Legal

Privacy Policy

Effective: March 23, 2026 · Last updated: March 30, 2026

MarkLoop ("we", "us", "our") is operated by SOP (sop.build), a company based in New York, NY. We operate the MarkLoop platform at markloop.build. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding that data.

By creating an account or using our platform, you consent to the practices described in this policy. If you do not agree with this policy, please do not use our services.

1. Information We Collect

1.1 Account Information

When you sign up, we collect the following through our authentication provider (Clerk):

  • Email address
  • Full name
  • Profile picture (if provided via your authentication method)

1.2 Business Profile Information

During onboarding, you voluntarily provide information about your business to receive personalized filming plans:

  • Business name and type (e.g., restaurant, bar, cafe)
  • Business location
  • Content preferences and marketing goals

1.3 Instagram Data

If you choose to connect your Instagram account, we access data through the Instagram API (using the Instagram Login with Business permissions). You must explicitly authorize this connection, and you can disconnect at any time. We collect:

Profile information:

  • Instagram username
  • Instagram user ID
  • Account type (business, creator, or personal)
  • Profile picture URL
  • Biography
  • Followers count
  • Following count
  • Total media (post) count

Post-level data (for your recent posts):

  • Post ID, caption, media type (image, video, reel, carousel), and permalink
  • Post timestamp
  • Like count and comment count
  • Post insights: reach, impressions, saves, shares, and plays (video/reel content)
  • Calculated engagement rate (based on reach)

How we use Instagram data: We use your Instagram metrics solely to provide you with performance insights within the MarkLoop dashboard, inform your personalized content strategy, and help you understand which types of content perform best for your business. We do not use your Instagram data for advertising, sell it to third parties, or share it with anyone outside the services described in this policy.

Data refresh: Instagram data is synced when you manually trigger a sync from your dashboard. We store a long-lived access token (valid for 60 days) to access your data. If the token expires, you will need to re-authorize the connection.

1.4 Video Content and Footage

When you or your team upload video clips through our filming links, we collect and store that footage to produce auto-edited Reels for your business. Specifically, we collect:

  • Raw video clips uploaded by you or your designated team members
  • Auto-edited videos produced by our editing pipeline
  • Video metadata: file size, duration, resolution, and upload timestamp

How we process your video content: We use AI-powered services to analyze your footage and produce edited videos. This includes:

  • Video analysis to understand what is shown in each clip (e.g., food preparation steps, product shots, atmosphere)
  • Scene matching to align your clips with your filming plan
  • Voiceover generation synchronized to your video content
  • Automated video editing including transitions, captions, and music

Aggregated video insights: We analyze patterns across videos on our platform to improve our service — for example, understanding which filming angles, clip lengths, or content styles tend to perform well for different types of businesses. This analysis uses aggregated, de-identified data and is never linked back to your specific business or shared in a way that could identify you.

Your footage is yours: You retain full ownership of all raw footage and edited videos. We do not sell, license, or distribute your video content to third parties. See our Terms of Service for the full content license details.

1.5 Payment Information

Credit card details and billing information are collected and processed exclusively by Stripe, our payment processor. We never see, access, or store your full card number, CVC, or other sensitive payment details. We receive only a limited record from Stripe: the last four digits of your card, the card brand, and your subscription status.

1.6 Usage and Analytics Data

We collect anonymized and pseudonymized analytics about how you interact with the platform:

  • Pages visited and features used
  • Session duration and frequency
  • Browser type, device type, and operating system
  • IP address (anonymized for analytics)
  • Referring URL

This data is collected through PostHog (self-hosted proxy at t.markloop.build) and Google Analytics to help us improve the product and understand usage patterns.

2. How We Use Your Data

We use your information for the following purposes:

  • To create, maintain, and secure your account
  • To generate personalized filming plans, shot lists, captions, and content strategies based on your business profile
  • To display Instagram performance metrics in your dashboard and improve your content recommendations
  • To process subscription payments and manage billing
  • To send essential account notifications (subscription changes, security alerts, service updates)
  • To analyze your uploaded video footage and produce auto-edited Reels
  • To generate voiceovers, captions, and visual effects for your edited videos
  • To derive aggregated, de-identified insights about video content performance across the platform (e.g., which filming techniques work best for restaurants)
  • To improve the platform based on aggregate usage patterns
  • To detect and prevent fraud or abuse of the platform

We do not sell your personal information to anyone. We do not use your business data or Instagram data to train AI models for third parties. We do not use your Instagram data for targeted advertising.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Performance of a contract: To provide you with the MarkLoop service, process payments, and manage your account.
  • Consent: When you connect your Instagram account, you explicitly consent to our collection and use of your Instagram data. You can withdraw consent at any time by disconnecting your Instagram account.
  • Legitimate interest: To improve our platform, prevent fraud, and ensure security. We balance our interests against your rights and do not process data where your interests override ours.
  • Legal obligation: To comply with applicable laws and regulations.

4. Third-Party Services

We use the following third-party services to operate MarkLoop. Each service processes data as described below and maintains its own privacy policy:

  • Clerk — Authentication and user management. Stores your email, name, and login credentials.
  • Stripe — Payment processing and subscription billing. Processes and stores your payment details.
  • Supabase — Database and data storage. Hosts your business profile, generated content, and Instagram metrics.
  • PostHog — Product analytics (proxied through our domain for privacy). Collects anonymized usage data.
  • Google Analytics — Website traffic analysis. Collects anonymized browsing data.
  • Vercel — Application hosting and content delivery.
  • Amazon Web Services (AWS) — Cloud storage for uploaded video footage and rendered videos. Data is stored in the US (us-east-1 region).
  • Twelve Labs — Video understanding AI. Analyzes your uploaded clips to identify contents and match scenes to your filming plan. Processes video content only; does not store it permanently.
  • Anthropic (Claude) — AI assistant used to generate content strategies, shot lists, captions, and to match video clips to scene descriptions. Processes text and image data.
  • ElevenLabs — AI voice generation. Creates voiceovers for your auto-edited videos based on your content script. Processes text only; does not receive your video files.
  • Meta / Instagram — When you connect your Instagram account, we access your data through the Instagram Graph API. Instagram data is governed by Meta's Privacy Policy.

We do not share your personal data with third parties beyond what is described in this section. We do not sell data to data brokers, advertisers, or any other entities.

5. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics cookies: PostHog and Google Analytics use cookies to understand usage patterns. These help us improve the product.
  • Marketing cookies: Meta Pixel and Google Ads conversion tracking help us measure the effectiveness of our advertising campaigns.

You can disable non-essential cookies in your browser settings, though some platform features may not work correctly without them.

6. Data Retention

  • Active accounts: We retain your data for as long as your account is active and your subscription is current.
  • After cancellation: Your data remains accessible for 30 days after subscription cancellation. After 30 days, your business profile and generated content are queued for deletion and removed within 90 days.
  • Instagram data: If you disconnect your Instagram account, we delete your stored Instagram profile data, post metrics, and access tokens within 30 days.
  • Analytics data: Anonymized, aggregated analytics data may be retained indefinitely as it cannot be linked back to individual users.
  • Billing records: Payment transaction records are retained as required by applicable tax and financial regulations.

7. Data Security

We take the security of your data seriously and implement industry-standard measures to protect it:

  • All data in transit is encrypted using TLS/SSL
  • Data at rest is encrypted via our infrastructure providers
  • Instagram access tokens are stored encrypted in our database
  • Access to production data and systems is restricted to essential personnel
  • We conduct regular security reviews of our codebase and infrastructure
  • Authentication is handled by Clerk, which implements industry-standard security practices including rate limiting and brute-force protection

8. Your Rights

8.1 All Users

Regardless of your location, you have the right to:

  • Access your data: Request a copy of the personal data we hold about you.
  • Correct your data: Update inaccurate or incomplete information in your account settings.
  • Delete your data: Request deletion of your account and all associated data.
  • Disconnect Instagram: Revoke our access to your Instagram data at any time from your dashboard. You can also revoke access from your Instagram account settings under "Apps and Websites."

8.2 European Economic Area, UK, and Swiss Residents (GDPR)

In addition to the rights above, if you are in the EEA, UK, or Switzerland, you have the right to:

  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Restrict processing: Request that we limit how we use your data in certain circumstances.
  • Object to processing: Object to our processing of your data based on legitimate interests.
  • Withdraw consent: Withdraw previously given consent at any time, without affecting the lawfulness of processing performed before withdrawal.
  • Lodge a complaint: File a complaint with your local data protection authority.

8.3 California Residents (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you in the preceding 12 months.
  • Right to delete: You may request that we delete your personal information, subject to certain exceptions.
  • Right to opt out of sale: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

9. Data Deletion Requests

You can request deletion of your data through any of the following methods:

  • Email: Send a request to moe@markloop.build with the subject line "Data Deletion Request." Include the email address associated with your account.
  • Instagram data only: Disconnect your Instagram account from your MarkLoop dashboard. All stored Instagram data (profile info, post metrics, access tokens) will be deleted within 30 days.
  • Full account deletion: Contact us at moe@markloop.build to request complete account and data deletion. We will process your request within 30 days and confirm once complete.

When we receive a deletion request, we will verify your identity, delete the applicable data, and send you a confirmation email. Some data may be retained as required by law (e.g., billing records for tax compliance).

10. Instagram Data Deletion Callback

In compliance with Meta Platform requirements, we support Instagram data deletion callbacks. When a user removes our app from their Instagram account settings, we receive a callback from Meta and automatically delete all Instagram data associated with that user, including profile information, post metrics, and access tokens.

11. Children's Privacy

MarkLoop is designed for business owners and is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal data, please contact us at moe@markloop.build.

12. International Data Transfers

MarkLoop is based in the United States. If you are accessing our platform from outside the United States, your data will be transferred to and processed in the United States. We rely on our service providers' data protection agreements and, where applicable, Standard Contractual Clauses approved by the European Commission, to ensure appropriate safeguards for international data transfers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or by posting a prominent notice on our platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, contact us:

SOP, operating as MarkLoop

New York, NY

Email: moe@markloop.build

Website: markloop.build

We aim to respond to all privacy-related inquiries within 30 days.

MarkLoop by sop.build