Privacy Policy
Legacy-Loop Tech LLC · Waterville, Maine · Effective June 24, 2026 · Last updated June 30, 2026
This Privacy Policy explains how Legacy-Loop Tech LLC (filed in Maine as LEGACY-LOOP TECH LLC) (“Legacy-Loop,” “we,” “us”) collects, uses, shares, and protects information when you use the Legacy-Loop platform, websites, and applications, including app.legacy-loop.com and legacy-loop.com (the “Service”). Legacy-Loop is an AI-assisted resale automation platform based in Maine, United States.
Soft-beta note.
The Service is currently provided as a limited soft beta. We are putting these privacy and data-handling practices in place before opening the Service to the general public.
2. Information We Collect
- Information you provide. Account details (name, email, password); item photos and descriptions; listing information; messages you send or receive; shipping and pickup addresses; phone number (if you opt into SMS); and support communications.
- Payment information. When you make a purchase, card details are entered through our payment processor (Stripe). We do not store full payment card numbers — only processor references (e.g., Stripe customer/payment IDs).
- Connected-platform data. If you connect a third-party account (such as eBay, Facebook, or Instagram), we receive information from that platform needed to perform the actions you authorize (see Sections 6 and 7).
- Documents you upload to the Document Vault (e.g., receipts, certificates, appraisals, manuals, and title/ownership or estate documents) to help value and document your items. Please do not upload documents containing sensitive personal data such as Social Security numbers, full financial-account numbers, government IDs, or health records — the Vault is for item and ownership documentation only.
- Location information. Approximate location (e.g., from your IP address or the ZIP/area you provide) for regional pricing, and — with your consent — meetup/pickup location for local sales, which may be shared with Google Maps to display and coordinate meetups. We do not perform precise background GPS tracking.
- Automatically collected data. Device, log, and usage information such as IP address, browser type, pages viewed, and actions taken, used to operate and secure the Service.
- Waitlist information. If you join our pre-launch waitlist, we collect the name and email address you provide and the tier or cohort you express interest in, and we generate an internal estimate of your likely interest to prioritize outreach. To produce that estimate we share only the interest category with our AI provider, never your name or email.
3. How We Use Information
- To provide the Service: analyze items, estimate value, generate listings, research comparable prices, match and reach buyers, coordinate messages, and produce shipping options;
- To process transactions and manage your plan, fees, commissions, and add-ons;
- To operate connected accounts at your direction;
- To communicate with you about your account, items, and the Service (SMS only where you have consented);
- To maintain security, prevent abuse, and comply with legal obligations; and
- To operate and improve the Service.
Our stance on AI model training.
We use third-party AI providers to process your content so we can deliver features (see Section 4). This real-time processing is inference (using content to operate the Service), not training. Today, we do not use your content to train our own AI or machine-learning models, and we do not sell your content. We use AI providers whose API terms prohibit using content submitted through their APIs to train their models (for example, OpenAI and Anthropic). We do intend to begin using your content to train and improve our own AI in the near future, and we will do it transparently: we will update this Policy, notify you, and obtain your opt-in consent before we begin. This choice is off by default, presented as a clear and separate choice (not bundled into your acceptance of the Terms), and withdrawable at any time in your account settings. If and when we train, the inputs will be the opted-in content you provide (your photos, descriptions, and item data) together with aggregate market and pricing data from public marketplaces (which is not your personal content); we will never train on Meta-origin data, and we will never use your content in a hidden or exploitative way.
4. AI Processing
To deliver core features, we send only the minimum content needed to the AI providers listed in Section 10:
- Item photos you upload are sent to OpenAI (GPT-4o vision) for item identification and analysis;
- Buyer and customer message text, including messages from connected Facebook, Instagram, or Messenger accounts, may be sent to Anthropic (Claude) in real time to draft suggested replies that you choose to send;
- Item and listing text may be sent to Google (Gemini), xAI (Grok), and Perplexity for routing, search, and assistant features; and
- Text you choose to have narrated may be sent to ElevenLabs for text-to-speech.
Inference, not training.
The processing above is inference: real-time use of your content to operate the Service for you (identifying items, estimating prices, and drafting replies you choose to send). It is not used to train our own AI models. We do not use any Meta Platform Data to train any AI model, and Meta Platform Data is excluded from any future training. To operate messaging features at your direction, message content from connected Facebook, Instagram, or Messenger accounts may be processed in real time by the AI sub-processors in Section 10 to draft a suggested reply; it is not retained by us to train a model. AI outputs are informational estimates, not professional appraisals or guarantees (see our Terms of Service).
5. How We Share Information
We do not sell your personal information. We share information only as follows:
- Service providers / sub-processors who help us run the Service, under confidentiality and security obligations (see Section 10);
- Buyers and connected platforms, when you choose to list an item or publish/message through a connected account;
- Legal and safety, to comply with law, valid legal process, or to protect rights, safety, and the integrity of the Service (see Section 13); and
- Business transfers, in connection with a merger, acquisition, or sale of assets, subject to this Policy.
6. Connected Third-Party Platforms and Marketplace Data
When you connect a platform such as eBay, we access and use the information necessary to perform the actions you authorize. You can disconnect a connected account at any time, which ends future access for that platform. Separately, to estimate prices we research publicly available comparable listings from marketplace sources (via Apify); this comparable-price research uses item keywords and does not require your personal account information.
7. Facebook, Instagram, and Meta Platform Data
Legacy-Loop integrates with Meta Platforms, Inc. services including Facebook, Instagram, and Messenger. If you connect a Facebook Page or Instagram Business account, Legacy-Loop operates as a technology provider acting on your behalf and accesses Meta Platform Data only to operate your own connected accounts at your direction.
These integrations enable:
- Facebook Login. Public profile (name, profile picture, Facebook user ID) and email to create/identify your account (public_profile).
- Facebook Page connection. The list of Pages you manage (pages_show_list); a token to publish listings to your Page (pages_manage_posts); and engagement metrics (pages_read_engagement).
- Page webhooks. Real-time updates about messages, comments, and feed activity (pages_manage_metadata).
- Comments and moderation. Reading comments and taking moderation actions you choose (pages_read_user_content, pages_manage_engagement).
- Messenger. Receiving and replying to Page messages (pages_messaging).
- Instagram Business. Display the connected account and manage its DMs and comments (instagram_business_basic, instagram_business_manage_messages, instagram_manage_comments).
- Business assets. Confirming the linked Page and Instagram account belong to you (business_management).
What we do with Meta Platform Data.
- We store Meta-derived data (Facebook user ID, Page identifiers, access tokens, message contents, post metadata) in our database, hosted by Turso (Chiselstrike Inc.) in the U.S., which provides encryption at rest at the database layer. We additionally encrypt Meta Page access tokens with AES-256-GCM at the application layer.
- We use this data solely to provide Legacy-Loop’s features to you. We do not use it to train AI models, for advertising/remarketing, or for any undisclosed purpose.
- To operate messaging features at your direction, Meta message content may be processed in real time by the AI sub-processors listed in Section 10 (for example, to draft a suggested reply you choose to send). This is real-time inference only; Meta Platform Data is never used to train any AI model.
- We do not sell or rent Meta Platform Data.
- We share it only with the sub-processors in Section 10, each under written agreement.
- We handle it in accordance with the Meta Platform Terms and Developer Policies.
Retention of Meta Platform Data.
We retain Meta Platform Data while your account is active and your Meta connections remain authorized. When you disconnect a Page or delete your account, the associated Meta Platform Data is deleted promptly; backups are purged within 30 days, except as required for legal compliance or fraud prevention.
Your rights regarding Meta Platform Data.
- Disconnect any Facebook Page or Instagram account via Settings → Integrations;
- Revoke access at Facebook → Settings → Apps and Websites → Legacy-Loop → Remove;
- Request deletion at https://app.legacy-loop.com/data-deletion or privacy@legacy-loop.com; and
- Request a copy of the Meta Platform Data we hold by emailing privacy@legacy-loop.com.
We honor Meta’s data-deletion callback (it validates Facebook’s signed request and returns a confirmation). We respond to verified requests within 30 days as required by applicable law.
Meta’s own practices.
Meta operates Facebook, Instagram, and Messenger. Meta’s use of your data on its platforms is governed by Meta’s Privacy Policy, not this document. Review Meta’s policies at https://www.facebook.com/privacy/policy.
8. Cookies and Similar Technologies
We use essential cookies and similar technologies (such as local storage) to keep you signed in, remember preferences, and secure the Service. We do not currently use third-party advertising or cross-site tracking cookies.
You can control cookies through your browser; disabling essential cookies may affect the Service.
9. Data Security
In transit: HTTPS/TLS everywhere, with HSTS (one year, preload), a Content-Security-Policy, and additional security headers. At rest: our primary database (Turso) provides encryption at rest at the database layer, and we additionally encrypt connected-platform (Meta Page) access tokens with AES-256-GCM at the application layer. We also use access controls, authenticated sessions, and per-user rate, size, and cost limits. No method of transmission or storage is perfectly secure.
10. Sub-processors
We rely on the following service providers, each processing data on our behalf under confidentiality and security obligations. We keep this list current and disclose new sub-processors here.
| Sub-processor | Function | Data it touches | Location |
|---|---|---|---|
| Vercel Inc. | Application hosting and content delivery (CDN), including the waitlist intake endpoint | Web/app traffic, server logs, IP addresses, and waitlist form submissions in transit (name, email, interest) | United States |
| Turso (Chiselstrike Inc.) | Primary database; encryption at rest at the database layer | Account data, listings, messages, encrypted connected-platform tokens | United States |
| Stripe, Inc. | Primary payment processing | Card data entered client-side via Stripe (held by Stripe); we store only Stripe IDs | United States |
| OpenAI, L.L.C. | AI vision — item identification/analysis (GPT-4o) | Item photos you upload | United States |
| Anthropic PBC | AI — drafting suggested message replies (Claude) | Buyer and customer message text, including messages from connected Facebook, Instagram, or Messenger accounts, processed in real time to draft suggested replies you choose to send (inference only; never used to train any model) | United States |
| Google LLC (Gemini) | AI — text routing, search, assistant features | Item/listing text and queries | United States |
| Google LLC — Gemini | AI scoring and classification of waitlist leads (deriving a likely persona, an interest score, a short internal lead brief, and tailored outreach copy) | Stated interest category only. We do not send your name, email address, or other identifiers to this model. | United States |
| Google LLC — Google Sheets | Storage of our pre-launch waitlist (lead list), including the derived interest score | Name, email address, stated interest, sign-up source and date, and a derived interest score | United States |
| Google LLC — Google Workspace (Gmail) | Sending your waitlist confirmation email and internal lead notifications to our team | Name, email address, stated interest, and cohort | United States |
| xAI Corp. (Grok) | AI — text routing/assistant features | Item/listing text and queries | United States |
| Perplexity AI, Inc. | AI — research/search features | Item/listing text and queries | United States |
| ElevenLabs Inc. | Text-to-speech (voice) features | Text submitted for narration | United States |
| EasyPost | Parcel shipping rates and label generation | Shipping/pickup addresses, parcel details | United States |
| Shippo | Shipping rates (secondary) | Shipping addresses, parcel details | United States |
| FedEx | Carrier / freight (LTL) services | Shipping/freight details | United States |
| Apify | Marketplace price/comparable-item research (public listing data) | Item keywords and search queries (no account PII) | United States |
| eBay Inc. | Connected marketplace integration | Listing and message data you authorize | United States |
| Twilio Inc. | SMS / text notifications | Phone number and message content (only with consent) | United States |
| Twilio SendGrid | Transactional and account email | Name, email address, message metadata | United States |
| Meta Platforms, Inc. | Facebook, Instagram, and Messenger integration | Connected-account data per the permissions you grant | United States |
| n8n (self-hosted) | Workflow automation, including our waitlist lead pipeline | Name, email address, stated interest, and a derived interest score (waitlist), plus other operational data configured in our workflows | Self-hosted on DigitalOcean (United States) |
Cloudinary (Cloudinary, Inc.) provides image storage and delivery for the photos and documents you upload (United States).
Error-monitoring and analytics tools (e.g., Sentry, PostHog, Google Analytics) are not wired today and would be disclosed here if enabled.
11. Data Retention
When you request deletion or delete your account, we perform an immediate hard delete of your personal data (account, items, listings, messages, and payment references) across our active systems. Encrypted backups are purged within 30 days, and security logs are retained up to 90 days, except where longer retention is required for legal compliance, fraud prevention, or dispute resolution.
12. Your Rights and Data Deletion
Depending on where you live, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise these rights, contact us at privacy@legacy-loop.com. You may also delete your account and data in the Service, or use https://app.legacy-loop.com/data-deletion. You can also view and download a record of the agreements and consents you have given, including your AI-training choice, in your account settings; this consent record is being rolled out and will be fully available there. We honor Meta’s data-deletion callback.
13. Government and Legal Requests
We disclose information to government authorities or in response to legal process only when we believe in good faith that we are legally required to do so, or where necessary to protect rights, property, or safety. Our practice is to:
- Require valid legal process (subpoena, court order, or warrant) appropriate to the data requested;
- Disclose only the narrowest set of data responsive to the request;
- Notify the affected user before disclosure where legally permitted; and
- Object to or challenge requests that are overbroad, improper, or legally deficient.
As of the Effective Date of this Policy, Legacy-Loop has not received or complied with any government request for user data.
14. Children’s Privacy
The Service is not directed to individuals under 18, and we do not knowingly collect their personal information. If you believe a child has provided us information, contact privacy@legacy-loop.com so we can delete it.
15. Your U.S. State Privacy Rights
Depending on your state, you may have the right to: access the personal information we hold about you and how we process it; correct inaccuracies; delete it; obtain a copy (portability); and not be discriminated against for exercising these rights. Where we rely on consent, you may withdraw it. These rights apply to residents of states with comprehensive privacy laws (including California/CCPA-CPRA, Colorado, Connecticut, Virginia, Texas, and others) and may be limited by applicable law. We do not sell your personal information.
Categories of personal information we collect
| Category (as defined by state law) | Collected |
|---|---|
| A. Identifiers (name, email, IP address, account ID) | YES |
| B. California Customer Records (name, contact, financial info) | YES |
| C. Protected classification characteristics (age, gender, race) | NO |
| D. Commercial information (listings, purchase/sale history) | YES |
| E. Biometric information | NO |
| F. Internet or other network activity (usage of our Service) | YES |
| G. Geolocation data (approximate; meetup location with consent) | YES |
| H. Audio/visual or similar information (item photos you upload) | YES |
| I. Professional or employment information | NO |
| J. Education information | NO |
| K. Inferences (interests and buyer-seller matches) | YES |
| L. Sensitive personal information | NO |
How to exercise your rights
Contact us at privacy@legacy-loop.com or use https://app.legacy-loop.com/data-deletion. We will verify your request and respond within the time required by applicable law (generally 30–45 days). You may use an authorized agent where the law allows. If we decline a request, you may appeal by emailing privacy@legacy-loop.com with “Appeal” in the subject line.
Do-Not-Track (DNT)
Most browsers offer a Do-Not-Track setting, but no finalized industry standard exists for it. We do not currently respond to DNT signals. If a standard is adopted that we are required to follow, we will update this Policy.
16. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will provide notice through the Service or by email and update the effective date above.
17. Contact
Legacy-Loop Tech LLC
Mailing address: P.O. Box 1485, Waterville, ME 04903
Privacy contact: privacy@legacy-loop.com · Support: support@legacy-loop.com
Data deletion: https://app.legacy-loop.com/data-deletion · Privacy: https://app.legacy-loop.com/privacy · legacy-loop.com
© 2026 Legacy-Loop Tech LLC. Effective June 24, 2026. Last updated June 30, 2026.