Privacy Policy

Last updated: January, 2026

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Where applicable, we also comply with the EU General Data Protection Regulation (GDPR), UK GDPR, and the EU Artificial Intelligence Act.

1. What we collect

1.1 From all users

  • Account details (such as name, email, org, role),
  • Authentication data,
  • Communications/support tickets,
  • Billing/contact information,
  • Usage data such as browser, IP, logs, cookies, keystroke data.

1.2 Telemetry from enterprise deployments

We collect telemetry necessary to run and improve Solutions, such as:

  • Performance/latency/error metrics,
  • Model inputs/outputs when configured to be logged, ideally in redacted form,
  • Usage events (feature interactions, API calls),
  • Environment metadata (version, region, system health).

Enterprises should avoid providing personal information unless necessary and allowed by applicable laws in the jurisdiction in which they operate.

Enterprises and AI Researchers & developers should:

  • Avoid collection of unnecessary personal data in telemetry,
  • Redact or hash identifiers where possible,
  • Document any telemetry streams containing personal information.

1.3 From Enterprises and AI researchers & developers (as applicable)

  • Solution artifacts and documentation,
  • Training/evaluation data sets, metadata you provide,
  • Optional debug logs you authorise.
  • Implementation proposals, ethics approvals, and reporting materials.
  • For Enterprises: confirmation that users are authorised on behalf of the organisation to represent, have access to and can enter into contractual relationships on its behalf (as applicable).
  • For AI researchers & developers: confirmation that the Ecosystem/Platform is being used in compliance with any applicable policies or requirements for any current roles or engagements from time to time.

2. Why we collect and how we use it

We use personal information to:

  • Provide accounts and platform functionality,
  • Support Enterprises and AI Researchers & developers
  • Secure the Platform, prevent fraud/abuse, and audit activity,
  • Process payments/contractual obligations,
  • Comply with applicable laws, and
  • Learn and optimise Solutions and Platform performance, mainly using telemetry and de-identified aggregates.

We aim to minimise identifiable data and use de-identification/aggregation wherever practicable.

We aim to reduce the risk of bias and unintended outcomes by minimising personal data, using de-identified or aggregated telemetry where practicable, and supporting monitoring and evaluation workflows configured by Enterprises.

3. Legal grounds

We process personal information under one or more of the following legal bases:

  • Consent, where required or obtained;
  • Performance of a contract, including to provide the Platform and related services;
  • Legitimate interests, including securing the Platform, preventing fraud and abuse, improving performance, and ensuring service reliability, balanced against your rights and interests;
  • Compliance with legal obligation

    • For the purposes of the GDPR:

  • LoopSoup acts as a data controller for account management, billing, security, and Platform operations.
  • LoopSoup acts as a data processor when processing personal information on behalf of Enterprise customers or AI researchers & developers, in accordance with their instructions and applicable agreements.

4. Sharing / disclosure

We may disclose personal information to:

  • Service providers (cloud hosting, observability, payments, support), who are bound by confidentiality and security obligations (as appropriate to their role) .
  • Enterprise Customers (e.g., telemetry dashboards, results, performance), as appropriate to their role and access.
  • AI Researchers & developers (only under approved protocols and data access controls).
  • Professional advisers and regulators where required.
  • Security, verification, and abuse-prevention providers (including bot-detection services such as Google reCAPTCHA).

We do not sell personal information.

5. Overseas disclosures

As Enterprise customers, and AI researchers & developers are based across the globe, we may store/process/disclose information in or outside Australia.

Before any cross-border disclosure, we take reasonable steps to ensure overseas recipients protect information consistently with the APPs, and we remain accountable where required.

Where personal information is transferred from the European Economic Area (EEA) or the United Kingdom to countries without an adequacy decision, we rely on appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission; and
  • Contractual, organisational, and technical measures designed to ensure an equivalent level of protection.

6. Human-in-loop and risk notice:

  • Enterprises decide deployment posture and ensure the solutions meet their legal and regulatory obligations,
  • Platform outputs are decision support unless they explicitly choose automation,
  • Certain uses (employment, credit, safety, biometric identification) require heightened safeguards and compliance with local law.

6A - AI Act transparency and high-risk use notice

Certain uses of the Platform and Solutions may qualify as high-risk AI systems under the EU Artificial Intelligence Act when deployed in regulated contexts, including but not limited to employment, credit, access to essential services, safety-critical environments, or biometric identification.

LoopSoup designs the Platform to support human oversight, auditability, and risk controls. However, Enterprises determine the intended purpose, deployment context, and legal classification of AI systems deployed using the Platform.

Unless explicitly configured and permitted by applicable law:

  • Platform outputs are provided as decision support, not fully automated decisions; and
  • Enterprises remain responsible for ensuring appropriate human review, lawful use, and regulatory compliance.

    • Enterprises deploying Solutions in high-risk contexts are responsible for:

  • Risk management, bias evaluation, and monitoring;
  • Required user or subject disclosures;
  • Logging, record-keeping, and post-deployment monitoring.

7. Security

We use reasonable safeguards including:

  • Encryption in transit/at rest,
  • Least-privilege access controls,
  • Logging and monitoring,
  • Secure development and testing,
  • Vendor risk review.
  • Logging and traceability mechanisms to support audit, security investigations, and regulatory compliance where required.

If an eligible data breach likely causes serious harm, we notify affected individuals and the OAIC as required under Australia's Notifiable Data Breaches scheme.

8. Data retention

We retain personal information only as long as needed for:

  • Ecosystem/ Platform operations,
  • Contractual or compliance duties,
  • Security and audit requirements.

We may retain de-identified or aggregated telemetry for longer in order to undertake integrity reviews, performance monitoring, and improvements. Retention periods are determined based on the nature of the information, legal and contractual requirements, security considerations, and legitimate operational needs.

9. Your rights

You may request access to and correction of your personal information.

Depending on your location, including if you are in the EEA or UK, you may also have the right to:

  • Request deletion or erasure;
  • Restrict or object to certain processing;
  • Request data portability;
  • Withdraw consent at any time (where processing is based on consent);
  • Lodge a complaint with a supervisory authority.

We will respond within the timeframes required by applicable law. Certain rights may be limited where we are required to retain information for legal, security, or contractual reasons.

10. Cookies & analytics

We use cookies and similar tools for login, preferences, security (including bot detection and abuse prevention), and analytics.

10A - Google reCAPTCHA

We use Google reCAPTCHA, a service provided by Google LLC, to protect the Platform from fraud, abuse, and automated access.

reCAPTCHA analyses interactions with the Platform to assess whether activity is generated by humans or automated systems. In this process, information such as IP address, device and browser characteristics, interaction signals, and page activity may be collected and transmitted to Google.

This processing is carried out for security and abuse-prevention purposes and is based on our legitimate interests under Article 6(1)(f) GDPR and consistent with the Privacy Act 1988 (Cth).

The use of Google reCAPTCHA is subject to Google's:

  • Privacy Policy: https://policies.google.com/privacy
  • Terms of Service: https://policies.google.com/terms

11. No children's use

The Platform is not intended for users under 16 years of age or the relevant age as applicable in their home jurisdictions. We do not knowingly collect their information without valid consent.

12. Updates

We may update this policy and will notify users of material changes.

13. Contact / complaints

Please reach out to us at:

Email: admin@loopsoup.ai

Address: Ground Floor, 10 Pulteney Street, Adelaide, SA, Australia 5000.