Privacy Policy

Last updated: 24 March 2026

1. Data Controller

The Data Controller for personal data collected through the ReachLoop platform is:

  • Company name: NuMa Menu S.r.l.
  • Registered office: Corso XXII Marzo, 4 — 20135 Milano (MI), Italia
  • VAT number: IT14573500965
  • Contact email: privacy@reachloop.io

Under art. 37 of EU Regulation 2016/679 (GDPR), the Data Controller is not required to appoint a Data Protection Officer (DPO) as it is a small-to-medium enterprise that does not carry out large-scale processing of special categories of data. All data protection requests can be directed to privacy@reachloop.io.

2. Data We Collect

ReachLoop collects and processes the following categories of personal data:

a) Account data (via Clerk)

  • Full name
  • Email address
  • Profile image

b) LinkedIn data (via Unipile)

  • LinkedIn account ID
  • Connection status
  • We do not store your LinkedIn password. Authentication is handled via OAuth through Unipile.

c) Prospect data

  • Public LinkedIn profile information: name, headline, company, location, work experience, education
  • This data is obtained through LinkedIn searches performed on behalf of the user

d) Message data

  • Connection invites, AI-generated first messages, and follow-ups
  • Replies received from prospects

e) Usage data

  • Daily action counts (invitations, messages, searches)
  • AI token consumption
  • Agent configurations

f) Payment data (via Polar)

  • Subscription tier (trial, pro, expired)
  • Payment history
  • We do not store credit card numbers. Payment data is processed entirely by Polar.

g) Technical data

  • IP address
  • Browser type and device information
  • Information derived from infrastructure access logs

3. Legal Basis for Processing

Each processing activity is grounded in a specific legal basis under art. 6 of the GDPR:

a) Contract performance — art. 6(1)(b) GDPR

  • User account management
  • Agent execution (prospect search, connection requests, messaging)
  • Message delivery and reply management
  • AI-powered personalized message generation (necessary for service delivery)

b) Explicit consent — art. 6(1)(a) GDPR

  • Creating an agent constitutes explicit consent to automated LinkedIn actions (searches, invitations, messages)
  • Consent is recorded with a timestamp and policy version
  • Users may withdraw consent at any time by deleting or pausing their agent

c) Legitimate interest — art. 6(1)(f) GDPR

  • Platform security and fraud prevention
  • Aggregated, anonymized analytics for service improvement
  • System integrity monitoring

d) Legal obligation — art. 6(1)(c) GDPR

  • Retention of tax and accounting records under Italian law
  • Applicable regulatory compliance

4. Automated Processing & Profiling

Under art. 22 of the GDPR, we inform you that the service involves automated decision-making:

  • Prospect selection: AI identifies which prospects to contact based on user-configured search criteria
  • Message generation: OpenAI GPT-5.4 mini analyzes the prospect's public profile and agent instructions to generate personalized messages
  • Follow-up timing: the system automatically determines when to send follow-up messages based on agent configuration

Your rights:

  • Request human intervention in automated processes
  • Express your point of view on automated decisions
  • Contest decisions made automatically

User control: you maintain full control and can:

  • Review and edit generated messages before they are sent
  • Pause or delete agents at any time
  • Skip individual prospects from campaigns
  • Configure communication style, tone, and rules in detail

5. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). For each transfer, appropriate safeguards are in place under Chapter V of the GDPR:

  • OpenAI LLC (USA): Standard Contractual Clauses (SCCs) per EU Commission Decision 2021/914
  • Clerk Inc. (USA): SCCs with additional safeguards
  • Vercel Inc. (USA): SCCs
  • Convex Inc.: EU-West hosting — no extra-EU transfer
  • Unipile SAS: based in France/EU — no extra-EU transfer
  • Polar Sh: based in the EU — no extra-EU transfer

You may request information on the specific safeguards in place by writing to privacy@reachloop.io.

6. Data Retention

Personal data is retained only for as long as necessary for the purposes for which it was collected:

  • Account data: until account deletion + 30 days for backup recovery
  • Prospect data: until the user deletes the agent or prospects, or until account deletion
  • Message data: until user deletion or account deletion
  • AI usage logs: 12 months for billing reconciliation
  • Payment records: 10 years (Italian tax obligation under art. 2220 of the Italian Civil Code)
  • Technical logs: 90 days
  • Audit logs: 24 months for security purposes

At the end of the retention period, data is securely deleted or irreversibly anonymized.

7. Data Subject Rights

Under articles 15-22 of the GDPR, you have the right to:

  • Access (art. 15): request a copy of all personal data we hold about you
  • Rectification (art. 16): correct inaccurate or incomplete data
  • Erasure (art. 17): request deletion of your data ("right to be forgotten"). You can do this from the Settings page or via email request
  • Portability (art. 20): receive your data in a structured, commonly used, machine-readable format (JSON)
  • Restriction (art. 18): restrict processing in specific circumstances provided by law
  • Objection (art. 21): object to processing based on legitimate interest
  • Withdraw consent (art. 7(3)): withdraw consent at any time without affecting the lawfulness of processing based on consent given before its withdrawal
  • Complaint: file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it)

Response time: within 30 days from receipt of the request, extendable by an additional 60 days for complex requests, with prior notice.

How to exercise your rights: send an email to privacy@reachloop.io or use the Settings page in your account.

8. Sub-processors

To deliver the service, we rely on the following sub-processors:

Sub-processor | Purpose                          | Location  | Safeguards
Clerk Inc.    | Authentication & user management | USA       | SCCs + additional safeguards
Convex Inc.   | Database & backend               | EU-West   | EU hosting
OpenAI LLC    | AI message generation            | USA       | SCCs (EU Decision 2021/914)
Unipile SAS   | LinkedIn API integration         | France/EU | EU hosting
Polar Sh      | Payment processing               | EU        | EU hosting
Vercel Inc.   | Application hosting              | USA       | SCCs

The Data Controller ensures that all sub-processors provide sufficient guarantees to implement appropriate technical and organizational measures in compliance with the GDPR.

9. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk, in accordance with art. 32 of the GDPR:

  • Encryption in transit: all communications use TLS 1.2 or higher
  • Encryption at rest: AES-256 provided by infrastructure providers
  • Per-user data isolation: every database query includes ownership checks to prevent cross-user data access
  • Webhook signature verification: all incoming webhooks are authenticated via cryptographic signatures
  • Rate limiting: API request limits to prevent abuse
  • Audit logging: sensitive operations are logged for traceability
  • Access control: principle of least privilege
  • No LinkedIn password storage: authentication is handled exclusively via OAuth through Unipile

10. Children

ReachLoop is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, such data will be deleted immediately and without delay. If you believe we have collected data relating to a minor, please contact us at privacy@reachloop.io.

11. Changes to This Policy

We reserve the right to update this Privacy Policy. Changes will be handled as follows:

  • Substantial changes: notified via email at least 30 days before they take effect
  • Non-substantial changes: published on this page with an updated date at the top
  • Continued use of the service after notification constitutes acceptance of the changes

The date of the last update is always visible at the top of this page.

ReachLoop is a product of NuMa Menu S.r.l.
Registered Office: Corso XXII Marzo, 4 — 20135 Milano (MI), Italia
VAT Number: IT14573500965