Privacy Policy

Last updated: March 2026

This Privacy Policy explains how Dualoop SRL (“Dualoop”, “we”, “us”), as data controller, collects, uses, and protects your personal data when you use the dualoop.coach platform (“Service”), in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Belgian Data Protection Act of 30 July 2018.

1. Data Controller

Dualoop SRL, Brussels, Belgium.
Contact: coaching@dualoop.com

2. Data We Collect

  • Account data: Name, email address, authentication credentials, profile information (role, intent)
  • Conversation data: Messages you send and AI-generated responses
  • Uploaded files: Documents submitted for analysis
  • Coaching memory: AI-extracted insights from your conversations, generated automatically to improve coaching continuity
  • Voice data: Voice session transcripts and synthesis, if you use the voice sparring feature
  • Stakeholder agents: Agent definitions, evidence files, and external sources you configure for stakeholder simulations
  • Payment data: Billing information, transaction history, and subscription status (processed by Stripe; we do not store full card numbers)
  • Credit & usage data: Credit balances, consumption history
  • Analytics data: Anonymized feature usage and session timestamps
  • Technical data: IP address, browser type (via Supabase authentication logs)
  • Contact form data: Name, email, company, team size, and message when submitted through our contact form
  • Error monitoring data: Anonymized error reports and masked session replays (all text and user inputs are masked)

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service, including AI processing of your data to deliver coaching responses, generate deliverables, and extract learning insights
  • Legitimate interest (Art. 6(1)(f) GDPR): Service improvement, security, error monitoring, cost monitoring, lead qualification

4. AI Processing

Your data is processed by two AI providers to deliver the coaching service. Both act as data processors and neither uses your data for model training under their commercial API terms.

  • Anthropic Claude: Processes coaching conversations, routing decisions, critic reviews, and synthesis of coaching responses
  • Google Gemini: Processes file text extraction, voice sparring, history summarization, memory extraction, and diagram generation

AI processing is necessary to provide the core coaching service and is performed under the contract performance legal basis (Art. 6(1)(b) GDPR).

5. Service Providers (Sub-Processors)

We use the following sub-processors to deliver the Service. Where data is transferred outside the EEA, appropriate safeguards are in place (Standard Contractual Clauses per Art. 46(2)(c) GDPR and/or EU-US Data Privacy Framework certification).

  • Anthropic (Claude API) — AI coaching responses. US-based. DPF + SCCs.
  • Google (Gemini API) — File extraction, voice processing, summarization. EU/US. DPF + SCCs.
  • Supabase — Database and authentication. EU region. DPF + SCCs.
  • Stripe — Payment processing. US-based. DPF + SCCs.
  • Sentry — Error monitoring and session replay (with full text masking). US-based. DPF + SCCs.
  • Railway — Application hosting and compute. EU region. DPF + SCCs.

6. Data Retention

Conversation data is retained for the duration of your account. Upon account deletion, your data is permanently deleted within 30 days. Cost and audit logs may be retained for up to 7 years for accounting purposes under Belgian law. Contact form submissions are retained for 24 months for lead management purposes.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (“right to be forgotten”) (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3))

To exercise these rights, contact coaching@dualoop.com. We will respond within 30 days.

8. Cookies and Tracking

We use essential cookies for authentication and session management.

We use Sentry for error monitoring, which includes masked session replay on error sessions. All text and user inputs are masked in these replays. This helps us diagnose and fix technical issues.

We do not use advertising cookies. No data is shared with advertising networks.

9. Supervisory Authority

You have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit):

Rue de la Presse 35, 1000 Brussels
www.autoriteprotectiondonnees.be

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect.