Data Ownership

Your data belongs to you. Here's how LoopKit handles data ownership, storage, and your rights as a customer.

Core Principles

1. You Own Your Data

  • All event data you send to LoopKit remains your property
  • We are a data processor, not a data controller
  • You have complete control over your data lifecycle
  • No vendor lock-in - export your data anytime

2. Transparent Processing

  • We only process data to provide LoopKit services
  • No selling or sharing of your data with third parties
  • Clear documentation of how data is used
  • Regular security audits and compliance reviews

3. Data Minimization

  • We only collect data necessary for service functionality
  • Automatic data retention policies
  • Option to configure custom retention periods
  • Secure deletion when data is no longer needed

Data Storage & Location

Geographic Storage

Default Regions:

  • US: AWS us-east-1 (Virginia)
  • EU: AWS eu-west-1 (Ireland)
  • Asia-Pacific: AWS ap-southeast-1 (Singapore)

Data Residency:

  • Your data is stored in the region closest to your primary users
  • EU customers can require EU-only data storage
  • Data never crosses regional boundaries without explicit consent

Storage Infrastructure

Security Measures:

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Encrypted backups with separate key management
  • Zero-trust network architecture

Backup & Redundancy:

  • Real-time replication across multiple availability zones
  • Daily encrypted backups retained for 30 days
  • 99.9% uptime SLA with automated failover
  • Point-in-time recovery capabilities

Data Retention Policies

Event Data

Standard Retention:

  • Raw events: 2 years from ingestion date
  • Aggregated insights: 5 years from generation date
  • User profiles: Until account deletion
  • System logs: 90 days

Custom Retention: Enterprise customers can configure:

  • Shorter retention periods (minimum 30 days)
  • Longer retention periods (up to 7 years)
  • Different policies per data type
  • Compliance-specific retention rules

Deletion Triggers

Automatic Deletion:

  • Data exceeding retention period
  • Account closure (30-day grace period)
  • Subscription cancellation (90-day grace period)
  • GDPR/CCPA deletion requests

Secure Deletion:

  • Cryptographic deletion for encrypted data
  • Physical media destruction for decommissioned hardware
  • Deletion verification and audit logs
  • Recovery prevention measures

Data Access & Control

Your Access Rights

Read Access:

  • Real-time dashboard access to all your data
  • Comprehensive export functionality
  • API access for programmatic data retrieval
  • Audit logs of all data access

Write Access:

  • Modify user identification data
  • Update group/team information
  • Correct or append event properties (within 24 hours)
  • Add data classification tags

Delete Access:

  • Individual event deletion
  • User data deletion (GDPR compliance)
  • Group/team data deletion
  • Complete account data deletion

Data Export

Export Formats:

```bash
# JSON format (structured data)
curl -X GET "https://api.loopkit.ai/v1/export/events?format=json" \
  -H "Authorization: Bearer your-api-key"

# CSV format (spreadsheet compatible)
curl -X GET "https://api.loopkit.ai/v1/export/events?format=csv" \
  -H "Authorization: Bearer your-api-key"

# Parquet format (big data compatible)
curl -X GET "https://api.loopkit.ai/v1/export/events?format=parquet" \
  -H "Authorization: Bearer your-api-key"
```

Export Scope:

  • Complete historical data export
  • Filtered exports by date range, event type, or user
  • Incremental exports for ongoing data synchronization
  • Schema and metadata included

Migration Support

Leaving LoopKit:

  • Full data export assistance
  • Schema mapping documentation
  • Migration timeline coordination
  • 90-day data retention grace period

Common Migration Targets:

  • Self-hosted analytics solutions
  • Data warehouses (Snowflake, BigQuery, Redshift)
  • Other analytics platforms
  • Custom data processing pipelines

GDPR Compliance (EU)

Individual Rights:

  • Right to Access: Complete data export within 30 days
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Delete personal data upon request
  • Right to Portability: Machine-readable data export
  • Right to Object: Opt out of specific data processing

Implementation:

```javascript
// GDPR deletion request
LoopKit.deleteUser('user_123', {
  reason: 'gdpr_request',
  verification: 'email_confirmed',
});

// Data portability export
LoopKit.exportUserData('user_123', {
  format: 'json',
  include_aggregated: true,
});
```

CCPA Compliance (California)

Consumer Rights:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt out of data sales (not applicable - we don't sell data)
  • Right to non-discrimination for exercising privacy rights

PIPEDA Compliance (Canada)

Privacy Principles:

  • Consent for data collection and use
  • Limited collection to identified purposes
  • Accurate and up-to-date data maintenance
  • Individual access to personal information

SOC 2 Type II

Compliance Areas:

  • Security: Data protection and access controls
  • Availability: System uptime and reliability
  • Processing Integrity: Accurate data processing
  • Confidentiality: Protection of confidential data

Data Processing Activities

Primary Processing

Event Analytics:

  • Statistical analysis of user behavior patterns
  • AI-powered insight generation
  • Trend analysis and forecasting
  • Performance metric calculation

User Identification:

  • Linking anonymous and identified user sessions
  • User journey mapping and analysis
  • Cohort analysis and segmentation
  • Retention and churn analysis

Secondary Processing

Service Improvement:

  • Product feature usage analysis (aggregated only)
  • System performance optimization
  • Error detection and resolution
  • Security monitoring and threat detection

Prohibited Processing

We Never:

  • Sell or monetize your data
  • Use your data for advertising targeting
  • Share data with competitors
  • Process data for unrelated business purposes

Data Sharing & Third Parties

Service Providers

Infrastructure Partners:

  • AWS: Cloud hosting and storage (DPA signed)
  • Cloudflare: CDN and DDoS protection (DPA signed)
  • MongoDB Atlas: Database hosting (DPA signed)

Processing Restrictions:

  • Contractual data processing agreements (DPAs)
  • Strict purpose limitation clauses
  • Regular security audits and certifications
  • Immediate termination rights for violations

No Data Sharing

We Do Not Share Data With:

  • Marketing companies
  • Data brokers
  • Advertising networks
  • Social media platforms
  • Government agencies (except legal requirements)

Data Portability

Standard Exports

Event Data Export:

```json
{
  "events": [
    {
      "event_id": "evt_123",
      "name": "user_signup",
      "properties": {
        "method": "email",
        "source": "homepage"
      },
      "user_id": "user_456",
      "anonymous_id": "anon_789",
      "timestamp": "2025-01-15T10:30:00Z",
      "received_at": "2025-01-15T10:30:01Z"
    }
  ],
  "schema_version": "1.0",
  "export_metadata": {
    "exported_at": "2025-01-20T14:00:00Z",
    "total_events": 50000,
    "date_range": {
      "start": "2024-01-01T00:00:00Z",
      "end": "2025-01-20T14:00:00Z"
    }
  }
}
```
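
Before relying on an event export for a migration or a portability request, it is worth checking the file against its own export_metadata. The following is an added example, not LoopKit code: verifyEventExport and the checks it applies are assumptions built only on the field names in the sample export above.

```javascript
// Added example. Field names come from the sample export on this page;
// the checks are assumptions about what a complete export looks like.
function verifyEventExport(doc) {
  const problems = [];
  const events = Array.isArray(doc.events) ? doc.events : [];
  const meta = doc.export_metadata || {};
  const range = meta.date_range || {};
  const start = Date.parse(range.start);
  const end = Date.parse(range.end);
  if (doc.schema_version !== '1.0') {
    problems.push(`unexpected schema_version: ${doc.schema_version}`);
  }
  // A truncated or partial download shows up as a count mismatch.
  if (events.length !== meta.total_events) {
    problems.push(`total_events=${meta.total_events}, file holds ${events.length}`);
  }
  if (Number.isNaN(start) || Number.isNaN(end)) {
    problems.push('date_range missing or unparseable');
  }
  const seen = new Set();
  for (const ev of events) {
    if (seen.has(ev.event_id)) problems.push(`duplicate event_id ${ev.event_id}`);
    seen.add(ev.event_id);
    const ts = Date.parse(ev.timestamp);
    if (Number.isNaN(ts)) problems.push(`${ev.event_id}: unparseable timestamp`);
    else if (ts < start || ts > end) problems.push(`${ev.event_id}: outside date_range`);
    // Unattributed events cannot be matched to a user for access or erasure requests.
    if (!ev.user_id && !ev.anonymous_id) problems.push(`${ev.event_id}: no user reference`);
  }
  return problems;
}

// Constructed sample data (not real LoopKit output).
const sampleMeta = (n) => ({
  total_events: n,
  date_range: { start: '2024-01-01T00:00:00Z', end: '2025-01-20T14:00:00Z' },
});
const goodExport = {
  schema_version: '1.0', export_metadata: sampleMeta(1),
  events: [{ event_id: 'evt_123', user_id: 'user_456', timestamp: '2025-01-15T10:30:00Z' }],
};
const badExport = {
  schema_version: '1.0', export_metadata: sampleMeta(3), // claims 3 events, file holds 2
  events: [
    { event_id: 'evt_1', user_id: 'user_456', timestamp: '2025-01-15T10:30:00Z' },
    { event_id: 'evt_1', timestamp: '2025-02-01T00:00:00Z' }, // duplicate, late, unattributed
  ],
};
console.log(verifyEventExport(goodExport), verifyEventExport(badExport));
```

An empty result means the file is internally consistent; it does not prove the export contains everything the service holds.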

User Data Export:

```json
{
  "users": [
    {
      "user_id": "user_456",
      "anonymous_ids": ["anon_789", "anon_abc"],
      "traits": {
        "email": "user@example.com",
        "plan": "pro",
        "signup_date": "2025-01-15"
      },
      "first_seen": "2025-01-15T10:30:00Z",
      "last_seen": "2025-01-20T12:00:00Z"
    }
  ]
}
```

Custom Export Formats

Enterprise customers can request:

  • Custom JSON schemas
  • Database-specific formats (SQL, MongoDB)
  • Analytics platform formats (Mixpanel, Amplitude)
  • Data warehouse formats (Snowflake, BigQuery)

Incident Response

Data Breach Protocol

Immediate Response (< 4 hours):

  1. Incident containment and impact assessment
  2. Customer notification via email and dashboard
  3. Regulatory notification (where required)
  4. Forensic investigation initiation

Recovery Process:

  1. Root cause analysis and remediation
  2. Security measure enhancement
  3. Customer compensation (if applicable)
  4. Public incident report publication

Historical Incidents

As of January 2025, LoopKit has maintained a zero-breach record with:

  • No unauthorized data access incidents
  • No data loss events
  • 99.97% uptime over the past 12 months
  • Regular third-party security audits

Account Closure & Data Handling

Subscription Cancellation

Grace Period (90 days):

  • Full data access maintained
  • All export functionality available
  • Option to reactivate subscription
  • No new data ingestion

After Grace Period:

  • Account data securely deleted
  • Export functionality disabled
  • Billing data retained (legal requirement)
  • Anonymized usage statistics may be retained

Account Deletion Request

Process:

  1. Submit deletion request via dashboard or support
  2. Identity verification (email confirmation)
  3. 30-day confirmation period
  4. Irreversible data deletion

What Gets Deleted:

  • All event data associated with your account
  • User profiles and group information
  • Dashboard configurations and insights
  • API keys and access tokens

What We Retain:

  • Billing records (7 years, legal requirement)
  • Support tickets (anonymized, 2 years)
  • Security logs (anonymized, 1 year)

Contact & Data Rights

Data Protection Officer

For data privacy questions:

Exercise Your Rights

Self-Service Options:

  • Export data via dashboard or API
  • Delete specific users via API
  • Modify user traits and properties
  • Configure retention settings

Support-Assisted Options:

  • Complete account deletion
  • Complex data requests
  • Compliance-specific requirements
  • Custom export formats

Support Channels


Your data, your control. Questions about data ownership? Contact us anytime.