Cloop Privacy Policy
Effective date: 2026-03-01
Last updated: 2026-02-15
Data controller: ROFFI Oy, Business ID 1234567-8, Vantaa, Finland
In Brief
Cloop is built and operated in Finland by ROFFI Oy. All data is stored and processed in the EU. We collect only what we need to run the service, we do not sell your data, and we do not use your content to train AI models. This policy explains the details.
1. Who We Are
ROFFI Oy ("we", "us", "Cloop") is a Finnish customer experience consultancy that builds and operates the Cloop platform. We are the data controller for your account and usage data, and data processor for visitor data collected through your Widget (see our DPA).
Contact:
- Email: privacy@cloop.io
- Address: ROFFI Oy, Vantaa, Finland
We do not currently have a designated Data Protection Officer. For any data protection questions, contact privacy@cloop.io.
2. What Data We Collect
2.1 Account Data (You as a Customer)
| Data | Source | Purpose |
|---|---|---|
| Name, email, profile picture | Google OAuth (or other identity provider) | Account creation and authentication |
| Organization name | You provide during setup | Multi-tenant workspace |
| Role within tenant | Assigned by tenant owner | Access control |
| Preferences (theme, language) | You set in dashboard | Personalization |
| Email addresses of invited team members | You provide via team management | Sending invitations |
2.2 Content Data
| Data | Source | Purpose |
|---|---|---|
| Website pages (text, URLs, titles) | Crawled from your website | Building your knowledge base |
| Uploaded documents (PDF, DOCX, TXT, MD) | You upload | Building your knowledge base |
| Vector embeddings | Generated from your content | Enabling semantic search |
| Bot persona instructions | You configure | Customizing AI behavior |
| Widget settings (title, colors, language) | You configure | Widget appearance |
2.3 Visitor Data (Collected Through Your Widget)
When visitors interact with the chat widget on your website, we collect the following on your behalf (you are the data controller; we are the data processor):
| Data | Source | Purpose |
|---|---|---|
| Chat messages | Visitor types in widget | Generating AI responses |
| Visitor ID (random UUID) | Generated by widget, stored in visitor's browser (localStorage) | Recognizing returning visitors |
| Email address | Visitor provides voluntarily | Lead capture |
| Entry page URL | Browser | Context for conversation |
| Conversation phase | System-generated | Tracking conversation progression (discovery, value demonstration, lead capture, call-to-action) |
| Session metadata (timestamps, message count, lead status) | System-generated | Analytics and lead funnel |
| AI confidence scores | System-generated | Quality monitoring |
| Content source references | System-generated | Tracking which knowledge base content was cited in responses |
We do not collect: IP addresses of widget visitors (beyond standard server logs), precise geolocation, device fingerprints, or browsing history.
2.4 Demo/Trial Data
When a visitor uses the free trial on cloop.io:
| Data | Source | Purpose |
|---|---|---|
| Website URL pasted | Visitor provides | Crawling and demo |
| Email address | Visitor provides voluntarily | Lead follow-up |
| Demo chat messages | Visitor types | Demo experience |
Trial data is automatically deleted after 24 hours.
2.5 Technical and Usage Data
| Data | Source | Purpose |
|---|---|---|
| Server access logs (IP, user agent, timestamp) | Nginx | Security, debugging |
| API request metadata | Application | Rate limiting, abuse prevention |
| AI usage (model, token counts, cost) | Application | Budget enforcement |
| Audit log events (login, logout, settings changes) | Application | Security audit trail |
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Account management | Contract (Art. 6(1)(b)) | Necessary to provide the service you signed up for |
| Content processing (crawl, embed, search) | Contract (Art. 6(1)(b)) | Core service functionality |
| Visitor data processing | Contract (Art. 6(1)(b)) + your instructions as controller | We process as your data processor per the DPA |
| Security logging and abuse prevention | Legitimate interest (Art. 6(1)(f)) | Protecting the service and users |
| Demo/trial | Consent (Art. 6(1)(a)) | User initiates the trial voluntarily |
| Email communications about the service | Legitimate interest (Art. 6(1)(f)) | Service updates, security alerts |
4. How We Use AI
4.1 AI Providers
We use Nebius AI Studio (Nebius B.V., Netherlands) for:
- Embedding generation — converting your content into vector representations for semantic search
- Chat response generation — producing answers to visitor questions based on your content
4.2 What We Send to AI Providers
When a visitor asks a question, we send:
- The visitor's question
- Relevant chunks of your content (retrieved via vector search)
- System instructions (persona, phase, language settings)
- Recent conversation history (within the same session)
4.3 What We Do NOT Do
- We do not send visitor personal data (email, name) to AI providers
- We do not use your content or visitor conversations to train AI models
- We do not allow AI providers to use the data for model training (confirmed via Nebius AI Studio terms)
- We do not use AI to make automated decisions with legal or significant effects on individuals
5. Data Sharing
5.1 Subprocessors
We use the following third-party services to operate Cloop (see Subprocessor List for details):
| Subprocessor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, object storage | Helsinki, Finland (EU) |
| Nebius B.V. | AI inference (embeddings, LLM) | EU data centers |
| Let's Encrypt | TLS certificates | Global (no personal data) |
5.2 No Data Sales
We do not sell, rent, or trade personal data to anyone.
5.3 Legal Requirements
We may disclose data if required by Finnish or EU law, court order, or to protect the rights, safety, or property of our users or the public.
6. International Data Transfers
All data is stored and processed within the EU/EEA:
- Server infrastructure: Hetzner Helsinki, Finland
- AI processing: Nebius EU data centers
- Database: Self-managed on our Finnish server
We do not transfer personal data outside the EU/EEA. If this changes in the future (e.g., adding a CDN or analytics provider), we will update this policy and ensure appropriate safeguards (Standard Contractual Clauses or adequacy decision) are in place.
7. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account data | Until you delete your account | Permanent deletion upon request |
| Content (pages, documents, embeddings) | Until you delete the content or your account | Permanent deletion |
| Visitor chat sessions | Until you delete them or your account | Permanent deletion |
| Lead data | Until you delete it or your account | Permanent deletion |
| Demo/trial data | 24 hours | Automatic deletion |
| Server access logs | 90 days | Automatic rotation |
| Audit logs | 12 months | Automatic rotation |
| AI usage logs | 12 months | Automatic rotation |
When you delete your account, all associated data (content, sessions, leads, settings) is permanently deleted within 30 days.
8. Data Security
We implement appropriate technical and organizational measures:
- Encryption in transit: TLS 1.2+ for all connections (HSTS enforced)
- Encryption at rest: Full-disk encryption on our servers
- Access control: Role-based access, JWT authentication with token revocation
- Multi-tenant isolation: All database queries scoped by tenant/site
- Input validation: Parameterized queries, SSRF protection, file type validation
- Rate limiting: Multi-tier rate limiting to prevent abuse
- Infrastructure hardening: Hardened service configuration, mandatory access control, minimal attack surface
- Audit logging: Structured logging of authentication and administrative events
- Budget controls: Daily AI cost cap preventing runaway expenses
For more detail, see our Security Overview document.
9. Your Rights (GDPR Articles 15-22)
As a data subject, you have the right to:
| Right | How to Exercise |
|---|---|
| Access your data | Email privacy@cloop.io or export from dashboard |
| Rectify inaccurate data | Edit in dashboard or email us |
| Erase your data ("right to be forgotten") | Delete your account, or email us for specific deletions |
| Restrict processing | Email privacy@cloop.io |
| Data portability | Email us for a machine-readable export |
| Object to processing | Email privacy@cloop.io |
| Withdraw consent | Where consent is the basis, withdraw anytime via dashboard or email |
We will respond within 30 days (extendable by 60 days for complex requests, with notice).
If you believe we have violated your data protection rights, you may file a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu):
- Website: https://tietosuoja.fi/en
- Email: tietosuoja@om.fi
10. Cookies and Browser Storage
Cloop does not use cookies. The dashboard stores authentication tokens in localStorage. The embeddable Widget stores a random visitor identifier in localStorage (not cookies). All visitor interaction data (messages, session metadata, conversation phase) is stored server-side in our EU-hosted database. See our Cookie & Storage Policy for details.
11. Children
Cloop is a business-to-business service. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact privacy@cloop.io and we will delete it.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or dashboard notification at least 30 days before the effective date. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For any privacy-related questions or requests:
ROFFI Oy
Vantaa, Finland
Email: privacy@cloop.io
For security concerns: security@cloop.io