Privacy Policy

We collect the following categories of information:

Personal Information

When you create an account, we collect your name, email address, phone number, business name, and billing address. If you are a team member added to an organization account, your name and email address are collected.

Business Data

To provide the Service, we store business-related data you enter, including customer contact information, estimates, contracts, invoices, booking records, service histories, follow-up sequences, marketing campaigns, and related business records.

Usage Data

We automatically collect information about how you interact with the Service, including pages viewed, features used, timestamps, browser type, operating system, IP address, and referring URLs.

Google Account Data

If you connect a Google account to the Service (for example, to sync bookings with Google Calendar), we receive data from Google APIs solely with your explicit consent. See Section 6 ("Google API Services and Limited Use") for the specific scopes requested, how we use that data, and how to revoke access. We do not sell, share for advertising, or use Google data to train machine-learning models.

Cookies and Tracking Technologies

We use cookies and similar technologies to maintain session state, remember your preferences, and analyze usage patterns. You can control cookie preferences through your browser settings; however, disabling cookies may limit certain features of the Service.

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Process subscriptions, billing, and payments through our payment processor (Stripe).
• Send transactional communications, including account confirmations, billing receipts, and service notifications.
• Provide customer support and respond to your inquiries.
• Analyze usage trends to improve the Service's features and performance.
• Detect, prevent, and address technical issues and security threats.
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information to third parties. We do not use information obtained from Google APIs to develop, improve, or train generalized or non-personalized AI or machine-learning models.

When you use the Service to manage your business, you may upload or create data relating to your end customers, including contact information, estimates, bookings, invoices, and communication history. In this context, you are the data controller and we act as a data processor.

We process this data solely on your behalf and in accordance with your instructions as provided through the Service. We do not use your end customers' data for our own marketing purposes. You are responsible for ensuring that you have obtained appropriate consent from your end customers for the collection and processing of their data.

The Service enables you to send SMS and email messages to your customers. All messaging through the Service is consent-based. You are responsible for obtaining proper consent from recipients before sending messages.

The Service provides built-in opt-out mechanisms. SMS recipients can reply STOP to unsubscribe, and email recipients can use the unsubscribe link included in each message. When a recipient opts out, the Service automatically suppresses future messages to that recipient.

We retain message delivery logs (including sender, recipient, status, and timestamp) for compliance and troubleshooting purposes. Message content may be retained for a limited period as needed to provide delivery status and support.

We integrate with and share data with the following third-party services as necessary to provide the Service:

• Stripe — Payment processing and subscription billing. Privacy Policy
• Twilio — SMS delivery and phone number provisioning. Privacy Policy
• Mailgun — Transactional and marketing email delivery. Privacy Policy
• Google — Google Calendar integration and "Sign in with Google" authentication. See Section 6 for detailed scope disclosure. Privacy Policy
• Meta (Facebook) — Optional Meta Pixel and Conversions API integration, used only when you provide your own Pixel ID and access token. Privacy Policy
• Intuit QuickBooks — Accounting and invoicing synchronization. Privacy Policy
• Supabase — Managed database, authentication, and serverless function hosting (our data processor). Privacy Policy

Each third-party service operates under its own privacy policy. We encourage you to review their policies. We only share the minimum data necessary to provide the relevant integration functionality.

ClosedLooops' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes requested and how they are used

When a user connects their Google account in Settings → Integrations → Google Calendar, ClosedLooops requests the minimum OAuth scopes necessary to provide the calendar-sync functionality:

• https://www.googleapis.com/auth/calendar.events — Write access to calendar events only (not to calendars themselves). Used to create, update, and delete the user's Google Calendar events when bookings are created, rescheduled, or cancelled in ClosedLooops so the user sees their ClosedLooops jobs alongside their other appointments in the Google Calendar app they already use.
• https://www.googleapis.com/auth/calendar.readonly — Read access to existing calendar events within a bounded time window. Used to detect scheduling conflicts before a customer booking is written to the user's calendar, so ClosedLooops does not double-book the user's time.
• https://www.googleapis.com/auth/userinfo.email — Read access to the connected Google account's email address only. Used to confirm which Google account was connected and display it in the Integrations settings screen ("Connected as [email]") so the user can verify and disconnect the correct account.

What we store

We store the minimum data needed to maintain the integration:

• The OAuth refresh token, encrypted at rest using AES-GCM, so the Service can continue to sync on the user's behalf between active sessions.
• The connected Google account's email address (for display and re-authentication disambiguation).
• Pointers between ClosedLooops bookings and Google Calendar event IDs, so the Service can update or delete the correct event when the corresponding ClosedLooops booking changes.

We do NOT store the content of other events on the user's calendar, attendee lists from events we did not create, or any data unrelated to scheduling conflict detection and booking synchronization.

Limited Use commitments

In accordance with the Google API Services User Data Policy's Limited Use requirements, ClosedLooops commits that:

• We use data received from Google APIs only to provide and improve user-facing features of the Service (specifically: calendar conflict detection and booking synchronization).
• We do not transfer data received from Google APIs to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use data received from Google APIs for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not use data received from Google APIs to develop, improve, or train generalized or non-personalized AI or machine-learning models. We do not use Google user data for any generative AI features.
• We do not allow humans to read data received from Google APIs except (i) with the user's explicit consent for specific messages, (ii) when necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) when the data has been aggregated and anonymized so it cannot be used to identify any individual user.

Revoking access

You can revoke ClosedLooops' access to your Google account at any time by either:

• Clicking "Disconnect" in the ClosedLooops Settings → Integrations → Google Calendar panel, which deletes our stored OAuth tokens.
• Visiting https://myaccount.google.com/permissions and removing ClosedLooops from the list of applications with access to your account.

When access is revoked, ClosedLooops will cease calling Google APIs on your behalf. We also respect token revocation responses from Google in real time: when Google reports that a token has been revoked, we purge our stored tokens immediately.

We retain your account data and business records for as long as your account is active or as needed to provide the Service. Upon account termination, you may request an export of your data within 30 days. After that period, we may delete your data from our active systems.

For Google-connected accounts specifically: when you disconnect a Google account from ClosedLooops or revoke access via Google's permissions page, we purge the associated OAuth refresh token and stop making Google API calls on your behalf. Historical booking records that reference Google event IDs are retained with your business data but no longer used to call Google.

We may retain certain data for longer periods as required by law, for legitimate business purposes (such as resolving disputes or enforcing our agreements), or for backup and disaster recovery.

Anonymized and aggregated data that cannot be used to identify you may be retained indefinitely for analytics and service improvement purposes.

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit using TLS 1.2+ / HTTPS.
• Encryption of sensitive secrets at rest using AES-GCM. This includes OAuth refresh tokens (Google, QuickBooks), SMS provider credentials (Twilio), email provider credentials (Mailgun), and Meta Conversions API access tokens.
• Secure infrastructure hosted on Supabase with row-level security policies that prevent cross-tenant data access at the database layer.
• Regular security reviews and access controls for internal systems.
• Multi-factor authentication (MFA) available for user accounts.

While we strive to protect your data, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 13, please contact us at [email protected].

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal information.
• Deletion: Request that we delete your personal information, subject to certain legal exceptions.
• Data Portability: Request a copy of your data in a structured, commonly used, and machine-readable format.
• Opt-Out: Opt out of receiving marketing communications from us at any time.
• Disconnect integrated accounts: Disconnect Google, QuickBooks, and other OAuth-connected accounts from Settings → Integrations at any time, which purges the corresponding stored tokens.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Do Not Sell My Personal Information: We do not sell personal information as defined by the CCPA.

To exercise your CCPA rights, contact us at [email protected]. We will verify your identity before processing your request.

The Service is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Service, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Privacy Policy.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. Material changes affecting how we use Google user data will be communicated to affected users in advance of taking effect. Your continued use of the Service after such changes constitutes your acceptance of the revised Privacy Policy.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

If you have any questions about this Privacy Policy or our data practices, please contact us at:

ClosedLooops LLC
Privacy inquiries: [email protected]
General inquiries: [email protected]
Website: closedlooops.com