Privacy Policy
Last updated · 27 June 2026
This Privacy Policy explains how ClientLoop handles personal data when you visit clientloop.digital, use the application at app.clientloop.digital, or upload information into a workspace you were invited to. Because ClientLoop is used to collect and store documents that can be highly sensitive, we have tried to be specific about what we hold, why, and the protections we apply.
Quick summary. ClientLoop is a secure workspace that businesses use to collect documents, forms and information from their clients. For the files and form responses uploaded into a workspace, the business that owns the workspace is the data controller and ClientLoop acts as its data processor. For account, billing and our own marketing data, ClientLoop is the controller. We never sell personal data.
1. Who we are and how to contact us
ClientLoop (“ClientLoop”, “we”, “us”, “our”) provides a secure client-workspace platform. ClientLoop is operated by Pleesys Technology Limited, registered at [registered address].
For any privacy question, or to exercise your rights, contact us at:
- Email: privacy@clientloop.digital
- General contact: hello@clientloop.digital
- Post: [registered address]
If we have appointed a Data Protection Officer or UK/EU representative, their details will be published here.
2. Who this policy is for
ClientLoop serves two groups of people, and this policy covers both:
- Customers — the businesses and individuals who create an account, configure a workspace, and subscribe to a plan (e.g. accountants, agencies, consultants, solicitors, mortgage brokers, financial advisers, recruiters and similar service businesses), and their team members.
- Clients (recipients) — the individuals a Customer invites into a workspace to provide documents, complete forms, or exchange messages.
It also covers visitors to our marketing website.
3. Our role: controller vs processor
This distinction matters and determines who you should contact about your data.
- ClientLoop is the controller for: account and profile data, authentication, billing, support correspondence, security logs, website analytics, and our own marketing. This policy governs that data.
- ClientLoop is a processor for: everything a Customer or their Clients put inside a workspace — uploaded files and documents, form responses, messages, and related metadata (“Workspace Content”). Here the Customer is the controller, and we only process Workspace Content on the Customer’s documented instructions, under our Terms and our data-processing commitments.
If you are a Client and you want to access, correct or delete documents you submitted into a workspace, please contact the business that invited you — they control that data. We will support that business in responding to you.
4. Information we collect
4.1 Information you provide to us
- Account & profile data: name, email address, password (stored only as a salted hash — we never store it in plain text), company or practice name, job role, time zone, and preferences.
- Branding & workspace configuration: logo and brand assets you upload, colours, workspace name, sender names, and — on paid plans — any custom domain you connect.
- Billing data: your plan, subscription status, billing email and country, and limited card metadata (such as card brand and last four digits). Full card numbers are processed directly by our payment provider, Stripe, and are never stored on ClientLoop’s systems.
- Workspace Content: the documents, files (PDFs, images, spreadsheets, scans and similar), form responses, and messages that you or your Clients upload or send, together with metadata such as file names, file types, sizes, upload status, request titles, and timestamps.
- Support and communications: the contents of messages you send us and any information you choose to share when contacting support.
4.2 Information we collect automatically
- Usage and log data: actions taken in the app, pages and features used, request/response metadata, and error and diagnostic logs.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, and approximate location derived from IP address.
- Cookies and similar technologies: see Section 11.
4.3 Information from third parties
- Payment and fraud signals from Stripe (e.g. whether a payment succeeded).
- Email deliverability information from our email provider (e.g. whether a message bounced).
5. Sensitive and special-category information
ClientLoop is built for professions that routinely handle confidential and regulated information. The files and form responses placed into a workspace may therefore contain sensitive personal information, which can include:
- financial information — bank statements, tax returns, payroll, invoices, accounts;
- identity and verification documents — passports, driving licences, proof of address, national insurance / tax identifiers;
- legal and contractual documents;
- employment, recruitment and right-to-work information;
- and, on occasion, special-category data (Article 9 UK/EU GDPR — for example health information) or criminal-offence data (Article 10), where a Customer or Client chooses to upload it.
Important points:
- We do not request or require special-category data ourselves. It may be present because a Customer or Client uploads it into a workspace.
- For all Workspace Content, ClientLoop acts only as a processor on the Customer’s instructions. The Customer (controller) is responsible for ensuring it has a valid lawful basis and, where required, an appropriate Article 9 condition or explicit consent before collecting or sharing such data through ClientLoop.
- We apply the same heightened security controls to all Workspace Content regardless of its sensitivity (see Section 8).
6. How we use information, and our legal bases
Where data-protection law applies (including the UK GDPR and the EU GDPR), we rely on the following legal bases for the data we control:
| Purpose | Typical data used | Legal basis |
|---|---|---|
| Create and operate your account and workspace | Account, profile, configuration | Performance of a contract |
| Store and serve Workspace Content to the right people | Workspace Content (as processor) | Customer’s instructions / Customer’s legal basis |
| Take payment and manage subscriptions | Billing data | Performance of a contract; legal obligation |
| Keep the service secure and prevent fraud or abuse | Log, device, usage data | Legitimate interests; legal obligation |
| Provide support | Account, communications | Performance of a contract; legitimate interests |
| Send service / transactional emails (invites, reminders, receipts, security notices) | Account, contact data | Performance of a contract; legitimate interests |
| Send marketing about ClientLoop | Contact data, preferences | Consent, or our legitimate interests where permitted — you can opt out at any time |
| Improve and analyse the service | Usage data (aggregated where possible) | Legitimate interests |
| Comply with legal and accounting obligations | Billing, account, logs | Legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights. You can object to that processing (see Section 12). For Workspace Content we process as a processor, the relevant legal basis is the Customer’s, not ours.
7. How we share information
We do not sell your personal data and we do not share it for third-party advertising. We share personal data only as follows:
7.1 Sub-processors
We use trusted service providers (“sub-processors”) to run ClientLoop. Each is bound by contract to protect data and to process it only on our instructions. Our current sub-processors include:
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Vercel | Application hosting and encrypted file storage (Vercel Blob) | USA / EU |
| Stripe | Payment processing and subscription billing | USA / EU |
| Resend | Transactional email delivery (invites, reminders, receipts) | USA / EU |
| Upstash | Rate limiting and caching | USA / EU |
This list may change as the service evolves. An up-to-date list is available on request from privacy@clientloop.digital, and Customers may ask to be notified of new sub-processors.
7.2 Other recipients
- Professional advisers (such as auditors, lawyers and accountants) under confidentiality obligations.
- Authorities, regulators or courts where we are legally required to disclose, or to protect our rights, property or safety, or those of others.
- A successor entity in connection with a merger, acquisition, financing or sale of assets — in which case we will ensure your data remains subject to protections consistent with this policy.
8. How we protect information
We maintain technical and organisational security measures appropriate to the sensitivity of the data, including:
- Encryption in transit (TLS/HTTPS) for all connections, and encryption at rest for stored files and databases.
- Logical isolation between workspaces, so one Customer’s data is not accessible to another.
- Access controls based on the principle of least privilege, with authentication and audited administrative access.
- Passwords stored only as salted hashes (bcrypt); we cannot read your password.
- Scoped, time-limited secure invite links so Clients reach only their own workspace.
- Logging, monitoring and backups, with rate limiting to deter abuse.
No system can be guaranteed 100% secure. If we become aware of a personal-data breach that is likely to present a risk, we will act promptly and notify the relevant Customer(s) and supervisory authorities as required by law.
9. International data transfers
ClientLoop and some of our sub-processors operate in countries that may be outside the UK or the European Economic Area, including the United States. Where we transfer personal data internationally, we rely on an appropriate safeguard, such as an adequacy decision, the EU Standard Contractual Clauses, and/or the UK International Data Transfer Addendum, together with additional measures where needed.
10. How long we keep information
- Account and profile data: for as long as your account is active, and for a limited period afterwards to handle wind-down, disputes and legal obligations.
- Workspace Content: retained while the workspace and account are active, and according to the Customer’s instructions. On termination, Workspace Content is deleted or made available for export within [30] days, unless we are required by law to retain it.
- Billing and transaction records: retained for the period required by tax and accounting law (typically 6–7 years).
- Logs and security records: retained for a limited period appropriate to their purpose.
11. Cookies and similar technologies
- Strictly necessary cookies keep you signed in, maintain your session, and protect against fraud and abuse. These are required for the app to work.
- The marketing website is designed to use minimal cookies. Where we use analytics, we aim to use privacy-respecting, aggregated measurement and avoid intrusive tracking.
You can control cookies through your browser settings; blocking strictly necessary cookies may prevent the app from functioning.
12. Your rights
Subject to applicable law (including the UK and EU GDPR), you have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate data;
- request erasure (“right to be forgotten”);
- restrict or object to certain processing, including direct marketing;
- request portability of data you provided to us;
- withdraw consent at any time where we rely on consent; and
- complain to a supervisory authority. In the UK this is the Information Commissioner’s Office (ICO), ico.org.uk.
To exercise any right regarding data we control, email privacy@clientloop.digital. We may need to verify your identity, and we will respond within the time required by law (generally one month).
If you are a Client whose documents sit inside a Customer’s workspace, those rights are usually exercised through that Customer, who controls the data. Contact the business that invited you; we will assist them in responding.
US/California residents: where applicable, you may have rights to know, access, delete, and opt out of “sale”/“sharing” of personal information. We do not sell personal information. To make a request, contact privacy@clientloop.digital.
13. Children
ClientLoop is a business tool and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.
14. Changes to this policy
We may update this policy from time to time. We will change the “Last updated” date above and, where changes are material, take reasonable steps to notify Customers (for example by email or an in-app notice).
15. Contact
Questions, requests or complaints about privacy:
- privacy@clientloop.digital
- Pleesys Technology Limited, [registered address]
If you are in the UK or EU and are not satisfied with our response, you may contact your local data-protection authority (in the UK, the ICO at ico.org.uk).