Privacy
Last updated 2026-05-25 · Plain-English version.
The short version
TrafficLoopback is a small SaaS operated by Sean Conroy / Inventive HQ out of San Diego, California. We collect the minimum needed to make the product work: your email + account info if you sign up, and anonymous interaction data (impressions, clicks) on the ad slots customers run on their own sites. We don't sell data. We don't share data with advertisers or third parties beyond the providers we use to operate (Cloudflare for hosting, Google for AI, pushmail.dev for transactional email).
Who this applies to
- Customers — people who sign up to TrafficLoopback to run ads on their owned properties.
- Waitlist signups — people who give us their email before we've opened access.
- Visitors to customer sites — people who see ads served by the TrafficLoopback widget.
Data we collect — customers
- Name, email, profile picture (via Google OAuth)
- Tenant configuration: registered sites, ad creatives, fact-bank entries
- Generated content history (Gemini prompts and outputs) for audit + improvement
- API/dashboard usage logs
Data we collect — waitlist
- Email address
- Optional: self-reported monthly ad spend, owned-traffic description
- Source page (which CTA captured the signup)
- Referrer URL + user agent (basic marketing analytics)
Data we collect — visitors to customer sites
When the TrafficLoopback widget renders an ad on a customer's site, we log: the page URL, the slot ID, an inferred device type (mobile / tablet / desktop), and country (from Cloudflare's edge headers). When a visitor clicks the ad, we generate an attribution UUID and set a first-party cookie + URL query param on the destination so we can credit the click to the ad if the visitor signs up.
We do not collect: IP addresses, precise location, persistent device fingerprints, browsing history outside the customer's site, or anything that would identify the visitor personally. The attribution ID is a random UUID — it doesn't identify the visitor across sessions.
Where data lives
- All app data lives in Cloudflare D1 (SQLite at the edge).
- AI-generated images live in Cloudflare R2.
- AI calls route through Cloudflare AI Gateway → Google AI Studio (Gemini).
- Transactional email goes through pushmail.dev.
- Auth is handled by Google OAuth; we receive your name, email, and avatar from Google.
Who we share data with
Only the providers above, and only as needed to operate the service. We do not sell data. We do not share with advertisers (we're not an ad network in the AdSense sense — ads on customer sites are the customer's own creatives or other customers' opted-in inventory).
How long we keep data
- Account data: while your account is active, plus 30 days after deletion to allow recovery.
- Impression / click logs: 24 months, then rolled up into aggregate stats and the raw rows deleted.
- Waitlist signups: until you ask us to remove you (email sean@inventivehq.com).
Your rights
You can request a copy of your data, correction, or deletion at any time by emailing sean@inventivehq.com. We respond within 30 days. If you're in the EU, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA — we honor all of them.
Changes
We may update this policy as the product evolves. Material changes get an email to customers and a note on the changelog. See full revision history in the GitHub commits for this site.
Contact
See also: Terms of service.