LoopQuest

Privacy Policy

Last updated: 29 June 2026

This document is a good-faith starting template, not legal advice. Have it reviewed by qualified counsel for your jurisdiction before relying on it commercially.

1. Who we are & our role

LoopQuest is operated by Tom Phillips Labs, a trading name of Tom Phillips, a sole trader established in the United Kingdom ("we", "us", the "Operator"). This policy explains how we handle personal data, in line with the UK GDPR, the Data Protection Act 2018, and the EU GDPR where applicable. We are the data controller for the personal data described below, except where we act as a processor (see section 2). Contact: tom@tomphillips.uk.

2. Controller vs processor

We are the controller of the account, billing and usage data we collect to run the Service. For the task content you submit for review, you are the controller and we are your processor — we process that content only on your instructions to provide the Service. A data processing agreement is available on request.

3. Data we collect

Account & profile: email address, reviewer handle, display name, optional avatar, and authentication records.

Onboarding answers: the role, tools, review types, volume, goals and compliance context you tell us during onboarding, used to tailor the product and improve the Service.

Activity & oversight: reviews, verdicts, XP, badges, league and quest progress, reviewer trust scores, and audit records (including which tasks were decoys and whether they were caught).

Billing: your plan, subscription and customer identifiers, billing status and renewal dates. Card payments are handled by Stripe; we do not store full card numbers.

Task content: the payloads your systems send for review, which may contain personal or special-category data placed there by you, as controller.

Technical: a strictly necessary sign-in/session cookie, a workspace-selection cookie, a sound-preference stored locally in your browser, and basic logs needed to operate and secure the Service.

Communications: messages you send us and your email-preference choices.

4. How & why we use data

We use personal data to: provide, secure and improve the Service; manage accounts and workspaces; run the games, gamification and leaderboards; take payment and manage subscriptions; send service, invite and (where you opt in) product-update emails; and meet legal obligations.

Our legal bases under UK GDPR are: performance of a contract (providing the Service and billing), legitimate interests (securing and improving the Service, preventing abuse, recovering payment), consent where required (e.g. optional product-update emails, which you can withdraw at any time), and legal obligation (e.g. tax and accounting records).

5. Cookies & local storage

We use a strictly necessary cookie to keep you signed in and maintain your session, and a cookie to remember your selected workspace. We store your sound on/off preference locally in your browser. We do not use advertising or cross-site tracking cookies.

6. Payments

Subscription payments are processed by Stripe, which acts as an independent controller of your payment data under its own privacy policy. We receive and store only your customer and subscription identifiers, plan, and billing status — never your full card details.

7. Sub-processors & transfers

We rely on a small set of providers to run LoopQuest:

  • Supabase — database, authentication and file storage.
  • Vercel — application hosting and delivery.
  • Stripe — subscription billing and payments.
  • Resend — transactional, invite and product-update email.

We also send verdict and metadata to the callback URLs and integrations you configure; those transfers happen at your instruction and to destinations you control. Where data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (or the Addendum to the EU Standard Contractual Clauses).

8. Retention

We keep account, profile and activity data while your account is active and as needed for the purposes above. Task content is retained according to your workspace's configured retention period and is deleted or returned on request. Billing and tax records are kept for as long as the law requires (generally at least six years in the UK). On account closure we delete or anonymise personal data except where retention is legally required.

9. Security

We use row-level security, encrypted transport (TLS), hashed API keys, signed webhooks and least-privilege access. No system is perfectly secure, but we work to protect your data and to notify you and any relevant authority of material incidents as required by law.

10. Your rights

Subject to law, you may request access, rectification, erasure, restriction or portability of your personal data, object to certain processing, and withdraw consent at any time. To exercise these rights, contact us at tom@tomphillips.uk. Where we process task content as a processor, please direct such requests to the relevant controller (your workspace owner), and we will assist them as required.

11. Children

LoopQuest is not directed to children and is intended for users aged 18 and over.

12. Changes

We may update this policy; material changes will be notified through the Service or by email.

13. Contact & complaints

Privacy questions or requests: Tom Phillips Labs, tom@tomphillips.uk. If you are in the UK and unhappy with our response, you may complain to the Information Commissioner's Office (ico.org.uk).