DRAFT — For attorney review
This template covers GLBA, CCPA/CPRA, and general privacy disclosures for a BHPH SaaS. Have a licensed privacy attorney review and finalize before publishing. Not legal advice.
Privacy Policy
Last updated: July 14, 2026 · Effective date: [To be set on publish]
1. Who we are
GoPayLoop ("we", "us", "our") provides a software platform used by Buy Here Pay Here ("BHPH") dealerships to manage loans, collect payments, and communicate with their customers. This policy explains how we collect and use personal information both when you visit our website and when a dealership uses our platform.
2. Roles: Controller vs. Processor / Service Provider
For customer information uploaded to the platform by a dealership (borrower name, contact info, loan terms, payment history), the dealership is the "data controller" or "business" and GoPayLoop acts as its "data processor" or "service provider" under GLBA, the CCPA/CPRA, and comparable state laws. Customers of a dealership should direct privacy requests to the dealership that originated their loan; we will assist that dealership in fulfilling the request.
3. Information we collect
- Dealership account info — business name, address, EIN if provided, owner name, email, phone, login credentials.
- Customer info uploaded by dealerships (GLBA NPI) — name, contact details, address, date of birth, driver's license or ID number, employment info, loan terms, payment history, and vehicle details.
- Payment data — handled by our PCI-DSS Level 1 payment processor (Stripe). We do not store full card numbers, CVV, or full bank account numbers; we retain only tokens and the last four digits for reconciliation.
- Communications — the content of SMS and email messages sent through the platform, along with delivery status.
- Usage & device data — pages visited, actions taken, IP address, browser type, and approximate location, used for security, product analytics, and fraud prevention.
- Uploaded documents — ID photos, insurance cards, and signed loan documents stored in access-controlled cloud storage.
4. How we use information
We use information to: (a) provide, operate, and improve the Service; (b) authenticate users and secure accounts; (c) process payments; (d) send transactional messages, receipts, and payment reminders that the dealership schedules; (e) detect and prevent fraud, abuse, and security incidents; (f) comply with legal obligations; and (g) communicate with dealerships about the Service. We do not sell personal information and we do not use customer NPI for our own marketing.
5. GLBA Notice — Non-Public Personal Information
Customer information uploaded by dealerships qualifies as "non-public personal information" (NPI) under the Gramm-Leach-Bliley Act. We maintain administrative, technical, and physical safeguards designed to protect NPI, including encryption in transit and at rest, row-level access controls, least-privilege internal access, audit logging, and vendor risk review. Customers may receive a separate GLBA privacy notice directly from their dealership.
6. Sharing
We share information only as needed to provide the Service, with vendors bound by written data-processing terms:
- Payment processors (Stripe, Inc.) to charge cards and disburse funds.
- Communication providers (Twilio, Inc. for SMS; our email provider) to deliver receipts, reminders, and notifications on the dealership's behalf.
- Cloud infrastructure (Lovable Cloud / Supabase / hosting providers) for storage, compute, and databases.
- Analytics & error monitoring for product operation and security. These providers see limited technical metadata, not customer NPI content.
- Legal authorities when required by valid legal process, or to protect rights, safety, or property.
- Successors in a merger, acquisition, or sale of assets, subject to this policy.
7. SMS & Email Communications (TCPA / CAN-SPAM)
Dealerships use the Service to send account-servicing SMS and email to their customers. Message content is transmitted on the dealership's behalf. Customers may opt out of SMS by replying STOP (or END, CANCEL, QUIT, UNSUBSCRIBE); the platform records opt-outs and blocks further messages. Message and data rates may apply. See our Terms Section 6 for details.
8. Cookies & Similar Technologies
We use strictly necessary cookies for authentication and session management, and limited analytics cookies to understand product usage and improve reliability. We do not use third-party advertising cookies. You can control cookies in your browser settings.
9. Security
We use industry-standard safeguards including TLS 1.2+ in transit, AES-256 encryption at rest, database row-level security scoped by dealership, hardware-secured secret storage, audit logging, and periodic access reviews. No system is 100% secure; we will promptly notify affected users and the responsible dealership of any confirmed security incident as required by applicable state breach-notification laws.
10. Data retention
Active account data is retained while the dealership's subscription is active. After cancellation, data is retained for thirty (30) days to allow export, then permanently deleted, except where longer retention is required by law (e.g., financial recordkeeping, tax, and lending records). Payment reminder logs and audit logs are retained for the minimum period required by applicable law.
11. Your rights
Depending on your jurisdiction (including under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and similar U.S. state laws), you may have the right to: (a) know what personal information we hold about you; (b) access or receive a copy; (c) correct inaccuracies; (d) delete certain information; (e) opt out of "sale" or "sharing" (we do not sell or share as defined in these laws); and (f) not be discriminated against for exercising these rights. Contact privacy@gopayloop.app. Customers of a dealership should first contact the dealership; we assist the dealership in responding.
12. International users
The Service is operated in the United States and is intended for U.S. dealerships and their customers. If you access the Service from outside the United States, you consent to the transfer of your information to the United States.
13. Children
The Service is not directed to children under 18. We do not knowingly collect data from minors.
14. Changes
We may update this policy. Material changes will be notified by email or an in-app banner at least thirty (30) days before taking effect.
15. Contact
Privacy questions: privacy@gopayloop.app.