right to object to processing. Contact us via section 15 to exercise any of these rights.
We will consider and act upon any request in accordance with applicable data protection laws.
If you are in the EEA or UK and believe we are unlawfully processing your information, you also have the right to complain to your Member State data protection authority or the UK data protection authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
If we are relying on your consent to process your personal information, you have the right to withdraw it at any time. Contact us using the details in section 15. Withdrawing consent does not affect the lawfulness of processing before your withdrawal, or processing based on lawful grounds other than consent.
You can unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email we send, or by contacting us. We will still send you essential service messages — receipts, security alerts, important account updates — that are necessary for the administration of your account.
If you want to review or change the information in your account or terminate the account, you can:
When you ask us to delete your account, we will deactivate it and remove your information from our active databases. We may retain some information to prevent fraud, troubleshoot problems, assist investigations, enforce our terms, or comply with legal requirements.
Most browsers accept cookies by default. You can usually set your browser to refuse cookies or remove them. If you do, some features of OnLoop may not work properly. For details, see our Cookie Policy.
If you have questions about your privacy rights, email us at privacy@onloop.so.
Most browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature you can activate to signal your privacy preference. There is currently no uniform technology standard for recognizing and implementing DNT signals, so OnLoop does not respond to them at this time. If a standard is adopted that we are required to follow, we will update this notice.
California law specifically requires us to disclose how we respond to DNT signals. As above: because no industry or legal standard exists yet, we do not respond to them.
In short: If you live in California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia — you have rights to access, correct, delete, or get a copy of your personal information. You can also withdraw your consent.
The table below shows the categories of personal information we have collected in the past twelve months, with examples. For a full inventory, see section 1.
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, alias, postal address, phone, online identifier, IP address, email, account name | YES |
| B. California Customer Records | Name, contact information, education, employment, employment history, financial information | YES |
| C. Protected classifications | Gender, age, date of birth, race, ethnicity, national origin, marital status, demographics | NO |
| D. Commercial information | Transaction info, purchase history, financial details, payment information | NO |
| E. Biometric information | Fingerprints and voiceprints | NO |
| F. Internet activity | Browsing history, search history, online behavior, interactions with our and other websites | YES |
| G. Geolocation data | Device location | YES |
| H. Audio, electronic, sensory | Images, audio, video, or call recordings created in connection with our business | NO |
| I. Professional or employment | Business contact details, job title, work history, professional qualifications | NO |
| J. Education information | Student records and directory information | NO |
| K. Inferences | Profiles or summaries about preferences and characteristics | NO |
| L. Sensitive personal information | — | NO |
We may also collect other personal information outside these categories when you interact with us in person, online, or by phone — for example through customer support, surveys, or facilitation of the services.
We use and retain the collected information as needed to provide OnLoop, and for the duration described above (as long as you have an account):
Learn more about the sources of personal information we collect in section 1.
Learn more about how we use your personal information in section 2, and who we share it with in section 4.
Will your information be shared with anyone else?
We disclose your personal information to our service providers under written contracts. We may use your information for our own internal business purposes — such as research and product development. This is not "selling" your information.
We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve months.
The categories of third parties we have disclosed personal information to for business or commercial purposes can be found in section 4.
You have rights under certain US state data protection laws. These rights are not absolute, and in some cases we may decline a request as permitted by law. They include:
Depending on your state, you may also have:
To exercise these rights, you can submit a data subject access request, email us at privacy@onloop.so, or use the contact details below.
You can designate an authorized agent to make a request on your behalf. We may deny a request from an agent that does not provide proof they have been validly authorized to act on your behalf.
Upon receiving a request, we will verify your identity to make sure you are the person whose information we hold. We will only use information from your request to verify identity or authority. If we cannot verify identity from information already on file, we may ask for more.
If you submit through an authorized agent, we may need additional information to verify your identity, and the agent will need to provide written and signed permission from you.
Under certain US state data protection laws, if we decline a request you may appeal by emailing privacy@onloop.so. We will inform you in writing of any action taken or not taken in response to the appeal, with reasons. If your appeal is denied, you may submit a complaint to your state attorney general.
California Civil Code Section 1798.83 lets California residents request, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes, plus the names and addresses of those third parties for the previous calendar year. To make such a request, contact us using the details in section 15.
In short: Yes. We will update it when needed.
We may update this Privacy Policy from time to time. The updated version will be marked with a new "Last updated" date at the top. If we make material changes, we will notify you — either by posting a prominent notice or by sending you a direct notification. Worth checking back occasionally.
Questions or comments about this notice? Email our Data Protection Officer at privacy@onloop.so, call us at +91 78921 70581, or write to:
You have the right to request access to the personal information we collect, get details about how we have processed it, correct inaccuracies, or delete it. You can also withdraw your consent. These rights may be limited in some circumstances by applicable law.
To request access, an update, or deletion: submit a data subject access request.
If you use the OnLoop Chrome extension, the extension may process the current page URL, page title, selected text, and notes you choose to save.
The extension does not automatically transmit page content just because you visit a website or select text. The Highlight Bubble appears locally when you select text on supported HTTPS pages. Selected text is sent to OnLoop only when you explicitly click Save or Clarify.
The extension may store pending saves locally in Chrome storage if you are offline or if a save needs to be retried. These pending saves may include the URL, title, selected text, and note you chose to save. They are synced to your OnLoop account when the connection is restored.
The extension also uses a small detector script on OnLoop-owned pages to show the web app that the extension is installed. This detector only sets a local page attribute and does not transmit browsing data.
Authentication and session data are used only to connect the extension to your OnLoop account.
We do not sell extension data, use it for advertising, or use your private saved content to train AI models.
How do we handle social logins?
In short: When you sign in with Google, we get basic profile info from Google. We use it only to manage your OnLoop account.
OnLoop lets you register and sign in using your Google account. When you do, we receive certain profile information — typically your name, email address, and profile picture, plus whatever else you have made public on Google.
We use this information only for the purposes described in this Privacy Policy. We do not control how Google itself uses your information. Review their privacy notice to understand their practices and adjust your privacy settings on their side.