Privacy Policy
Last updated: March 14, 2026
1. Introduction
AuthLoop, a product of GoSi Tech (“we”, “our”, or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our authentication assistance platform at authloop.ai (the “Service”).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Profile information from your authentication provider (Clerk)
2.2 Session Data
When you use AuthLoop to resolve authentication challenges, we collect:
- Session metadata (service name, blocker type, timestamps)
- Session duration and resolution status
- API key usage information
We do not collect, store, or log any credentials you enter during a session. AuthLoop streams rendered pixels (screen images) via WebRTC. Passwords, OTPs, captcha answers, and other sensitive inputs are typed directly into the agent's browser and never pass through our servers.
2.3 Usage Data
We automatically collect:
- Session history and counts
- Feature usage patterns
- Error logs and performance data
- Browser type, device information, and IP address
2.4 Payment Information
Payment processing is handled by Stripe. We do not store your credit card details. Stripe may collect billing information as described in their Privacy Policy.
3. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Coordinate authentication sessions between your AI agent and your device
- Process payments and manage subscriptions
- Send transactional emails (receipts, notifications)
- Provide customer support
- Improve and optimize the Service
- Detect and prevent fraud or abuse
- Comply with legal obligations
4. Browser Streaming and Credentials
AuthLoop uses WebRTC (via LiveKit) to stream browser screen content from your AI agent to your device. This is how the Service works:
- The stream is encrypted end-to-end using WebRTC DTLS-SRTP
- Only rendered pixel data is transmitted — not DOM content, form data, or page source
- Keystrokes you type are sent directly to the agent's browser via an encrypted data channel
- AuthLoop's servers handle session signaling and room coordination only
- We never see, intercept, store, or log any credentials, passwords, OTPs, or security answers
5. Data Storage and Security
5.1 Where We Store Data
- Database: Neon (PostgreSQL) for account data, API keys, and session logs
- Session State: Cloudflare KV for ephemeral session coordination (auto-expires via TTL)
- Authentication: Clerk for secure user management
- Streaming: LiveKit for WebRTC session coordination
5.2 Security Measures
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS for all API traffic)
- End-to-end encryption for browser streams (WebRTC DTLS-SRTP)
- API keys hashed with bcrypt before storage
- Session ownership verification on every access
- Automatic session expiry via TTL
6. Data Sharing
We do not sell your personal information. We may share data with:
- Service Providers: Third-party services that help us operate (Clerk, Stripe, Cloudflare, Neon, LiveKit)
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
7. Data Retention
- Account Data: Retained while your account is active and for 30 days after deletion
- Session State: Automatically deleted after session TTL expires (maximum 30 minutes)
- Session Logs: Retained according to your plan (Free: 7 days, Pro: 90 days, Team: 1 year)
- Usage Logs: Retained for up to 90 days
8. Open Source
The AuthLoop SDK and MCP server are open source. You can audit the code that runs on your machine at github.com/authloop/authloop. The client-side code does not collect or transmit any data beyond what is described in this policy.
9. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Export your data
- Revoke API keys at any time
- Cancel active sessions at any time
- Opt out of marketing communications
To exercise these rights, contact us at support@authloop.ai.
10. Cookies
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies.
11. Children's Privacy
AuthLoop is not intended for children under 16. We do not knowingly collect personal information from children under 16.
12. International Transfers
Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place for international transfers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the Service.
14. Contact Us
If you have questions about this Privacy Policy, contact us at:
Email: support@authloop.ai
GoSi Tech, Bangalore, India