Privacy Policy

Last updated: April 8, 2026

1. Introduction

This Privacy Policy explains how Multiloop processes personal data when you use our service. Multiloop is currently operated by an individual based in Denmark. If the operating entity changes in the future, we will update this policy accordingly.

2. Data Controller

The controller for personal data processed through Multiloop is the individual operator of Multiloop. For privacy questions or requests, contact: privacy@multiloop.app. For general support, contact contact@multiloop.app.

3. Personal Data We Process

3.1 Account and Identity Data

  • Email address
  • Authentication and session data from our auth provider
  • Security settings metadata (for example 2FA and trusted-device settings)
  • Terms/privacy acceptance timestamps, accepted document versions, and related settings metadata
  • If you use Discord linking/login, Discord provider identity attributes

3.2 User Content

We process content you create or upload, including:

  • Campaign data, reusable reference content, character data, session notes, timelines, and related metadata
  • One-shot and collaboration content
  • Images and other uploaded media

Uploaded media may be subject to automated and manual review for abuse prevention, illegal-content detection, and enforcement of our Terms.

3.3 Usage, Security, and Diagnostics Data

We process operational and security data such as:

  • Request metadata used for abuse prevention and security controls
  • Device and browser metadata for security and diagnostics
  • Audit/security events for sensitive operations
  • Error and performance telemetry for reliability
  • Pseudonymous share analytics such as hashed viewer identifiers, referrer, and user-agent data for shared links

3.4 Waitlist and Communications Data

If you use the waitlist or receive service emails, we process:

  • Email address
  • Verification token and verification status
  • Consent timestamp and signup source metadata
  • Transactional email delivery metadata

3.5 AI Feature Data

If you use AI features (for example campaign/session analysis, AI chat, or prompt generation), we send the content needed for that specific request to the currently enabled AI provider to generate the requested output. Depending on the feature, this can include submitted notes and related campaign context. AI processing is triggered by your in-product action; it does not run automatically in the background.

3.6 Cookies and Similar Technologies

We use cookies and browser storage for authentication, security, and app functionality. Optional analytics and (future) marketing categories require your consent and default to off. You can change your choices at any time on the cookie preferences page. See our Cookie Policy for the full list of cookies and durations.

3.7 Consent Records

When you accept or change cookie preferences, we record an append-only audit row with the version of the cookie and privacy policies you accepted, the categories you chose, a coarse browser bucket (for example mobile-safari or desktop-chrome), and a timestamp. We do not store your IP address with this record. The record exists so we can demonstrate, if asked, that we honored your choice.

4. Legal Bases (GDPR)

Depending on the activity, we process personal data under one or more of:

  • Contract: to provide the service you request
  • Legitimate interests: security, abuse prevention, illegal-content review, and reliable operations
  • Consent: where required (for example specific communications)
  • Legal obligation: where required by law

5. How We Use Your Data

We use personal data to:

  • Create and manage accounts and sessions
  • Provide core app features and collaboration features
  • Protect the service through security, anti-abuse, and access controls
  • Detect, review, quarantine, remove, or restrict illegal or policy-violating uploads and shared content
  • Send transactional communications (for example verification and security emails)
  • Provide optional integrations and AI features when you choose to use them
  • Operate, troubleshoot, and improve service reliability
  • Comply with legal obligations and enforce our Terms

6. Processors and Service Providers

We use providers acting on our instructions, including:

  • Supabase: authentication, database, storage
  • Vercel: hosting, runtime execution, and Vercel Web Analytics in production
  • Cloudflare: edge security, proxying, caching controls, and traffic processing
  • Upstash: distributed rate limiting and abuse-prevention state
  • Resend: transactional email delivery
  • Better Stack: uptime monitoring, incident alert routing, and operational observability handling
  • Content moderation provider(s) (if enabled): uploaded-media review for abuse, safety, and legal compliance
  • Google AI services (only when you initiate AI features that use the currently enabled AI provider)
  • Discord (when Discord auth/linking is used)

We do not sell personal data. We do not share personal data with advertisers or unrelated third parties. Data sharing is limited to providers required to run service features you use.

7. International Transfers

Primary persistent application data is intended to be hosted in EU infrastructure. Because we serve a global audience, some processing may occur in additional regions (for example edge/runtime execution). Where required, we apply transfer safeguards, such as adequacy decisions and/or contractual safeguards.

8. Data Retention

  • Active accounts: while your account is active
  • Account deletion flow: deletion requests are scheduled with a 14-day grace period before permanent deletion processing
  • Security/audit/diagnostic data: retained as needed for security and reliability, then deleted or anonymized
  • Moderation and abuse-review records: retained as needed to investigate abuse, enforce Terms, and meet legal obligations
  • Backups: may persist for a limited provider-controlled period

9. Your Rights

Subject to applicable law (including GDPR), you may request:

  • Access to personal data
  • Correction of inaccurate data
  • Deletion (erasure)
  • Restriction of processing
  • Objection to certain processing
  • Data portability
  • Withdrawal of consent where processing relies on consent

You can export a machine-readable copy of core account data in-app. For additional rights requests, contact privacy@multiloop.app.

You may also lodge a complaint with your local supervisory authority.

10. Security

We implement technical and organizational measures appropriate to risk, including encrypted transport, authentication safeguards, access controls, monitoring, and review controls for uploaded media.

No system is perfectly secure, and we cannot guarantee absolute security.

11. Children

Multiloop is not intended for children under 16. If you believe a child has provided personal data, contact privacy@multiloop.app.

12. Changes to This Policy

We may update this Privacy Policy. We will update the effective date and provide notice for material changes where required by law.

13. Contact

For privacy requests or questions, contact privacy@multiloop.app. For general support, contact contact@multiloop.app.