Privacy Policy

Last updated: April 27, 2026

1. Who we are

The Inloopd mobile application and the Inloopd website at inloopd.com (together, the “Service”) are operated by Sarah Dufays, an individual sole proprietor based in Florida, doing business as Inloopd (“Inloopd”, “we”, “us”, “our”). Sarah Dufays is the controller of the personal data described in this policy.

The Service generates personalized AI news briefings — delivered as audio podcasts, text headlines, or weekly recaps — tailored to topics and expertise levels you choose.

Questions: legal@inloopd.com.

2. Information we collect

When you sign in to the app

You sign in with Apple Sign-In or Google Sign-In. We never see, receive, or store your Apple ID or Google account password. From your provider we receive:

  • Email address — Apple may share your real email or a Private Relay (@privaterelay.appleid.com) forwarding address. Google shares your Google account email.
  • Provider user identifier — A stable, app-scoped ID we use to recognize you on return visits.
  • Suggested first name — Pre-fills onboarding. You can change or remove it at any time.

During onboarding and in your profile

To personalize your briefings, you optionally provide:

  • First name, role (Learner / Practitioner / Researcher), background, and an optional free-text elaboration.
  • Topic preferences with familiarity (Just Learning / Comfortable / Advanced), specializations, and focus areas.
  • News sources you currently use to stay informed.
  • Notification preferences: whether you want a daily reminder and at what hour.
  • Briefing format: Podcast (audio) or Headlines (text).

All onboarding fields are optional and editable from the Profile screen at any time.

As you use the app

  • Bookmarks — Episodes and Learn More items you save are synced to your account.
  • Listening sessions — Start and end time, duration listened, furthest position reached, total episode duration, completion, skip count, and which segments you skipped.
  • Episode and story feedback — Reactions (“Too basic” / “Just right” / “Too dense”), free-text notes, suggested topics, and per-story “Worth exploring more?” / “Not interested” / “Cover this next time?” votes.
  • Followed stories — When you follow a story, we record its headline and summary so we can surface continuations and updates.
  • Learn More requests — Topics you ask us to cover in greater depth.
  • Episode shares — Share links you generate are tied to your account.
  • In-app analytics events — When you tap a story source link, an external Learn More link, or open a screen, we record the event name and contextual properties (canonical URL, host, source/title, the surrounding episode or item ID, and the app surface). We do not track what you do after a link opens in your browser.
  • App session telemetry — When the app opens and when it moves to the background, we record session duration, device model, OS version, app version, timezone, locale, and entry point (direct, notification, share link, or widget).
  • Push notification token — If you enable notifications, your iOS device push token is registered so we can deliver daily reminders, the Sunday Recap, and followed-story update alerts through Apple Push Notification service.
  • Account metadata — Account creation date and profile update timestamps.

On the website

  • Email address — When you join the waitlist, we collect your email solely to notify you when the app is available and to send occasional product updates. Every email includes an unsubscribe link.

Stored on your device only

  • A signed session token (JWT, 30-day lifetime) in the iOS Keychain — your user ID and an expiration only, no profile data.
  • Cached briefing audio in the app's Caches directory (7-day max age, 10-file cap, wiped on sign-out).
  • A local list of episodes you've started, kept in UserDefaults so the Library view renders quickly. Not transmitted to our servers.

What we do not collect

  • Location, contacts, photos, microphone access, calendar, or files on your device.
  • Browsing history outside of links you tap inside Inloopd.
  • Advertising identifiers (IDFA), tracking pixels, fingerprints, or cross-app or cross-site tracking signals.
  • Payment or financial information. The Service is currently free; future paid plans would be processed by Apple, not by us.
  • Data from any other app on your device.

We do not sell your personal data, and we do not share it with advertisers or data brokers.

3. How we use your information

  • Personalization — Your role, topics, familiarity, focuses, feedback signals, listened/skipped data, and link taps shape what stories appear in your briefing, in what order, and at what depth.
  • Content generation — Our AI pipeline synthesizes publicly available news into briefings. Profile fields (role, topics, familiarity) are included in generation prompts. We do not include your name, email, or any identifier in the prompts our LLM providers receive.
  • Audio synthesis — Briefing scripts are sent to ElevenLabs to produce the audio. We send only the script, with no profile, account, or identifier data.
  • Notifications — If you enable them, we use Apple Push Notification service to deliver daily reminders, the Sunday Recap, and followed-story update alerts.
  • Service operation — Authenticating you, syncing bookmarks, generating share links, and serving your Today screen.
  • Improving the Service — Aggregated, de-identified listening, feedback, and analytics data help us evaluate which topics and segments are working.

4. Third-party services

We use a small, fixed set of vendors. None are advertising or tracking networks.

  • Apple Sign-In and Google Sign-In — authentication.
  • Apple Push Notification service (APNs) — notification delivery.
  • Amazon Web Services (AWS) — database (RDS) and audio file storage (S3), in the United States.
  • ElevenLabs — text-to-speech audio generation. We send the briefing script only; no profile or identifier. See ElevenLabs' privacy policy.
  • OpenAI / Anthropic — large-language-model providers used for ranking, summarization, and script writing. We send news article text and de-identified profile fields (role, topics, familiarity); we do not send your name, email, or user ID.

We do not use third-party analytics SDKs, crash-reporting services, or advertising networks inside the App.

5. Storage and security

  • Database — PostgreSQL on AWS RDS, inside a private VPC with no public internet ingress.
  • Audio files — AWS S3, served exclusively via 24-hour presigned URLs.
  • Session tokens — Signed JWTs stored only in the iOS Keychain with device-only protection.
  • Encryption — TLS for all data in transit; AWS-managed encryption at rest.

No system is perfectly secure, but we apply industry-standard safeguards proportional to the sensitivity of the data.

6. Data retention

  • Waitlist emails — Retained until the app launches or until you ask to be removed.
  • Active accounts — Retained while your account exists.
  • Account deletion — Permanently removes your profile, episodes, feedback, listening sessions, bookmarks, followed stories, share links, analytics events, app sessions, and device tokens within 30 days.
  • Sign-out — Clears your session token, downloaded audio, and on-device cache. Server-side data is retained until you delete the account.
  • Backups — Encrypted and rotated within 35 days; deleted records are removed in the next rotation cycle.
  • Session tokens — Expire automatically after 30 days.

7. Your rights and choices

You can:

  • Access and update your profile from the Profile screen.
  • Withdraw consent for notifications by toggling them off in the App or in iOS Settings.
  • Delete your account from Profile → Account. This is permanent and irreversible.
  • Request a copy, correction, or deletion of your data by emailing legal@inloopd.com. We respond within 30 days.
  • Unsubscribe from waitlist or product-update emails at any time (every email includes an unsubscribe link).

If you are in the EEA, UK, or California, you also have the right to lodge a complaint with your local data protection authority.

8. Children's privacy

Inloopd is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact legal@inloopd.com and we will delete it.

9. International users

Inloopd is operated from the United States, and our infrastructure (AWS RDS, AWS S3) is located in the United States. By using the Service, you understand that your information will be processed in the United States, which may have different data protection laws than your country of residence.

10. Changes to this policy

We will notify you of material changes at least 30 days in advance through an in-app notice and (where we have it) by email. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy questions, data requests, or to exercise any of the rights above:
legal@inloopd.com