Loop keeps your information confidential
Types of information and data we collect, store and use
We collect, store and use the following types of information and data:
1. Personally identifiable information (PII);
2. Non-personal information (NPI);
3. Your private email data (email data including metadata and email content)
4. Your shared communications (instant messages and team communications)
Personally identifiable information
Personally identifiable information (PII) is information that can be used to identify an individual person and includes information such as IP addresses, Account details, emails addresses, names, contact lists and all similar information retrieved by any other email client when accessing public email exchange information. We collect, store, and use PII for the sole purpose of being able to deliver our Services to you. Accounts are added to Loop through OAuth 2.0 protocol where possible. OAuth 2.0 is an open standard authorization protocol that allows third parties to access user data without needing to know or store user passwords. Also, OAuth 2.0 authentication allows users to revoke app access at any moment in app settings. If a user revokes Loop app access, our Services do not have access to any of the user data anymore. Where OAuth 2.0 is not supported, we need to get your account username and password secure in our Services. To ensure the greatest possible levels of security, user passwords are never stored in our databases. For secure storage of user credentials, we use a certified secure storage service called MS Azure Key Vault, with special purpose Hardware Security Modules (HSMs) accessed using a 2048 bit digital certificate. We then use the authorization provided to download your emails to our cloud servers and push to your device. We use Amazon Web Services (AWS) infrastructure to store your data. Apart from AWS security policies, we take a number of measures to ensure that your data is never read by anyone else. We ensure that all transmission is secured with HTTPS so that no one else can access your data. For this, we use a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM) with industry standard 256 bit encryption using TLS/SSL (HTTPS).
Non-personal information (NPI) is information which cannot be used to identify an individual person, such as technical information about your device, location, time zone, activity usage, performance metrics, configuration settings, anonymous behavioral information and other aggregated information.
Additionally, whenever you interact with our Services, we automatically receive and record ‘cookie’ information from your browser or device. ‘Cookies’ are identifiers we transfer to your browser or device that allow us to recognize your browser or device and tell us how and when pages and features in our Services are visited and by how many people. You may be able to change the preferences on your browser or device to prevent or limit these, but this may prevent you from taking advantage of some of our features.
We use NPI to customize content for you and to provide the functionality of the Services, such as email follow-ups and categorization, based on your usage patterns. We also use NPI in order to improve your user experience when using our Services. We may use internal and third party processing and analytic systems to analyze user experience, behavior and trends with NPI.
Online survey data To improve the websites, online stores or apps of our clients, we use online surveys. We only collect information that you give us. We securely store that information and don’t share it with third parties. All answers are processed anonymously.
Cookies Our website needs cookies to function properly. A cookie is a small file that is sent by a web server and stored on the hard disk of your computer. A cookie holds anonymous information about your visit to a website, which helps us improve our website services.
We use the following cookies:
- Google Analytics: to see how well our website is performing. This information is not personalized. This means we don’t know how much time you spend on a specific page, for example. We don’t store information on your individual behavior on our website or any of your personal information.
- Google Analytics Remarketing: to show you offers of products that might interest you. Without this cookie, you miss out on personal recommendations on our website, in our newsletter and in our emails with personal tips.
- Facebook: to show you relevant ads on Facebook. Without this cookie, you miss out on customized offers.
- Instagram: to show you relevant ads on Instagram. Without this cookie, you miss out on customized offers.
Your private email data
Private emails (message headers, subject, body, attachments and other metadata) are stored by Loop’s cloud service and some of that content is stored locally on your device. They are used exclusively to provide you with our Services. Loop is an email provider and needs to process emails in order to provide a new email experience. We understand the responsibility of handling such data, that’s why we have the highest security measures implemented to protect your data. You can request the deletion of your data from Loop at any time by writing to our DPO at email@example.com. Email content stored locally on your device can be removed by deleting the Loop apps.
Exchanged instant messages and team communications are also stored by Loop’s cloud service and some of that content is stored locally on your device. They are used exclusively to provide you with our Services. Loop acts also as an instant messaging and team collaboration platform and needs to process messages and team communications in order to provide our Services. We understand the responsibility of handling such data, that’s why we have the highest security measures implemented to protect your data. Exchanged messages and team communications are considered shared communications which cannot be unilaterally deleted.
Third party services
Access to data
Except as described elsewhere in these Terms, no Loop employees, contractors, agents or other personnel (collectively ‘Loop personnel’) will access or use your data in a manner that would identify you as an individual. We have strict controls and processes in place which are designed to limit access to and use of your data by Loop personnel. We have technical controls and audit policies in place which are designed to ensure that any access to such data by Loop personnel is logged. All Loop personnel who may have or require access to your data as part of their services to Loop are bound to our policies regarding your data and we treat the privacy and security of your data with utmost respect. Loop personnel may need to access your data in connection with troubleshooting or responding to a problem, system maintenance or upgrades, or other activities in the ordinary course of operating our Services. In most cases, we will notify you and ask for your permission prior to giving Loop personnel permission to access your data. However, we may access and disclose certain data if we have a good-faith belief that such access, use, preservation or disclosure of your data is reasonably necessary to: meet any applicable law, regulation, legal process or enforceable governmental request; enforce these Terms, including investigation of potential violations; detect, prevent, or otherwise address fraud or security issues; and/or protect against harm the rights, property or safety of Loop, our users or the public as required or permitted by law.
How Loop secures your data
Data protection and our commitment
Loop considers the security, confidentiality and availability of your information to be of the upmost importance. It is policy that manifests itself through all aspects of the delivery of our Services, including the infrastructure our Services run on and all Loop personnel. Loop’s approach to information security management is based on adherence to best practice methodologies such as ISO 27001, regular third-party penetration testing and close monitoring of customer security requirements.
Loop is a web, mobile & desktop email client that works with other email providers (Gmail, Office 365 and Microsoft Exchange accounts). In order to send and receive user emails, our Services need to have access to user email accounts. To ensure safe and reliable operations of our Services, we rely on the most advanced and secure solution available in the industry – Amazon Web Services (AWS). Apart from AWS security policies, we encrypt all data between the client and our service. For client encryption and authentication, we user a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM) with industry standard 256 bit encryption using TLS/SSL (HTTPS).
When you log in with your email account through our Services, you are granting Loop permission to securely access the information contained in or associated with that account. The whole process is similar to connecting any other email client. In order for our Services to achieve this, we need to store user email account access tokens: For services that support it (i.e. Gmail), Loop uses OAuth 2.0, which is an open standard authorization protocol that allows us to access you email data without needing to know your password. This helps keep your information as secure as possible. We never know or store your passwords on our servers. With OAuth 2.0 authentication, our Services use application specific tokens that you can revoke at any moment in the app settings. If you revoke our access to your email account, our Services do not have access to any of your data anymore. When OAuth 2.0 authentication is not available (i.e. hosted Exchange), the access token is composed of your email username and password. To ensure the greatest possible levels of security, we never store user passwords in our databases. For secure storage of user credentials our Services use a certified secure storage service called MS Azure Key Vault with special purpose Hardware Security Modules (HSMs) accessed using a 2048 bit digital certificate.
To provide our services, Loop stores personal information, including user’s email address and contents of user’s emails that may include but is not limited to, attachments, documents, images and videos. We limit access to personal data to only those employees, contractors and service providers who we believe reasonably need access to that information for operating our Services. We also keep detailed access logs to uniquely identify individual accounts that has accessed our Services. We have physical, electronic, and procedural safeguards that are designed to comply with regulations to protect user personal data. We only allow access to our systems from a secure VPN address.
Physical access to your data
Our premises have an ID-approved access only and video monitoring implemented at all entrances. We keep a log of every entrance and exit to the premises of our company. Our premises are a part of a technology driven ecosystem that is under security surveillance 24/7.
Additional limits on use of your Google user data
- The App will only use access to read, write, modify or control Gmail message bodies (including attachments), metadata, headers, and settings to provide an email client that allows users to compose, send, read, and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
- The App will not use this Gmail data for serving advertisements.
- The App will not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for the App’s internal operations and even then only when the data have been aggregated and anonymized.
Vulnerability disclosure policy
At Loop Email, trust is our #1 value and we take the protection of our customers’ data very seriously.
The Loop Email security team acknowledges the valuable role that independent security researchers play in internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Loop Email is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us. Please review these terms before you test and/or report a vulnerability. Loop Email pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.
Testing for security vulnerabilities
Whenever a Trial or Developer Edition is available, please conduct all vulnerability testing against such instances. Always use test or demo accounts when testing our online services.
Reporting a potential security vulnerability:
- Privately share details of the suspected vulnerability with Loop Email by sending an email to firstname.lastname@example.org
- Provide full details of the suspected vulnerability so the Loop Email security team may validate and reproduce the issue
Loop Email does not permit the following types of security research:
- While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Loop Email or its users (e.g. Spam, Brute Force, Denial of Service…)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on Loop Email personnel, property or data centers
- Social engineering any Loop Email service desk, employee or contractor
- Conduct vulnerability testing of participating services using anything other than test accounts (e.g. Developer or Trial Edition instances)
- Violating any laws or breaching any agreements in order to discover vulnerabilities
The Loop Email security team commitment:
We ask that you do not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Loop Email security team and associated development organizations will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Provide an estimated time frame for addressing the vulnerability report
- Notify you when the vulnerability has been fixed
We are happy to thank every individual researcher who submits a vulnerability report helping us improve our overall security posture at Loop Email.
We are constantly trying to improve our Services, so this Policy may change occasionally too. We reserve the right to change the Policy at any time. When we do, we will update the date to make it clear that a new version has been created and we will bring the update to your attention in a timely manner by sending you an email or by some other means within the app. If you don’t agree with the new Policy, that unfortunately means that you will no longer be able to use our Services. Continued use of Services after a change to the Policy is effective means that you agree to any changes made to the Policy.
Public accounts are a mess to
Try Loop Email with your team.