Skip to content
Loop.
  • Features
  • Who it's for
  • Privacy
  • Terms

On this page

  • 1. The Short Version
  • 2. Who We Are
  • 3. What Loop Collects and Why
  • 4. What Loop Does Not Collect or Do
  • 5. Where Your Data Is Stored
  • 6. Third-Party Services
  • 7. How Long We Keep Your Data
  • 8. Your Rights
  • 9. Regional Notices
  • 10. Children
  • 11. Cookies and Similar Technologies
  • 12. Notice at Collection (Consolidated)
  • 13. Security
  • 14. Changes to This Policy
  • 15. Contact Us
← Back to Loop Effective July 14, 2026

Privacy Policy for Loop

Effective Date: July 14, 2026

Data Controller: SDougherty Holdings, LLC
Contact: admin@sdoughertyholdings.com
Mailing Address: 100 E Broad St STE 1350, Columbus, OH 43215


1. The Short Version

Loop is a personal task manager for iOS. Here's the plain-English summary:

  • We collect the minimum data needed to run the app: your name and email (from Google or Apple Sign-In), your year of birth (for age verification), and the tasks, goals, journal entries, and preferences you create.
  • We do not integrate any third-party analytics, advertising, attribution, or crash-reporting SDK in the shipping binary as of the Effective Date above.
  • We do not sell or share your personal information.
  • Your data lives on your device and on our Supabase-hosted PostgreSQL backend in the United States.
  • You can view, edit, and delete your data — including your entire account — at any time from inside the app.

If anything below is unclear, email admin@sdoughertyholdings.com and we will explain in plain language.


2. Who We Are

Loop is published by SDougherty Holdings, LLC ("Loop," "we," "us," or "our"). We are the data controller for the personal data described in this policy.

  • App name: Loop (iOS)
  • Category: Productivity / Personal Task Management
  • Distribution: Apple App Store
  • Supported platforms: iOS 17 and later

Data Protection Officer. We are not required to appoint a Data Protection Officer under GDPR Art. 37, because our processing does not meet the mandatory thresholds. Direct all privacy inquiries to admin@sdoughertyholdings.com.

EU / UK representative. Loop is not established in the EU or UK. Under GDPR Art. 27(2) and UK GDPR Art. 27(2), we invoke the low-risk / occasional-processing exemption from the obligation to appoint an EU/UK representative, because our processing is occasional, does not include large-scale processing of special-category or criminal-conviction data, and is unlikely to result in a risk to the rights and freedoms of individuals. EU and UK users can contact us directly at admin@sdoughertyholdings.com regarding any privacy inquiry.


3. What Loop Collects and Why

3.1 Account Identity (required)

  • What: Your name and email address, provided through Google Sign-In or Sign in with Apple.
  • Why: To create your account, sign you in securely, greet you by name, and sync your data across your devices.
  • Legal basis (GDPR): Performance of a contract — Art. 6(1)(b).

3.2 Your Content (required to use the app)

  • What: Tasks, goals, daily and weekly journal entries, notification preferences, and theme preferences you create inside Loop.
  • Why: This is the core function of the app — a task manager cannot work without your tasks.
  • Legal basis (GDPR): Performance of a contract — Art. 6(1)(b).

3.3 Contacts (optional)

  • What: If you use Loop's Delegate feature and choose to pick a person from your iOS Contacts, Loop reads that contact's name and their email address or phone number.
  • Why: So Loop can pre-fill an email or SMS composer when you delegate a task to that person.
  • Where it goes: Loop itself does not upload, transmit, or store this contact data on our servers or to any third party. The selected contact's information is used only to pre-fill the standard iOS Mail or Messages composer on your device. Whether that message is actually sent — and to whom — is entirely under your control via the system composer sheet. Once sent, the message is handled by Apple's Mail/Messages apps and your carrier or mail provider, outside of Loop.
  • Legal basis (GDPR): Your explicit consent — Art. 6(1)(a). You can withdraw consent at any time by revoking Contacts access in iOS Settings.

3.4 Authentication Tokens

  • What: OAuth tokens issued by Google or Apple when you sign in.
  • Why: To keep you signed in without asking for your password every time.
  • Where: Stored in the iOS Keychain, which is encrypted by the operating system.
  • Legal basis (GDPR): Performance of a contract — Art. 6(1)(b). Storing an authentication token is necessary to keep you signed in and to provide the service you requested.

3.5 Age Verification (year of birth)

  • What: When you first launch Loop, we ask for your year of birth so we can confirm you meet the age of digital consent in your country. We store the year only — not your full date of birth.
  • Why: To prevent account creation by children under the applicable age (13 in the US and UK; 13, 14, 15, or 16 in EU member states depending on national law). See Section 10.
  • Legal basis (GDPR): Compliance with a legal obligation — Art. 6(1)(c) — and legitimate interest in ensuring lawful processing — Art. 6(1)(f).

3.6 App Store Privacy Nutrition Label

Below is how the data in this policy maps to Apple's App Store Privacy questionnaire. What we declare in App Store Connect matches this table.

Data Type (Apple category) Collected? Linked to You? Used for Tracking? Purpose
Contact Info → Name Yes Linked No App Functionality
Contact Info → Email Address Yes Linked No App Functionality, Account Management
User Content → Other User Content Yes Linked No App Functionality
Identifiers → User ID Yes Linked No App Functionality
Identifiers → Device ID Yes (only APNs push token, if you enable notifications) Linked No App Functionality (delivering reminders you configured)
Contacts Not Collected — — On-device only via iOS Contacts framework; no data transmitted off device.
Everything else (health, financial, location, browsing, search, purchases, diagnostics, advertising) Not Collected — — —

4. What Loop Does Not Collect or Do

  • No analytics, attribution, or crash-reporting SDKs. Loop does not integrate any third-party analytics, advertising, attribution, or crash-reporting SDK (for example, Firebase Analytics, Mixpanel, Amplitude, Sentry, TelemetryDeck, PostHog, RevenueCat) in the shipping binary as of the Effective Date above. If this changes, we will update this policy before the new version ships.
  • No advertising. We do not display ads and do not include any ad networks.
  • No cross-app tracking. Loop does not track you across other apps or websites. iOS will not show you an App Tracking Transparency prompt for Loop.
  • No data selling or sharing for profit. We do not sell or share your personal information, as those terms are defined by the CCPA/CPRA.

5. Where Your Data Is Stored

Your data lives in three places:

  1. On your iPhone or iPad, in a local database (SwiftData / SQLite) so the app works offline.
  2. On our Supabase-hosted PostgreSQL database, running on Supabase infrastructure in the United States, under a signed Data Processing Addendum. All data is encrypted in transit (HTTPS/TLS) and at rest.
  3. In the iOS Keychain on your device, for authentication tokens only.

If you live outside the United States (including the EU, UK, or elsewhere), your data will travel to and be stored on US servers when you use Loop. Where the law requires it, we use approved legal safeguards for that transfer — see Section 9.1.


6. Third-Party Services

Loop uses a small number of third-party services. Each is listed here with what it does.

Service Purpose Data shared Privacy policy
Supabase Hosts our PostgreSQL database. Supabase is our data processor — meaning they store data on our behalf under a signed Data Processing Addendum (DPA), which contractually binds them to protect your data on the same terms we do. All account and app content described in Section 3 supabase.com/privacy · DPA
Google Sign-In Authenticates users who choose to sign in with Google Your Google account email and name at the moment of sign-in policies.google.com/privacy
Sign in with Apple Authenticates users who choose to sign in with Apple; Apple's private email relay may be used at your option Your Apple ID email (or relay email) and name at the moment of sign-in apple.com/legal/privacy
Apple Push Notification Service (APNs) Delivers task reminders and notifications you have opted into Notification payloads routed through Apple; no personal content beyond what you scheduled apple.com/legal/privacy

The iOS Contacts framework is an on-device Apple API, not a data recipient. It is described in Section 3.3 for transparency; no contact data leaves your device via Loop.

We do not use any other analytics, advertising, tracking, or third-party SDKs.


7. How Long We Keep Your Data

Active accounts. We keep your account and content for as long as your account is active — this is your own data, and Loop needs it to function.

Retention by category:

  • Identifiers (name, email, user ID): for the life of your account; deleted immediately from live systems on account deletion.
  • User-generated content (tasks, goals, journal entries, preferences): for the life of your account; deleted immediately from live systems on account deletion.
  • Authentication tokens (OAuth): stored in the iOS Keychain until you sign out or uninstall the app; retained on our backend only as needed to validate active sessions.
  • Year of birth (age verification): for the life of your account; deleted with the account.

Deleted accounts. When you delete your account inside the app, Loop performs the following within seconds:

  1. All rows keyed to your user ID in every application table are deleted (every table that references your user ID drops your records automatically — nothing user-linked remains in our live databases).
  2. Your record in the Supabase auth.users table is deleted via an admin API call, which revokes any active refresh tokens.
  3. On the device, the local SwiftData store is dropped, the iOS Keychain entries for Loop are removed, and any queued local notifications are cancelled.

Backups. Supabase keeps encrypted backups of the database for approximately 30 days as part of standard disaster recovery. If you delete your account, your data will still exist inside those backups until they age out — typically within 30 days. We do not access those backups for any purpose other than disaster recovery, and we cannot expedite deletion from them. We disclose this because GDPR Art. 13 requires it.


8. Your Rights

You control your data in Loop. Depending on where you live, you may have additional rights described in Section 9.

8.1 Access (GDPR Art. 15)

You can view every task, goal, journal entry, and setting in the app at any time. You may also request a copy of your personal data, together with information about how we process it (purposes, categories, recipients, retention, transfers, and your rights), by emailing admin@sdoughertyholdings.com. We respond within one month, as required by GDPR Art. 12(3).

8.2 Correction (GDPR Art. 16)

You can edit any content at any time inside the app.

8.3 Deletion (GDPR Art. 17 — "Right to Erasure")

Open the app, go to Settings, and tap Delete Account. Your account and content are removed from our live database immediately (see Section 7 for the exact steps). Encrypted disaster-recovery backups will contain your data for approximately 30 days after deletion, after which they roll off automatically. During that window your data is not accessible or used for any purpose except potential disaster recovery.

8.4 Data Portability (GDPR Art. 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format. We don't have a data-export button in the app yet — we plan to add one in the next major update (version 1.2). Until then, email admin@sdoughertyholdings.com from the address on your account and we will send you a machine-readable copy of your data (as JSON or CSV) within one month, as required by GDPR Art. 12(3). For complex or numerous requests we may extend by up to two further months and will tell you within the first month if that applies.

8.5 Right to Withdraw Consent (GDPR Art. 7(3))

The only processing we perform on the basis of your consent is accessing your iOS Contacts for the Delegate feature (Section 3.3). You can withdraw this consent at any time from iOS Settings → Privacy & Security → Contacts → Loop — withdrawal is as easy as granting it, and does not affect the lawfulness of processing carried out before you withdrew.

8.6 Right to Object (GDPR Art. 21)

You may object to our processing of your personal data at any time by emailing admin@sdoughertyholdings.com. Because our processing is necessary to perform our contract with you (deliver the app), objection generally results in account closure; we will not continue processing your data against your wishes.

8.7 Right to Restriction (GDPR Art. 18)

You can ask us to restrict processing of your data in specified circumstances — for example, while we verify a correction request — by emailing admin@sdoughertyholdings.com.

8.8 Automated Decision-Making and Profiling (GDPR Art. 22)

Loop does not use automated decision-making or profiling within the meaning of GDPR Art. 22. No decisions producing legal or similarly significant effects are made about you by algorithm.

8.9 Right to Lodge a Complaint

If you believe we have mishandled your data, you may lodge a complaint with your local data protection authority:

  • EU/EEA residents: a directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
  • UK residents: the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
  • Swiss residents: the Federal Data Protection and Information Commissioner (FDPIC).

We would appreciate the chance to address your concern first — please write to admin@sdoughertyholdings.com.


9. Regional Notices

9.1 EU and UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (or its UK equivalent) applies.

  • Data controller: SDougherty Holdings, LLC (contact details above).
  • Legal bases are identified for each processing purpose in Section 3.
  • Your rights are described in Section 8. In plain-language shorthand:
  • See your data (Art. 15)
  • Fix mistakes (Art. 16)
  • Delete your account (Art. 17)
  • Limit how we use your data (Art. 18)
  • Take your data with you (Art. 20)
  • Object to how we use it (Art. 21)
  • Not be subject to solely automated decisions (Art. 22)
  • Transfers to the United States. Your personal data is transferred to the United States and processed there by our data processor, Supabase. This transfer is governed by the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) executed with Supabase, supplemented by a Transfer Impact Assessment and technical safeguards including TLS in transit and encryption at rest. A copy of these safeguards is available on request.
  • Right to complain: See Section 8.9.

9.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights and disclosures.

Categories of personal information we collect

We use the statutory categories from Cal. Civ. Code § 1798.140(v)(1)(A)–(K). We have collected the categories marked "Yes" in the preceding 12 months:

CCPA/CPRA Category Collected? Examples in Loop
A. Identifiers Yes Name, email address, unique user ID, OAuth token identifiers
B. Customer records (Cal. Civ. Code §1798.80(e)) Yes Name and email tied to your account
C. Protected classification characteristics No —
D. Commercial information No —
E. Biometric information No —
F. Internet or other electronic network activity No —
G. Geolocation data No —
H. Audio, electronic, visual, thermal, olfactory, or similar No —
I. Professional or employment-related No —
J. Non-public education information No —
K. Inferences drawn from any of the above No —

Categories of sources

  • Directly from you (tasks, goals, journal entries, preferences, year of birth).
  • From identity providers you choose to sign in with (Google or Apple), which provide your name and email at the moment of sign-in.
  • From your device, only if you use the Delegate feature and grant Contacts permission (this data stays on your device and is not transmitted to us).

Categories of third parties with whom we share personal information for business purposes

In the preceding 12 months, we have disclosed personal information to the following categories of third parties, each acting as a service provider or contractor under a written contract that restricts their use of the data to the purpose of providing services to us:

  • Cloud hosting and database providers (e.g., Supabase).
  • Identity / authentication providers (e.g., Google, Apple).
  • Push-notification providers (Apple Push Notification Service).

We have not sold or shared personal information (as those terms are defined by the CCPA/CPRA) with any third party in the preceding 12 months.

Business and commercial purposes for collection

We collect personal information for the following business purposes as defined by Cal. Civ. Code §1798.140(e): (i) providing, maintaining, and servicing the Loop app; (ii) authenticating you and securing your account; (iii) delivering the reminders and notifications you configure; (iv) responding to your requests and providing customer support; (v) detecting and preventing fraud, abuse, and security incidents; and (vi) complying with legal obligations. We do not collect personal information for any "commercial purpose" (as defined by §1798.140(f)) beyond providing the Loop app.

Retention

Retention periods by category are set out in Section 7.

Sensitive personal information

The only "sensitive personal information" (as defined by the CPRA) Loop collects is your account log-in credential (an OAuth token from Google or Apple, stored in the iOS Keychain), which we use solely to keep you signed in and to authenticate requests to our backend. We do not use or disclose this sensitive personal information for any purpose other than what is necessary to provide the service you requested, as permitted by 11 CCR §7027(m). We do not collect any other sensitive personal information (no Social Security number, driver's license, precise geolocation, race, religion, health data, contents of your mail/email/texts, or genetic/biometric data).

"Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information"

Loop does not sell your personal information and does not share it for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA. We never have, and we don't plan to. Because we do not sell or share, we are not required to provide a "Do Not Sell or Share My Personal Information" link. Because we do not use sensitive personal information for any purpose beyond what is necessary to provide the service you requested, we are not required to provide a "Limit the Use of My Sensitive Personal Information" link. If either of these practices ever changes, we will update this policy and provide the required opt-out mechanisms before doing so.

Right to know

You have the right to request that we disclose, for the 12-month period preceding your request (and, for data collected on or after January 1, 2022, for periods beyond 12 months unless doing so proves impossible or would involve disproportionate effort): (i) the categories and specific pieces of personal information we have collected about you, (ii) the categories of sources from which we collected it, (iii) the business or commercial purpose for collecting it, and (iv) the categories of third parties to whom we disclosed it. Sections 3, 5, 6, and 7 of this policy are our general disclosure — contact us for a personalized report.

Right to delete

See Section 8.3.

Right to correct

See Section 8.2.

Right to non-discrimination

We will not deny you service, charge you a different price, or provide a different level of quality because you exercised any of these rights.

California minors

In accordance with Cal. Civ. Code §1798.120(c), we do not sell or share the personal information of consumers we know to be under 16. Because we do not sell or share any personal information at all, this restriction applies universally.

Automated decision-making and profiling

Loop does not use your personal information to engage in automated decision-making that produces legal or similarly significant effects, and does not profile you.

Financial incentives

We do not offer any financial incentives, price differences, or service-level differences in exchange for the collection, sale, sharing, retention, or deletion of personal information.

California "Shine the Light" (Cal. Civ. Code §1798.83)

We do not share personal information with third parties for their own direct marketing purposes. California residents may still email admin@sdoughertyholdings.com to confirm this.

Global Privacy Control

Loop is a native iOS app and does not process browser-based opt-out signals such as Global Privacy Control. Because we do not sell or share personal information, there is nothing for GPC to opt out of.

How to submit a request

Because Loop operates exclusively online and has a direct relationship with you as an account holder, we designate email — admin@sdoughertyholdings.com — as our method for receiving privacy requests, as permitted by 11 CCR §7020(c). We plan to add an in-app submission path (Settings → Privacy Requests) in a future release.

Verification

For deletion or access requests, we verify your identity by (i) requiring the request to originate from an authenticated session in the app (once in-app submission is available), or (ii) matching the requesting email address to your account and sending a one-time confirmation link to that email that you must click to confirm. We may ask for additional information if we cannot verify your identity with the information provided, and we will not use verification data for any other purpose.

Authorized agents

You may designate an authorized agent to submit a request on your behalf. The agent must provide (i) written and signed permission from you authorizing them to act on your behalf, or a valid power of attorney under Cal. Prob. Code §§ 4000–4465, and (ii) proof of the agent's own identity. We may also require you to directly verify your own identity with us and to confirm you provided the agent with permission before we act on the request.

Response times

We will confirm receipt of your verifiable request within 10 business days and will respond substantively within 45 calendar days. If we need more time (up to an additional 45 calendar days), we will notify you of the reason and extension in writing within the initial 45-day period.

Notice at Collection

A short-form Notice at Collection listing the categories collected, the purposes, the retention period, and the "we do not sell or share" statement is displayed to California residents on the sign-in screen with a link to this Privacy Policy.

9.3 Other US States

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy laws generally have similar rights to those described above. Contact us using the details in Section 15 to exercise them.


10. Children

Loop is a general-audience productivity app intended for adults and teenagers who meet the age of digital consent in their country (13 in the US and UK; 13, 14, 15, or 16 in EU member states depending on national law). Although the App Store age rating for Loop is 4+ (reflecting the absence of any objectionable content), Loop is not designed for, marketed to, or directed at children under 13, and Loop is not eligible for or listed in the App Store Kids Category.

On first launch, Loop asks for your year of birth to confirm you meet the age of digital consent where you live. If you don't, we cannot create an account for you. We do not knowingly collect personal information from children under the applicable age. If you believe a child has provided us with personal information, please email admin@sdoughertyholdings.com and we will delete the account and its data promptly.


11. Cookies and Similar Technologies

Loop is a mobile-only iOS app. It does not use browser cookies, web pixels, or similar tracking technologies. We do not operate a companion website that collects personal information.


12. Notice at Collection (Consolidated)

For California residents and anyone else who wants a one-page snapshot, this section consolidates what we collect at or before the point of collection:

  • Categories collected: Identifiers (name, email, user ID, OAuth token identifiers); customer records (name and email); user-generated content (tasks, goals, journal entries, preferences); year of birth (age verification only); and, if you enable notifications, an APNs push-token identifier.
  • Purposes: Providing, servicing, and securing the Loop app; authenticating you; delivering reminders you configured; responding to your requests; complying with legal obligations.
  • Retention: See Section 7.
  • Sold or shared: No. We do not sell or share your personal information as those terms are defined by the CCPA/CPRA.

A short-form version of this notice is displayed inside the app on the sign-in screen with a link to this policy.


13. Security

We take reasonable steps to protect your data:

  • All network traffic between the app and our backend is encrypted with HTTPS (TLS).
  • Our Supabase database encrypts data at rest.
  • Authentication tokens are stored in the iOS Keychain, which is encrypted by iOS.
  • We do not store passwords — authentication is handled by Google and Apple.

No system is perfectly secure, but we do our best to reduce risk. In the event of a personal-data breach that affects your account, we will notify the relevant supervisory authority within 72 hours of becoming aware where required by GDPR Art. 33, and will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34), as well as under applicable US state breach-notification laws.


14. Changes to This Policy

We may update this Privacy Policy from time to time — for example, when we add a feature or change a data-processing practice. When we do:

  • We will update the Effective Date at the top of this document.
  • For material changes, we will notify you inside the app (for example, with a one-time notice on the next sign-in) before the new version takes effect.
  • The previous version will remain available on request via admin@sdoughertyholdings.com.

This Privacy Policy describes how we process your data; it is not a contract you can accept by continued use. Where a change involves processing that requires your consent (such as expanding how we use your Contacts data), we will ask for fresh consent — continued use of Loop will not by itself be treated as consent to new processing. For California residents, we will not use previously-collected personal information for materially different, unrelated, or incompatible purposes without first providing notice and, where required, obtaining your consent. If you do not agree with a revised policy, you can stop using Loop and delete your account under Section 8.3 before the revised policy takes effect.


15. Contact Us

SDougherty Holdings, LLC
Email: admin@sdoughertyholdings.com
Mailing address: 100 E Broad St STE 1350, Columbus, OH 43215

We respond to privacy rights requests within one month of receipt, as required by GDPR Art. 12(3). For complex or numerous requests we may extend by up to two additional months and will tell you within the first month if that applies. California-specific response timelines are set out in Section 9.2.


© SDougherty Holdings, LLC. All rights reserved.

Loop.

A personal task manager for iOS. Capture, clarify, route, review — and close every open loop.

About Features Who It's For Privacy Terms Support

© 2026 SDougherty Holdings, LLC. All rights reserved.

100 E Broad St STE 1350, Columbus, OH 43215