GDPR Compliance
Loopion is built with data protection at its core. Here's how we comply with GDPR.
Our GDPR Commitments
The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. As a UK-based company processing data of EU/EEA residents, Loopion fully complies with both GDPR and the UK Data Protection Act 2018.
Data Processing Principles
We adhere to all six GDPR principles:
- Lawfulness, fairness, and transparency: We have a clear legal basis for all data processing and explain our practices openly
- Purpose limitation: Data is collected for specific purposes (meeting accountability) and is not processed in a manner incompatible with those purposes
- Data minimisation: We only collect data necessary for the service. Audio is deleted after processing
- Accuracy: We provide tools to correct inaccurate data, including AI-generated content
- Storage limitation: We retain data only as long as necessary, with clear retention periods
- Integrity and confidentiality: We implement robust security measures to protect all data
Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract performance |
| Meeting recording & transcription | Contract performance + Legitimate interest |
| Action extraction & tracking | Contract performance |
| Teams recap posting | Contract performance |
| Analytics & service improvement | Legitimate interest |
| Marketing communications | Consent |
| Security monitoring | Legitimate interest |
Your Rights Under GDPR
Right of Access
Request a copy of all personal data we hold about you
Right to Rectification
Correct any inaccurate or incomplete personal data
Right to Erasure
Request deletion of your personal data
Right to Restriction
Restrict how we process your data
Right to Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to processing based on legitimate interests
To exercise any right, email privacy@loopion.ai. We respond within 30 days.
Data Location
- Primary database: EU (eu-north-1, eu-west-1) via Supabase
- Application hosting: Vercel (edge network with EU presence)
- Compute: Microsoft Azure (UK South / West Europe)
International Transfers
Where data is transferred outside the EU/EEA (e.g., to US-based AI providers), we use Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by technical measures including encryption in transit and at rest.
Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all subprocessors. Enterprise customers can request a DPA at our DPA page.
Data Protection Officer
For GDPR enquiries, contact our data protection team at dpo@loopion.ai.
Supervisory Authority
Our lead supervisory authority is the UK Information Commissioner's Office (ICO). EU/EEA residents may also contact their local Data Protection Authority.