Privacy Policy
Last updated: 2026-07-04
This is the plain-English version of what we do with your data and why. Short version: we only collect what we actually need to run the service, we do not sell your data to anyone, and analytics or advertising cookies stay off until you say yes in the banner.
1. Who is behind LooperTask
LooperTask is run by Ihor Dudnyk, a sole trader registered in Portugal (VAT PT314701346). Postal address: Rua Dr. José Laborinho Marques Silveira, n.º 34 – 2 ESQ, 2450-228 Nazaré, Portugal. Any question about your data goes to info@loopertask.com and I reply personally.
2. What we store, and why
- Your account — email, name, and a salted bcrypt hash of your password. Needed so you can sign back in. Sign in with Google also saves the Google account ID we receive from OAuth so we can match it next time.
- The stuff inside your workspace — projects, tasks, comments, and file attachments. This is literally the product; without it there is nothing to show you.
- Billing — plan code, workspace name, and invoices we generate from your payments. Card details go straight to Creem.io (our payment provider) and never touch our servers. We never see your full card number.
- Technical logs — IP address, browser user-agent, referrer, and timestamps. We keep these up to 30 days so we can debug crashes and spot abuse; after that they are wiped.
- Cookies — a session cookie so you stay logged in, a CSRF cookie to block form-forgery attacks, and a locale cookie so we remember your language. Everything else (analytics and ads) is opt-in via the banner. See §5 below.
3. On what legal basis
Because a lawyer will eventually ask, here is where each activity sits under GDPR Art. 6:
- Running the service you signed up to use — contract (Art. 6(1)(b)).
- Sending you an invoice and keeping VAT records — legal obligation (Art. 6(1)(c)).
- Keeping the site secure and stopping abuse — legitimate interest (Art. 6(1)(f)).
- Analytics and marketing cookies, product update emails — your consent (Art. 6(1)(a)), which you can withdraw whenever you like.
4. Who else touches your data
We use a small set of processors. Each one only sees the slice of data it needs to do its job, and each is under a data processing agreement.
| Processor | What they do for us | Where |
|---|---|---|
| Creem.io | Card payments and subscription billing. | EU (Netherlands) |
| Hetzner Cloud | Hosting, the database, and nightly backups. | EU (Germany / Finland) |
| Google LLC | Google Analytics 4, Google Ads, Google Tag Manager. See §5. | USA (SCCs) |
| Meta Platforms | Meta Pixel measures which Facebook / Instagram ads convert. See §5. | USA (SCCs) |
| Anthropic PBC | Claude API. Only sees the specific prompt when you invoke an AI agent that uses it. | USA (SCCs) |
5. Cookies and third-party pixels
Cookies fall into three buckets. Strictly necessary ones are set the moment you open the site because without them nothing works. Everything else waits until you say yes in the cookie banner. You can change your mind any time via the «Cookie settings» link in the footer.
Google Analytics 4
Aggregated numbers — how many people landed on which page, how long they stayed, which button they clicked. IP addresses are anonymised before Google sees them, and data older than 14 months is deleted. Global opt-out: Google Analytics Opt-out Browser Add-on.
Google Ads
When someone signs up after clicking one of our ads, we send a hashed version of the email to Google Ads so it can tell us which campaign brought the customer. The email stays hashed on Google's side too. Turn this off in your Google Ad Settings.
Google Tag Manager
GTM is the loader that fires GA4 and Google Ads. It does not set tracking cookies on its own. The tags GTM loads do, and every one of those tags sits behind the consent banner.
Meta Pixel
Same idea as Google Ads, but covers Facebook and Instagram campaigns instead. Opt out in your Facebook ad preferences.
6. How long we keep things
- Your account and workspace content — while your account exists, plus 30 days after deletion (in case you change your mind).
- Invoices and billing records — 10 years, because Portuguese tax law says so.
- Server logs — 30 days, rolling.
- Backups — 30 days, rolling.
7. What you can ask us to do
Under GDPR Chapter III you have the right to:
- See what we hold on you.
- Correct anything wrong.
- Have it deleted.
- Get a machine-readable copy of your workspace (Settings → Export gives you a ZIP with everything).
- Say no to processing based on legitimate interest.
- Withdraw consent from analytics or marketing whenever you like.
- Complain to the Portuguese data-protection authority (CNPD) whenever you think we are handling this wrong.
To exercise any of these, email info@loopertask.com. We reply within 30 days, usually much sooner.
8. Data leaving the EEA
A few of our processors are in the US. Whenever we ship personal data there, we rely on the Standard Contractual Clauses the European Commission approved (GDPR Art. 46(2)(c)). Should a processor change location or the rules shift, this page gets updated.
9. Changes to this policy
Meaningful changes (a new processor, a new retention window) get announced by email or an in-app banner at least 14 days before they kick in. Small copy edits (clarifications, typo fixes) happen quietly; you can spot them via the «Last updated» date at the top.
10. Contact
Questions, complaints, or requests about your data: info@loopertask.com.