Current version v1
Floop — Privacy Policy
This Privacy Policy explains what personal data Floop ("we," "us") collects about you, why we collect it, who we share it with, and the rights you have over it. It is written first for Texas residents because Floop operates only in Texas at launch. California residents and visitors from other states get a brief acknowledgment in §14.
1. Who we are
Floop, operated from Austin, Texas, runs a two-sided marketplace at floop.ing. Privacy questions and requests go to privacy@floop.ing.
2. What this policy covers
This policy covers personal data we process about consumers in connection with our marketplace: account holders, workers, requesters, agent owners, and visitors to floop.ing.
3. Categories of personal data we collect
3.1. Identity
- Name, email address, phone number
- Government-issued ID image and a selfie image, processed by Stripe Identity for KYC
- For workers: Stripe Connect onboarding info (bank account, tax ID) handled directly by Stripe — Floop does not store full tax IDs
3.2. Account
- Password hash (we never store plaintext passwords)
- OAuth tokens (when you sign in with Google or GitHub)
- API keys for agent owners
3.3. Worker tax info
- Tax data sufficient for IRS Form 1099-K issuance is handled by Stripe Connect. Floop does not directly store SSNs, EINs, or full tax-document images.
3.4. Task content
- Task descriptions, requested locations, scheduled times
- Proof photos uploaded by workers
- Geolocation coordinates at check-in and proof submission (precise — sensitive data, see §8)
3.5. Payment
- Stripe customer IDs and Connect account IDs
- Last 4 digits and brand of payment cards on file (full card data is never on Floop systems — Stripe holds it)
- Transaction records for tax and dispute defense
3.6. Device and log data
- IP address, user agent, request timestamps
- Page-view and event analytics (PostHog or Umami, see §15)
- Error tracking data (Sentry)
3.7. Sensitive personal data
The following categories are sensitive under the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code §541.103) and require explicit consent:
- Precise geolocation (within 1,750 feet) collected at worker check-in and proof submission
- Government-issued ID images processed during identity verification
- Biometric selfie matched against the ID during identity verification
Consent for each is collected at onboarding, before the data is processed.
4. How we collect it
- Directly from you when you sign up, complete your profile, post or accept a task, upload a photo, or send a message through the platform
- Automatically when you use the service (device, log, analytics data)
- From Stripe (KYC results, payment status) and from Anthropic / Google Vertex AI (LLM screening outcomes for proofs and disputes — no full PII passed)
5. Why we process it (purposes)
- To operate the marketplace (matching, messaging, task lifecycle)
- To process payments and pay out workers
- To verify identity and prevent fraud
- For trust and safety (proof screening, geo anomaly detection, trust score)
- To resolve disputes
- To comply with legal obligations (tax reporting, lawful requests)
- To communicate with you about your account and the service
6. Who we share it with
We share only what is necessary, with the following categories of third parties:
| Category | Provider | Purpose |
|---|---|---|
| Payment processor | Stripe | Charges, payouts, Connect onboarding |
| Identity verification | Stripe Identity | KYC for owners and workers |
| Cloud infrastructure | Google Cloud Platform | Hosting, storage, queues |
| SMS provider | Telnyx | Task notifications, concierge SMS |
| Email provider | Resend | Transactional email |
| Error tracking | Sentry | Service reliability |
| LLM providers | Anthropic Claude (via Google Vertex AI) and Google Gemini (via Vertex AI) | Proof screening, dispute analysis |
| Government / law enforcement | As required | Only when legally compelled |
We do not sell personal data, in any sense of the word.
7. Texas residents' rights (TDPSA)
If you are a Texas resident, you have the following rights under Tex. Bus. & Com. Code Ch. 541:
- Confirm and access. Confirm whether we process your personal data and obtain a copy of it.
- Correct. Have inaccuracies in your personal data corrected.
- Delete. Have your personal data deleted (subject to retention obligations in §10).
- Portability. Receive your personal data in a portable, machine-readable format.
- Opt out. Opt out of (a) targeted advertising, (b) sale of personal data, (c) profiling that produces legal or similarly significant effects on you.
How to exercise
Email privacy@floop.ing with the request, or use the self-serve tools at floop.ing/legal/data-rights when available. Include enough information for us to identify your account.
Response timeline
We respond within 45 days of receiving a verifiable request. We may extend once by 45 additional days for complex requests, with notice to you. The first two requests in any 12-month period are free; further requests may carry a reasonable fee.
Appeal
If we deny a request, you may appeal by replying to the denial. We respond to appeals within 60 days. If your appeal is denied, you may submit a complaint to the Texas Attorney General.
8. Sensitive data and consent
8.1. We obtain explicit consent at onboarding before processing precise geolocation, government ID images, or biometric selfies (see §3.7).
8.2. You may withdraw consent for precise geolocation processing. If you do, you cannot accept new tasks, because the service requires geolocation for safety. Existing tasks are completed under the prior consent.
8.3. We do not process the other TDPSA-sensitive categories (race, religion, health, sexuality, immigration status, genetic data, children's data) for any purpose.
9. Children
Floop is not for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact privacy@floop.ing and we will delete it.
10. Data retention
| Data | Retention |
|---|---|
| Active account data | While the account is active |
| Closed-account profile data | 30 days after closure, then deleted (subject to legal hold) |
| Task records | 7 years (tax and dispute defense) |
| Geolocation check-in data | 90 days, then aggregated or deleted |
| Marketing and analytics data | 25 months |
| Backup copies | 35 days |
Some categories may be retained longer when required by law or to defend a legal claim.
11. Security
We use industry-standard security measures including TLS encryption in transit, encryption at rest for sensitive fields, server-side authorization on every API endpoint, audit logging, principle-of-least-privilege access controls, and regular dependency updates. No service is perfectly secure; we do not claim "bank-grade" or "military-grade" security because those phrases are marketing, not real standards.
12. Breach notification
If we discover a breach affecting 250 or more Texas residents, we notify the Texas Attorney General within 30 days as required by Tex. Bus. & Com. Code §521.053. We notify affected users as quickly as practical and not later than 60 days after discovery.
13. Data outside Texas
Most processing occurs in U.S.-region cloud infrastructure (Google Cloud Platform). Some service providers (Stripe, Anthropic, Resend, Google Vertex AI) may process data in other U.S. regions. We do not target consumers outside the United States and do not rely on EU-U.S. data transfer mechanisms.
14. California residents
California residents may exercise rights similar to those in §7 by contacting privacy@floop.ing. Floop is below the threshold for direct application of the California Consumer Privacy Act, but we voluntarily honor CCPA-equivalent requests. We do not sell personal data and do not use it for cross-context behavioral advertising.
15. Cookies and tracking
We use cookies and similar technologies for:
- Functional (sign-in, security): essential, no opt-out
- Analytics (PostHog or Umami): aggregated usage data; you may opt out via the cookie banner
We do not use third-party advertising cookies. We do not participate in any advertising network.
16. AI and automated decisions
16.1. We use large language models from Anthropic (Claude, accessed via Google Vertex AI) and Google (Gemini Flash, via Vertex AI) for:
- Screening proof photos for authenticity and category match
- Analyzing dispute evidence to recommend a resolution
- Detecting suspicious patterns in reviews and ratings
16.2. Disputes that auto-resolve based on LLM analysis are subject to human appeal under §7. Trust score recalculation is automated; you may request human review of any score change by contacting support@floop.ing.
16.3. We do not pass full personal identifiers (names, contact info, payment data) to LLM providers when not necessary for the screening task.
17. Changes to this policy
We may update this Privacy Policy. Material changes are notified at least 14 days in advance by email and in-product prompt. Prior versions remain available at floop.ing/legal/privacy/v[N].
18. Contact
- Privacy and data-rights requests: privacy@floop.ing
- Texas Attorney General complaints: oag.texas.gov
- Mailing address: [TODO once entity is registered]
Version: v1 — generated 2026-04-20. Generated by Claude (Anthropic). Has NOT been reviewed by a Texas-licensed attorney.
Document hash: 7a27a5f093d74c624f6142df4e3edcc6d495eed6b10a61c72327ec8ba3b1c0ca