Legacy Loop

Legal

Privacy Policy

Last updated: March 31, 2026

What we collect

When you create a Legacy Loop page, we collect your email address, family name, and the registry links you add. If you use our group gift (Chip In) feature, we collect contributor names and pledge amounts.

We also collect basic analytics: page views, link clicks, and device type. No cookies are used for tracking. We use server-side sessions for authentication only.

How we use it

  • To create and display your registry page
  • To send verification emails and password reset links
  • To show you click analytics on your dashboard
  • To process group gift pledges

We don't sell your data. We don't run ads. We don't share your information with third parties except as needed to operate the service (email delivery via Resend, payment processing via Stripe, image hosting via Cloudinary).

AI assistant access

Legacy Loop is available as an MCP server for AI assistants (ChatGPT, Claude, etc.). When you use Legacy Loop through an AI assistant, the assistant sends your inputs (family name, email, links) to our API to create or manage your registry. The AI assistant's own privacy policy governs how it handles your conversation.

Our MCP tools collect only the minimum data needed to complete each action. We don't store conversation history or broad contextual data from AI interactions.

Third-party services

  • Resend — transactional email (verification codes, password resets)
  • Stripe — payment processing for Loop+ subscriptions
  • Cloudinary — profile photo hosting
  • Railway — application and database hosting

Each provider processes data under their own privacy policies. We don't share more data with them than necessary to provide the service.

Affiliate links

When you add an Amazon registry link, we may append our Amazon Associates affiliate tag. This doesn't change what you pay or what your family sees. It helps us keep the free tier free.

Data retention

Your registry page and account data are stored as long as your account is active. Unverified pages are automatically deleted after 1 hour. Password reset tokens expire after 1 hour. Write tokens (for AI-assisted edits) expire after 24 hours.

To delete your account and all associated data, email [email protected].

Security

Passwords are hashed with bcrypt. Verification codes and write tokens are stored as SHA-256 hashes. All traffic is encrypted via HTTPS. Sessions are HTTP-only, secure cookies.

Changes

If we make material changes to this policy, we'll update the date at the top. For significant changes, we'll notify users by email.

Contact

Questions? Email [email protected].