Legal · Last updated May 26, 2026
Privacy Policy
What data we collect, why, and how to make us delete it. Honest and plain. Questions: nikhil@getflow.dev.
1. What we collect
- Account data:the email address you sign in with. That’s it for identity — no password (magic links), no name, no phone.
- Profile data: when you fill out onboarding, we store your primary skill, target audience, and weekly hours available. This shapes how agents tailor their output to you.
- Validation data: the ideas you submit, the research / landing copy / ad drafts / verdicts our agents produce, the activity log of pipeline events, and (if you connect them) your Google Ads campaign IDs and aggregate metrics.
- Payment data: Stripe handles your card. We store the Stripe checkout session ID, the tier you bought, and how many credits remain. Card details never touch our servers.
- Landing-page traffic:when someone visits a landing page you publish, we record the visit (referrer, UTM params, user-agent, a hashed IP). When they sign up via the form, we capture their email (per the published page’s purpose) to give you the lead.
- Operational logs: server logs (request timing, error stack traces) for debugging. These age out after 30 days.
2. Why we collect it
- To run the product you paid for.
- To send you transactional email (sign-in links, receipts, status changes).
- To debug crashes and improve reliability.
- To compute anonymized aggregate metrics (e.g., overall validation throughput, average verdict distribution) that we may share publicly to demonstrate the product works.
3. Who we share it with
We share data only with the third parties strictly necessary to run the platform. We don’t sell data. We don’t share your specific ideas, validation outputs, or signup leads with anyone outside the platform.
- Supabase — hosts the database and handles authentication. Stores your email, profile, validations, and signup leads.
- Stripe— processes payments. Receives your email and card details (entered into Stripe’s own checkout). We never see the card.
- Linchpin — runs the agents. Receives your idea text + research output as agent input. Linchpin runs on infrastructure we operate, not a third-party SaaS.
- OpenRouter — Linchpin uses OpenRouter to route agent calls to Claude / GPT / other LLMs. Your idea text + intermediate agent reasoning passes through here.
- Resend — sends transactional email (magic-link sign-in, validation status updates, signup notifications). Receives your email address.
- Google Ads / Meta Ads— only if you connect them. We use your OAuth token to read campaign metrics for validations you ran. We don’t write or change anything on your ads accounts.
- Vercel — hosts the Loopvalid web app. Sees request metadata (IP, user-agent) for serving pages.
4. Retention
- Account + validation data: kept as long as your account is active.
- Server logs: 30 days, then deleted.
- Payment records: 7 years (US tax law).
- Backups: aged out within 90 days.
- If you delete your account, everything except payment records (which we’re required to keep) is removed within 30 days.
5. Your rights
You can ask us to:
- Show you all the data we have about you.
- Correct anything that’s wrong.
- Delete your account and associated data.
- Export your validation data in a portable format (JSON).
- Stop using your data for analytics aggregates.
Email nikhil@getflow.devand we’ll handle it within 30 days.
6. Cookies and tracking
We use one strictly-necessary cookie for the auth session (managed by Supabase). We don’t use third-party analytics, advertising cookies, or trackers on the Loopvalid app itself.
Note: landing pages you publish on Loopvalid record visit data so you can see your validation traffic. That tracking applies to visitors of your landing page, not to you as a Loopvalid customer.
7. Security
All traffic is over HTTPS. Database access is gated by Supabase’s row-level security (each user can only read their own data). Service-role credentials are stored as encrypted environment variables on Vercel. Payment data never touches our servers — Stripe handles it.
That said: no system is bulletproof. If there’s a breach that affects you, we’ll email you within 72 hours of learning about it.
8. Children
Loopvalid is for adults building software businesses. We don’t knowingly collect data from anyone under 16. If you think we have, email us and we’ll delete it.
9. International users
Loopvalid is operated from the United States. If you’re accessing it from elsewhere, you consent to your data being processed in the US. We comply with GDPR and CCPA rights requests via the contact email above.
10. Changes
We’ll update this page when our practices change. Material changes get an email at least 14 days before they take effect.
11. Contact
Privacy questions, data requests, or anything else — email nikhil@getflow.dev.