loopful
ENDE
Join Waitlist

Legal

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement (“DPA”) applies when Loopful processes personal data on behalf of customers (“Controller”) in connection with the Loopful Schema or Loopful Convert services, upon commencement of an active paid or beta subscription. It supplements the Terms of Service and forms part of the agreement between Loopful and the Controller. During the pre-launch and early access period, no customer data is processed; this DPA is published for transparency and will take effect upon service activation.

1. Definitions

  • “Controller” means the customer who determines the purposes and means of processing.
  • “Processor” means Loopful, which processes personal data on behalf of the Controller.
  • “Personal Data” has the meaning given in Article 4(1) GDPR.
  • “Processing” has the meaning given in Article 4(2) GDPR.

2. Subject Matter and Duration

Loopful processes personal data of the Controller’s website visitors for the purpose of delivering structured data injection (Schema) and conversion optimisation (Convert) services. Processing continues for the duration of the service agreement.

3. Nature and Purpose of Processing

Personal data may be processed for the following purposes:

  • Injecting schema.org markup into web pages served to visitors
  • Running A/B tests to compare conversion variants
  • Measuring performance metrics (page views, event completions)

Categories of data subjects: visitors to the Controller’s website.

Categories of personal data: IP addresses (pseudonymised), session identifiers, page URLs visited.

4. Obligations of Loopful as Processor

Loopful shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorised to process data have committed to confidentiality
  • Implement appropriate technical and organisational security measures (Art. 32 GDPR)
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the service
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR

5. Sub-processors

The Controller authorises Loopful to engage the following sub-processors. Loopful will inform the Controller of any intended changes and give the Controller the opportunity to object:

  • Vercel Inc.: infrastructure hosting (EU edge network)
  • Resend Inc.: transactional email (for service communications only)

Loopful ensures all sub-processors are bound by data protection obligations equivalent to this DPA.

6. Security

Loopful implements appropriate technical and organisational measures including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls limiting data access to authorised personnel
  • Regular security reviews
  • Incident response procedures

7. Data Subject Rights

Loopful will notify the Controller without undue delay upon receiving a data subject request relating to data processed under this DPA, and will provide reasonable assistance to the Controller in fulfilling such requests.

8. Data Breaches

Loopful will notify the Controller without undue delay and within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA.

9. International Transfers

Personal data is processed within the EU/EEA. Any transfers outside the EEA are made only under appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

10. Governing Law

This DPA is governed by Austrian law (Republic of Austria), consistent with the Terms of Service.

11. Contact

DPA enquiries: hi@loopful.ai