Last updated: June 4, 2026
Organization profile: name, email, country, phone. User accounts: name, email, hashed password, role. Lead data: business card contact info (name, email, phone, company, title, website), service interest, notes, AI-generated email drafts. Payment records: transaction references, amounts, status. Usage logs: timestamps, actions within the system.
To provide and operate the ScanLoop service. To send transactional emails (lead follow-ups, account notifications). To process and verify payments. To generate AI email drafts via OpenAI's API. To comply with legal obligations. We do not sell your data to third parties.
Business card images are processed by a third-party AI service for text extraction. Lead contact data and follow-up email drafts are generated using AI. This processing is subject to our AI provider's data usage policies and Data Processing Agreement. We do not use your data to train AI models.
Data is stored on our servers in the United States. Passwords are hashed using bcrypt (industry standard). All connections are encrypted via TLS 1.3. SMTP credentials are encrypted at rest. In the event of a security breach, we will notify affected organizations within 72 hours.
Every API request in ScanLoop is scoped to your organization ID, which is embedded in your authenticated session. No other organization can access, query, or modify your leads, campaigns, templates, or settings. Organizations are fully isolated at the database query level.
If you connect a custom SMTP account, your credentials are stored encrypted and used exclusively to send emails on your behalf. Your SMTP server is never used to send emails for any other organization. We do not share, inspect, or relay your credentials to any third party.
Your lead contacts, email drafts, notes, and campaign data are used solely to operate the service for your account. We do not analyze, aggregate, or sell your lead data. We do not use your leads to market to them on your behalf or ours.
All user passwords are hashed with bcrypt before storage. Sessions are managed via secure, signed JWT tokens. Team members can only access your organization's data after being explicitly invited. Role-based access ensures only admins can manage settings and billing.
Lead data, organization data, and logs are retained for the duration of your subscription plus 90 days. You may request deletion at any time. Payment records may be retained for up to 7 years for legal/tax compliance.
Depending on your jurisdiction, you may have rights to: • Access your personal data • Correct inaccurate data • Delete your data ("right to be forgotten") • Export your data in a portable format • Object to certain processing Contact us at scanloop@backrun.us to exercise any of these rights.
We use session cookies for authentication only. No third-party advertising or tracking cookies are used.
We will notify organization administrators by email at least 14 days before material changes take effect.
Backrun Technologies LLC Email: scanloop@backrun.us