Back to MultiloopBack
PrivacyTermsCookiesPreferences
Sign In
PrivacyTermsCookiesPreferences

Privacy Policy

Last updated: May 23, 2026

This policy explains what personal data Multiloop processes, why we process it, and which service providers may receive it when you use the product.

Plain English Summary

  • We use your data to provide the app, secure accounts, handle support, and operate the service.
  • We do not sell personal data, and we do not share it with advertisers.
  • Some providers are always part of running the service; others only receive data when a feature is enabled or you choose to use it.
  • Optional cookie-based analytics and marketing controls are available in the cookie preferences page.

1. Introduction

This Privacy Policy explains how Multiloop processes personal data when you use our service. Multiloop is currently operated by an individual based in Denmark. If the operating entity changes in the future, we will update this policy.

2. Data Controller

The controller for personal data processed through Multiloop is the individual operator of Multiloop. For privacy questions or rights requests, contact privacy@multiloop.app. For general support, contact contact@multiloop.app.

3. Personal Data We Process

3.1 Account and Identity Data

  • Email address and account identifiers
  • Authentication and session data from our auth provider
  • Security settings metadata, such as two-factor and trusted-device settings
  • Terms, privacy, and cookie preference timestamps, versions, and related audit metadata
  • Provider identity attributes from Discord, Google, or Apple if you choose those login or linking flows

3.2 User Content

We process content you create, import, upload, or share through the app, including:

  • Campaign data, reusable reference content, character data, session notes, timelines, and related metadata
  • One-shot and collaboration content
  • Images and other uploaded media

Uploaded media is validated and stored in Supabase Storage. When media moderation is enabled, the app registers uploads in an internal moderation queue for safety and abuse review. In the current audit/manual-review posture, pending media may remain available to the uploader and authorized authenticated users while share access is blocked. If enforce mode or an approved moderation provider is configured later, access rules may become stricter and the provider may receive a short-lived signed media URL and related metadata for review.

3.3 Usage, Security, and Diagnostics Data

We process operational and security data such as:

  • Request metadata used for abuse prevention, rate limiting, and security controls
  • Device and browser metadata used for security and diagnostics
  • Audit and security events for sensitive operations
  • Error, uptime, and performance telemetry for reliability
  • Pseudonymous share analytics, such as hashed viewer identifiers, referrer, and user-agent data for shared links

3.4 Waitlist and Communications Data

If you use the waitlist or receive service emails, we process:

  • Email address
  • Verification token and verification status
  • Consent timestamp and signup source metadata
  • Transactional email delivery and webhook metadata

3.5 Assistant, Analysis, and Generated-Output Data

If you use model-backed features, such as campaign or session analysis, assistant workflows, or generated output, we send only the content needed for that request to the configured model provider. Depending on the feature, this can include submitted notes and related campaign context. These features run when you initiate them; they are not background monitoring.

3.6 Cookies and Similar Technologies

We use cookies and browser storage for authentication, security, consent records, and app functionality. Optional first-party analytics cookies require analytics consent. Marketing pixels are not loaded today and require marketing consent if introduced later.

Vercel Web Analytics is active in production for service measurement and is described separately in our Cookie Policy. You can change optional cookie choices any time on the cookie preferences page.

3.7 Consent Records

When you accept or change cookie preferences, we record an append-only audit row with the version of the cookie and privacy policies, the categories you chose, a coarse browser bucket, and a timestamp. We do not store your IP address with this record.

4. Legal Bases

Depending on the activity, we process personal data under one or more of:

  • Contract: to provide the service you request
  • Legitimate interests: security, abuse prevention, illegal-content review, reliability, and service improvement
  • Consent: where required, including optional cookie categories and some communications
  • Legal obligation: where required by law

5. How We Use Your Data

We use personal data to:

  • Create and manage accounts and sessions
  • Provide campaign, collaboration, sharing, and content-management features
  • Protect the service through security, anti-abuse, and access controls
  • Detect, review, quarantine, remove, or restrict illegal or policy-violating uploads and shared content
  • Send transactional communications, such as verification, account, and security emails
  • Provide optional integrations and model-backed features when you choose to use them
  • Operate, troubleshoot, and improve reliability
  • Comply with legal obligations and enforce our Terms

6. Processors and Service Providers

We use service providers to run Multiloop. Some are part of the core service. Others only receive data when the related feature is configured or you choose to use it.

  • Supabase: authentication, database, storage, and related app infrastructure
  • Vercel: hosting, serverless/runtime execution, deployment logs, and Vercel Web Analytics in production
  • Cloudflare: edge security, traffic processing, caching controls, and Turnstile challenge processing on signup and waitlist forms
  • Resend: transactional email delivery and related provider event webhooks, such as delivery, bounce, complaint, open, or click events when available
  • Upstash/Redis: distributed rate limiting and abuse-prevention state when production Redis is configured; this may include IP addresses or IP-derived request identifiers, authenticated user IDs, route or tier identifiers, counters, and expiry metadata
  • Better Stack: uptime monitoring, incident alert routing, production log telemetry, and operational observability
  • Google: OAuth login when you choose Google sign-in, and model-backed features when configured and when you initiate a request that uses them
  • Apple: OAuth login when you choose Sign in with Apple
  • Discord: OAuth login, account linking, identity import, and Discord-related campaign data when you choose those flows
  • Content moderation provider: media/content safety review only if an approved provider is configured for that purpose

We do not sell personal data. We do not share personal data with advertisers or unrelated third parties. Data sharing is limited to providers needed to run the service and the features you use.

7. International Transfers

Primary persistent application data is intended to be hosted in EU infrastructure. Because Multiloop uses cloud, edge, email, analytics, model, and security providers, some processing may occur in other regions. Where required, we rely on safeguards such as adequacy decisions, data processing terms, and contractual transfer protections.

8. Data Retention

  • Active accounts: retained while your account is active and the data is needed to provide the service.
  • Account deletion flow: deletion requests are scheduled with a 14-day grace period before permanent deletion processing. Some provider backups or legal/security records may remain for a limited period.
  • Security, audit, activity, and diagnostic data: our normal operational target is up to 180 days unless a longer period is needed for security, abuse, support, legal obligations, or provider backup behavior.
  • Moderation and abuse-review records: retained as needed to investigate abuse, enforce Terms, and meet legal obligations.
  • Backups: may persist for a limited provider-controlled period.

We avoid promising automatic deletion before it is proven. Some retention controls are still being verified, so records may persist longer than the normal target where a manual waiver, legal need, provider backup, or safety investigation applies.

9. Your Rights

Subject to applicable law, including GDPR where it applies, you may request:

  • Access to personal data
  • Correction of inaccurate data
  • Deletion or erasure
  • Restriction of processing
  • Objection to certain processing
  • Data portability
  • Withdrawal of consent where processing relies on consent

You can export a machine-readable copy of core account data in-app. For additional rights requests, contact privacy@multiloop.app.

You may also lodge a complaint with your local supervisory authority.

10. Security

We use technical and organizational measures appropriate to risk, including encrypted transport, authentication safeguards, access controls, monitoring, rate limiting, and review controls for uploaded media.

No system is perfectly secure, and we cannot guarantee absolute security.

11. Children

Multiloop is not intended for children under 16. By creating an account or accepting the Terms, you confirm that you meet the eligibility requirements. If you believe a child has provided personal data, contact privacy@multiloop.app.

12. Changes to This Policy

We may update this Privacy Policy. We will update the effective date and provide notice for material changes where required by law or where the change affects your choices.

13. Contact

For privacy requests or questions, contact privacy@multiloop.app. For general support, contact contact@multiloop.app.

Privacy Policy·Terms of Service·Cookies·Cookie Preferences

© 2026 Multiloop. All rights reserved.

Questions? Contact us at contact@multiloop.app. Privacy requests: privacy@multiloop.app