DoLoop

Privacy Policy

Last updated: [DATE]

1. Introduction

DoLoop GmbH ("DoLoop," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform and services (the "Service").

We process personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the German Federal Data Protection Act, and other applicable data protection laws.

Please read this Privacy Policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for processing your personal data is:

DoLoop GmbH

Address: [FULL ADDRESS]

Email: info@doloop.cc

Phone: [PHONE NUMBER]

Commercial Register: [REGISTER AND NUMBER]

Managing Director(s): [NAME(S)]

3. Data Protection Officer

Based on our current processing activities, we are not legally required to appoint a Data Protection Officer. For any questions regarding data protection, please contact us using the details in Section 2.

4. Personal Data We Collect

We collect and process the following categories of personal data:

4.1 Account Information

Data you provide when creating and managing your account:

  • Full name
  • Email address
  • Password (stored in encrypted form)
  • Company/business name (if applicable)
  • Billing address
  • Phone number (optional)

4.2 Payment Information

Data required to process your subscription payments:

  • Payment method details (credit card, direct debit, etc.)
  • Billing address
  • VAT identification number (if applicable)

Note: Payment processing is handled by our payment service provider. We do not store complete credit card numbers on our systems.

4.3 Service Usage Data

Data generated through your use of the Service:

  • Business strategies, hypotheses, and experiment data you create
  • Action items, sprint results, and progress tracking data
  • Notes, comments, and other content you enter
  • Feature usage and interaction patterns
  • Session duration and frequency of use

4.4 Technical Data

Data collected automatically when you access the Service:

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Referring website
  • Pages visited and features used
  • Date and time of access
  • Error logs and performance data

4.5 Communication Data

Data from your communications with us:

  • Support requests and correspondence
  • Feedback and survey responses
  • Email communication preferences

4.6 Research Data

Data retrieved from publicly available sources as part of the Service's market and competitive research features, powered by a third-party web search provider:

  • Publicly available business information
  • Market data and trends
  • Competitor information from public sources

Note: Search queries sent to the web search provider are system-generated by DoLoop and contain no personal data or Customer Data. Only generalized search terms (such as market categories, industry terms, or competitor names) are transmitted.

5. How We Use Your Personal Data

We process your personal data for the following purposes and legal bases:

5.1 To Provide the Service

Purpose: Creating and managing your account, providing access to features, processing your strategies and experiments, delivering AI-powered guidance and recommendations.

Legal Basis: Performance of a contract (Article 6(1)(b) GDPR)

5.2 To Process Payments

Purpose: Processing subscription fees, managing billing, issuing invoices, handling refunds.

Legal Basis: Performance of a contract (Article 6(1)(b) GDPR)

5.3 To Communicate With You

Purpose: Sending service-related notifications, responding to support requests, providing updates about the Service.

Legal Basis: Performance of a contract (Article 6(1)(b) GDPR) and legitimate interests (Article 6(1)(f) GDPR)

5.4 To Improve the Service

Purpose: Analyzing usage patterns to improve functionality, fix bugs, develop new features, and enhance user experience.

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) – our interest in improving our Service

5.5 To Ensure Security

Purpose: Detecting and preventing fraud, unauthorized access, and other security threats; maintaining the integrity of the Service.

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) – our interest in protecting the Service and our users

5.6 To Comply With Legal Obligations

Purpose: Fulfilling tax, accounting, and other legal requirements; responding to lawful requests from authorities.

Legal Basis: Legal obligation (Article 6(1)(c) GDPR)

5.7 To Send Marketing Communications

Purpose: Sending newsletters, product updates, and promotional materials (only with your consent).

Legal Basis: Consent (Article 6(1)(a) GDPR)

6. What We Do NOT Do With Your Data

We are committed to responsible data practices. Specifically:

6.1 No AI Training

We do not use your personal data or content to train artificial intelligence or machine learning models. Any AI-powered features within the Service process your data solely to provide you with real-time insights and recommendations. Your data is not retained or used for model training purposes.

The Service uses third-party large language models (LLMs) from OpenAI, Anthropic, and Google to power AI features. These models may be accessed directly from the native providers or via cloud-hosted versions on AWS Bedrock, Google Cloud Vertex AI, and Microsoft Azure. Under their standard API terms of service, these providers do not use data submitted via their APIs to train their models. Your prompts are processed to generate responses and are subject only to limited retention for abuse monitoring and safety purposes (typically 30 days or less, depending on the provider).

The Service uses a third-party web search provider to retrieve publicly available content for market and competitive research features. All search queries are system-generated by DoLoop and contain no personal data or Customer Data. The web search provider may use these system-generated queries to improve its own services. This does not affect our commitment that your personal data and Customer Data are never used for AI or model training.

6.2 No Selling of Data

We do not sell your personal data to third parties. Under no circumstances do we exchange your data for monetary or other valuable consideration.

6.3 No Unauthorized Sharing

We do not share your personal data with third parties for their own marketing or commercial purposes. We only share data with service providers who process data on our behalf to deliver the Service (see Section 8).

7. Data Storage and Location

7.1 Data Location

The majority of personal data is processed and stored within the European Union. Our primary infrastructure is hosted in Frankfurt, Germany. See Section 7.2 for information about specific services that process data outside the EU.

7.2 Transfers Outside the EU

The majority of your personal data is processed and stored within the European Union. However, certain services require data transfer outside the EEA:

  • AI/LLM Processing: User prompts are processed by large language models from OpenAI, Anthropic, and Google, accessed via OpenRouter. These models may run on the providers' native infrastructure or on cloud platforms (AWS Bedrock, Google Cloud Vertex AI, Microsoft Azure) located globally. Under their standard API terms, these providers do not use your data to train their models.
  • Document Extraction (Datalab): Uploaded documents are processed globally. Documents are deleted immediately after processing, with response data deleted within 4 hours.
  • Document Conversion (CloudConvert): Office documents converted to PDF are processed by CloudConvert GmbH within the EU (Frankfurt, Germany). Files are deleted immediately upon completion of conversion.
  • Subscription Management (Polar): Payment and subscription data is processed in the United States.

For these transfers, we rely on the data processing agreements and privacy commitments incorporated into each provider's standard terms of service. We select providers who demonstrate commitment to data protection and who implement appropriate technical and organizational measures to protect personal data.

See our Sub-processor List for detailed information about each sub-processor and their data handling practices.

7.3 Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Payment and billing data is retained for 10 years as required by German tax law. All other data is securely deleted or anonymized when no longer needed for its original purpose, or upon your request (subject to legal retention requirements).

8. Data Sharing and Sub-processors

8.1 Categories of Recipients

We may share your personal data with the following categories of recipients:

  • Service Providers: Third-party companies that help us deliver the Service (hosting, payment processing, email delivery, observability, analytics)
  • Professional Advisors: Lawyers, accountants, and auditors where necessary
  • Authorities: Government bodies and regulators when required by law
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with appropriate safeguards)

8.2 Sub-processor Obligations

All sub-processors are bound by Data Processing Agreements that require them to:

  • Process personal data only on our documented instructions
  • Ensure confidentiality of personnel processing data
  • Implement appropriate technical and organizational security measures
  • Assist us in responding to data subject requests
  • Delete or return data upon termination of services
  • Submit to audits and inspections

8.3 Current Sub-processors

A complete and up-to-date list of sub-processors, including details about the data they process and their locations, is maintained in our Sub-processor List, which is incorporated herein by reference.

8.4 Sub-processor Updates

We may update our sub-processors from time to time. When we make material changes to our Sub-processor List, we will notify you without undue delay via email to the address associated with your account.

You do not have a right to reject individual sub-processor changes. However, if you reasonably determine that a material change adversely affects the protection of your data, you may exercise your right to extraordinary termination of your subscription as described in our Terms and Conditions.

9. Cookies and Tracking Technologies

9.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate the Service, support essential operational telemetry for security and reliability, and, with your consent where required, analyze product usage and improve your experience.

9.2 Types of Cookies We Use

Strictly Necessary Cookies

Required for the Service to function. These cannot be disabled.

  • Session management
  • Authentication
  • Security features
  • Load balancing
  • Operational telemetry for error diagnosis, service reliability, and performance monitoring

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR)

Functional Cookies

Enable enhanced functionality and personalization.

  • Language preferences
  • User interface settings
  • Remember login details

Legal Basis: Consent (Article 6(1)(a) GDPR)

Analytics Cookies

Help us understand how users interact with the Service.

  • Page views and navigation paths
  • Feature usage statistics
  • Product analytics
  • Session recordings where enabled

Legal Basis: Consent (Article 6(1)(a) GDPR)

Marketing Cookies

Used to deliver relevant advertisements (if applicable).

Legal Basis: Consent (Article 6(1)(a) GDPR)

9.3 Cookie Management

When you first visit the Service, you will be presented with a cookie consent banner allowing you to:

  • Allow optional analytics
  • Use essential technologies only

Essential cookies and operational telemetry remain active because they are required to secure, maintain, and improve the Service. You can change your optional analytics preference at any time through the Service settings or your browser settings where applicable.

9.4 Do Not Track

We currently do not respond to "Do Not Track" browser signals, as there is no industry standard for compliance.

10. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

10.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with information about the processing.

10.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate personal data and completion of incomplete data.

10.3 Right to Erasure (Article 17 GDPR)

You have the right to request deletion of your personal data under certain circumstances, including when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

10.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request restriction of processing under certain circumstances, such as when you contest the accuracy of the data or have objected to processing.

10.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

10.6 Right to Object (Article 21 GDPR)

You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

You have an absolute right to object to processing for direct marketing purposes at any time.

10.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.8 Right to Lodge a Complaint (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority. In Germany, you may contact:

  • The supervisory authority of your state, or
  • The Federal Commissioner for Data Protection

A list of German supervisory authorities is available at: https://www.bfdi.bund.de

10.9 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: info@doloop.cc

We will respond to your request within one (1) month. This period may be extended by two (2) further months for complex requests, in which case we will inform you of the extension.

We may request additional information to verify your identity before processing your request.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

11.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication mechanisms
  • Regular security updates and patch management
  • Regular backups with secure storage
  • Access logging and monitoring

11.2 Organizational Measures

  • Role-based access controls (principle of least privilege)
  • Employee confidentiality agreements
  • Incident response procedures
  • Periodic security reviews

11.3 Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay (where required)
  • Document all breaches and remediation measures

12. Automated Decision-Making

12.1 AI-Powered Features

The Service includes AI-powered features that provide recommendations, insights, and guidance. These features analyze your input data to generate suggestions but do not make legally binding or similarly significant decisions about you.

12.2 No Solely Automated Decisions

We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you without human involvement.

12.3 Your Rights

If you believe an automated decision has significantly affected you, you have the right to:

  • Request human intervention
  • Express your point of view
  • Contest the decision

13. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately, and we will take steps to delete such data.

14. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you access.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes, we will:

  • Notify you by email at least thirty (30) days before the changes take effect
  • Update the "Last updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

DoLoop GmbH

Address: [FULL ADDRESS]

Email: info@doloop.cc

We aim to respond to all inquiries within a reasonable timeframe and no later than one (1) month.

17. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The lead supervisory authority for DoLoop GmbH is:

Berliner Beauftrage für Datenschutz und Informationssicherheit Alt-Moabit 59-61 10555 Berlin

https://www.datenschutz-berlin.de/

This Privacy Policy is effective as of [EFFECTIVE DATE].

Privacy Policy