LoopIt is a Premiere Pro extension and companion desktop app that helps editors and journalists hand off video projects via the sender's own Google Drive. This policy describes what data we collect, why, and the choices you have over it.
1. Who we are
LoopIt is operated by the developer behind loopit.video. For any privacy question or request, email support@loopit.video.
2. What we collect
Account & licence data
- Your email address and name (used to issue and identify your licence key).
- A one-way hardware fingerprint hash of the machine you activate on (a SHA-256 of your volume serial, hostname, and Windows user SID — we never see the underlying values, only the hash). This enforces your per-licence machine limit.
- Last-seen timestamps from periodic activation heartbeats.
Project metadata (sender side)
- Project names, recipient email addresses, invite codes, and the Drive folder ID your project lives in. We do not store project video, audio, or transcript content — those stay in your Google Drive.
Diagnostic logs (if you choose to send them)
- The LoopIt apps record local diagnostic logs to help debug crashes. These stay on your machine until you click Send logs in the app, at which point a redacted bundle is uploaded to us. Sensitive values (OAuth tokens, full Drive file IDs, full email addresses) are hashed or truncated before they leave your device.
3. Google Drive access
When you connect Google Drive, LoopIt requests access to two scopes:
- drive.file — to create and write files in folders the LoopIt extension creates on your behalf.
- drive.readonly — to read project files in folders you've granted recipients access to (so the return-path poller can pick up edited XML the recipient uploads).
Your Google OAuth tokens are stored only on your local machine, in a path managed by the operating system's user-data directory. They never reach our servers. You can revoke LoopIt's access at any time from your Google Account at myaccount.google.com/permissions.
4. Why we collect it
- Licence enforcement. Email + hardware fingerprint + heartbeat let us issue and revoke licences and enforce per-licence machine limits.
- Project handoff. Invite codes and folder IDs let recipients open the right project in their LoopIt app.
- Support. If you choose to send a diagnostic log bundle, we use it to investigate the issue you reported.
5. Sub-processors
We use the third parties below to deliver LoopIt. Each one operates under its own published Data Processing Addendum (DPA), which includes Standard Contractual Clauses (SCCs) governing the transfer of personal data outside the EU/UK. The links go straight to each provider's current DPA — review them for the canonical terms.
Vercel — application hosting
Vercel hosts both the public LoopIt site at loopit.video and the LoopIt admin + licence server at dashboard.loopit.video. Every API request the LoopIt extension or LoopIt desktop app makes — activating a licence, minting a project code, sending an invite email, uploading a diagnostic-log bundle — passes through Vercel's infrastructure on its way to our database.
What their DPA covers: Vercel processes data only on our documented instructions, is SOC 2 Type 2 certified, and publishes its own sub-processor list in its Trust Center. SCCs for EU/UK→US transfer are included.
DPA: vercel.com/legal/dpa · Trust Center: vercel.com/security
Supabase — database and storage
Supabase is where every LoopIt record lives: licence rows, per-machine activation records, project codes, email-send metadata, claim/open links, and any diagnostic-log metadata. Both the LoopIt extension (when it activates a licence or sends an invite) and the LoopIt desktop app (when it resolves a code or returns logs) ultimately read from and write to Supabase.
What their DPA covers: data is hosted on AWS in a region we select at project creation, encrypted at rest and in transit, with row-level security available. Supabase is SOC 2 Type 2 certified. SCCs for EU/UK→US transfer are included.
DPA: supabase.com/legal/dpa · Security overview: supabase.com/security
Resend — transactional email delivery
Resend delivers every email LoopIt sends: licence-key claim links to LoopIt extension users, and project-invite emails to recipients who use the LoopIt desktop app. Sensitive payloads (your licence key, your project name) are never placed in the email body — Resend receives only the recipient address, the LoopIt sender address, a generic subject, and a short-lived opaque link back to loopit.video.
What their DPA covers: Resend processes data only as needed to deliver email, is SOC 2 Type 2 certified, and applies a defined retention window to email content. SCCs for EU/UK→US transfer are included. Resend has no public API for deleting sent emails, so erasure requests you make to LoopIt are forwarded to them by us within our 30-day response window.
DPA: resend.com/legal/dpa
Cloudflare — DNS and edge protection
Cloudflare provides DNS for loopit.video and edge protection for traffic flowing into our hosts. It does not store LoopIt application data; it sees request metadata only (IP address, request URL, response code) for the duration needed to route and protect the request.
What their DPA covers: Cloudflare is SOC 2 Type 2 and ISO 27001 / 27018 certified, with extensive published trust documentation. SCCs for EU/UK→US transfer are included.
DPA: cloudflare.com/cloudflare-customer-dpa · Trust hub: cloudflare.com/trust-hub
Google — Drive storage you control
Project media — your rushes, your audio, your transcripts, the edited XML the recipient returns — never reaches LoopIt's servers. It lives in your Google Drive (sender side) and is accessed by the recipient's LoopIt desktop app through the OAuth grant you authorise. Google's handling of that data is governed by your own Google Account terms, which you accepted directly with Google.
What Google's DPA covers: the Google Cloud / Workspace Data Processing Addendum governs commercial Drive usage; consumer Drive usage is governed by the Google Privacy Policy. Either route includes SCCs for EU/UK→US transfer. LoopIt only ever holds an OAuth grant against your account — we never see your Drive credentials.
DPA: cloud.google.com/terms/data-processing-addendum · Privacy: policies.google.com/privacy
6. Your rights
If you are in the EU, UK, or another jurisdiction with data protection laws (GDPR, UK GDPR, CCPA), you have the right to:
- access the data we hold about you,
- correct it if it's inaccurate,
- have it deleted, and
- export it in a portable format.
Email support@loopit.video with your request. We'll respond within 30 days.
7. Retention
Licence records are kept for the lifetime of your licence plus 12 months for audit. Diagnostic log bundles are kept for 90 days. Project-code records are kept for the project's lifetime plus 12 months. Hardware fingerprint hashes are deleted when you deactivate that machine from your licence.
We keep our own metadata record of every email LoopIt sends — sender, recipient, subject, timestamp, provider message ID. We do not duplicate the email body in our database; the body lives at our email provider Resend, governed by their retention policy. On request we will delete our metadata record and forward the deletion request to Resend. Resend has no public API for deleting sent emails, so this step is handled by us emailing them on your behalf within the 30-day response window described in section 6.
Sensitive content — your licence key, your project name, the Google Drive folder pointer — is never sent in the body of an email. Instead the email carries a short-lived opaque link to loopit.video that resolves the sensitive payload only when you click it. Licence-claim links are single-use and expire after 7 days; project-open links are valid for 30 days. The link table is automatically purged every 24 hours: redeemed links older than 30 days, and unredeemed links past their expiry, are removed.
Backups held by our infrastructure providers (Vercel, Supabase, Cloudflare, Resend) are purged on each provider's automatic schedule and are not directly accessible to us; deletion requests you make to LoopIt clear our operational systems immediately and are reflected in those backups as they roll over.
8. Children
LoopIt is a professional tool intended for video editors and journalists aged 18 and over. We do not knowingly collect data from children.
9. Changes
Material changes will be announced by email to active licence holders before they take effect. The “last updated” date at the top of this page reflects the current version.
10. Contact
Email support@loopit.video for anything privacy-related.