Privacy Policy
Last updated: April 18, 2026
1. Introduction
AuthLoop, a product of GoSi Tech (“we”, “our”, or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our auth-infrastructure service for agent platforms at authloop.ai (the “Service”). AuthLoop is designed so that end-user credentials never touch our infrastructure or yours — they remain on the end user’s own device.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Profile information from your authentication provider (Clerk)
2.2 Session Data
When you use AuthLoop to resolve authentication challenges, we collect:
- Session metadata (service name, blocker type, timestamps)
- Session duration and resolution status
- API key usage information
We do not collect, store, or log any credentials you enter during a session. AuthLoop streams rendered pixels (screen images) via a secure WebSocket connection. Passwords, OTPs, captcha answers, and other sensitive inputs are relayed directly to the agent's browser and never stored on our servers.
2.3 Usage Data
We automatically collect:
- Session history and counts
- Feature usage patterns
- Error logs and performance data
- Browser type, device information, and IP address
2.4 Analytics Data
We use Google Analytics and Microsoft Clarity to understand how visitors use authloop.ai. These services may collect:
- Pages visited, time on page, and navigation paths
- Click patterns, scroll depth, and interaction events
- Session recordings and heatmaps (Microsoft Clarity)
- Device type, browser, operating system, and screen resolution
- Approximate geographic location (derived from IP address)
- Referral source and campaign parameters
Analytics are collected on public marketing pages only (landing page, docs, blog). The session viewer where end users resolve authentication walls does not load analytics scripts. No credentials, passwords, or authentication codes are ever captured by analytics tools.
2.5 Payment Information
Payment processing is handled by Stripe. We do not store your credit card details. Stripe may collect billing information as described in their Privacy Policy.
3. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Coordinate authentication sessions between your AI agent and your device
- Process payments and manage subscriptions
- Send transactional emails (receipts, notifications)
- Provide customer support
- Improve and optimize the Service
- Detect and prevent fraud or abuse
- Comply with legal obligations
4. Browser Streaming and Credentials
AuthLoop uses a WebSocket relay to stream browser screen content from the agent to the end user’s device and to carry the user’s input back to the agent. The relay is designed so that credentials never touch our infrastructure:
- All connections are encrypted in transit using TLS (WSS)
- Only rendered pixel data (JPEG frames) is transmitted from the agent to the end user’s browser — not DOM content, form data, or page source
- End-to-end encrypted input: keystrokes, clicks, scrolls, paste, navigation, and resolve/cancel signals are encrypted between the end user’s browser and the agent’s MCP server using ECDH P-256 key exchange and AES-256-GCM. The relay forwards ciphertext it cannot decrypt
- AuthLoop’s relay forwards messages in transit but never stores or reads the content. No screencast frames are persisted after the session ends
- We never see, intercept, store, or log any credentials, passwords, OTPs, or security answers
5. Data Storage and Security
5.1 Where We Store Data
- Web hosting: Vercel for the authloop.ai dashboard and landing page
- API hosting: Cloudflare Workers for the public REST API
- Database: Neon (PostgreSQL) for account data, API keys, and session logs
- Session State: Cloudflare KV for ephemeral session coordination (auto-expires via TTL)
- Authentication: Clerk for secure user management
- Streaming: Cloudflare Durable Objects for WebSocket session relay
- Webhooks: Svix for outbound webhook delivery to developer endpoints
- Transactional email: Resend for account and notification emails
5.2 Security Measures
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS for all API traffic, WSS for streaming)
- Streaming relay forwards data in transit without storing or reading content
- API keys hashed with bcrypt before storage
- Session ownership verification on every access
- Automatic session expiry via TTL
6. Data Sharing and Sub-processors
We do not sell your personal information. We may share data only as described below.
6.1 Sub-processors
We use the following third-party services (“sub-processors”) to operate AuthLoop. Each is contractually bound to protect your data and is subject to its own privacy policy. Our data is primarily hosted in the United States.
- Vercel (United States) — hosts the authloop.ai web app (dashboard, landing page, session viewer). Processes HTTP request logs.
- Cloudflare (Global edge network) — hosts the public API (Workers), ephemeral session state (KV), and the WebSocket streaming relay (Durable Objects). Requests are served from the nearest edge location; session relay instances are regionally distributed based on customer location.
- Neon (United States — AWS us-east-2) — managed PostgreSQL database for account data, hashed API keys, and session metadata.
- Clerk (United States) — user authentication and session management for the dashboard.
- Svix (United States) — outbound webhook delivery for session lifecycle events to developer endpoints.
- Resend (United States) — transactional email delivery (welcome emails, account notifications, quota warnings).
- Stripe — payment processing for paid plans. Not active during early access; will process billing data when paid plans launch.
- Google (United States) — Google Analytics for website usage analytics and Google Tag Manager for tag management. Collects page views, navigation paths, device information, and approximate location.
- Microsoft (United States) — Microsoft Clarity for behavioral analytics including session recordings, heatmaps, and click tracking to improve our website and marketing.
6.2 Other disclosures
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
7. Data Retention
- Account Data: Retained while your account is active and for 30 days after deletion
- Session State: Automatically deleted after session TTL expires (maximum 30 minutes)
- Session Logs: Retained according to your plan. Free and Starter plans do not include audit logging. Growth plans include 15 days of audit log retention; Scale plans include 30 days; Enterprise plans include 12 months with SIEM export. Session metadata used for usage counting is retained indefinitely for billing reconciliation
- Usage Logs: Retained for up to 90 days
8. Open Source
The AuthLoop SDK and MCP server are open source. You can audit the code that runs on your machine at github.com/authloop/authloop. The client-side code does not collect or transmit any data beyond what is described in this policy.
9. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Export your data
- Revoke API keys at any time
- Cancel active sessions at any time
- Opt out of marketing communications
To exercise these rights, contact us at support@authloop.ai.
10. Cookies and Tracking Technologies
We use the following types of cookies and tracking technologies:
- Essential cookies: Required for authentication and session management (Clerk). These cannot be disabled.
- Analytics cookies: Google Analytics uses first-party cookies to measure website usage (pages visited, session duration, traffic sources). Data is aggregated and used to improve our marketing pages.
- Behavioral analytics: Microsoft Clarity uses first and third-party cookies to capture session recordings, heatmaps, and interaction data. This helps us understand how visitors use authloop.ai so we can improve the experience.
Analytics and behavioral tracking run on public marketing pages only. They do not run on the session viewer (where end users resolve authentication walls) or on dashboard pages behind login. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement. For Google, visit Google’s Privacy Policy.
11. Children's Privacy
AuthLoop is not intended for children under 16. We do not knowingly collect personal information from children under 16.
12. International Transfers
AuthLoop is operated by GoSi Tech (India) and primarily hosts data in the United States through the sub-processors listed in section 6.1. If you are located outside the United States, your data will be transferred to, stored, and processed in the United States. For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or equivalent safeguards with our sub-processors.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the Service.
14. Contact Us
If you have questions about this Privacy Policy, contact us at:
Email: support@authloop.ai
GoSi Tech, Bangalore, India