This Privacy Policy applies to all employees, contractors, and vendors while doing business with
TrainLoop, Inc. and others who have access to personally identifiable information (PII), including
Personal Health Information (PHI), in connection with TrainLoop, Inc.'s operating activities.
TrainLoop, Inc. provides a proxy and trace collection layer for our customers. In this capacity, we
primarily act as a "Data Processor" or "Business Associate," processing information at the direction
of our customers. This policy describes how we collect, use, share, and protect information within
our platform infrastructure. We are committed to maintaining compliance with applicable privacy
laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and
SOC 2 requirements.
Types of Information We Collect
As a proxy and trace collection service, we may process the following types of information:
Customer-Directed Data (Traces and Proxy Traffic):
API request and response data passing through our proxy layer
Metadata associated with system traces and logs
Any PII or PHI included in the payloads directed through our service by our customers
Account and Administrative Information:
Customer contact names, business email addresses, and billing information
Account credentials and authentication logs
Communication preferences for administrative updates
Technical and Infrastructure Information:
IP addresses, device identifiers, and browser types
System performance metrics and security event logs
Usage analytics related to platform performance
We collect information through:
Proxy Services: Automated collection of data payloads and traces as they pass through our infrastructure.
Direct Input: Information provided by customers when setting up accounts or seeking support.
Automated Technologies: System logs and monitoring tools used to ensure service reliability and security.
Primary Uses
We use collected information for:
Service Delivery (Proxy and Tracing):
Providing the proxy and trace collection layer for customer applications
Facilitating data observability and debugging for our customers
Maintaining and optimizing platform performance and latency
HIPAA-Compliant Operations:
Processing PHI solely as authorized by Business Associate Agreements (BAAs)
Maintaining audit trails of data access and transmission for compliance monitoring
Ensuring the integrity and availability of health information in transit
Security and Maintenance:
Detecting and preventing fraudulent or unauthorized access
Monitoring system health and infrastructure security
Improving our proxy architecture and tracing capabilities
Authorized Disclosures
We share information only as necessary to provide our services or as required by law:
Sub-processors:
Cloud infrastructure providers (e.g., AWS) used to host our proxy layer
Security and monitoring tool providers
All sub-processors handling PHI are required to sign BAAs
Legal and Regulatory:
Compliance with court orders, subpoenas, or regulatory audits
Reporting required under HIPAA breach notification rules
TrainLoop, Inc. does not:
Sell any customer data or trace information to third parties
Use customer-directed data for our own marketing or advertising
Access the content of traces except for automated processing or as requested for technical support
Technical Safeguards
Encryption:
In Transit: All data passing through our proxy is protected using TLS 1.3 or higher.
At Rest: Any stored traces or logs containing sensitive data are encrypted using AES-256.
Key Management: Secure management of encryption keys through dedicated hardware or cloud security modules.
Access Controls:
Multi-factor authentication (MFA) for all administrative access
Role-based access controls (RBAC) ensuring employees only access data necessary for their role
Strict logging of all internal access to customer environments
Retention Periods
Trace Data: Retained according to the specific configuration and agreement with each customer.
PHI: Retained for a minimum of 6 years as required by HIPAA, or as specified in the BAA.
System Logs: Retained for 1 year to support security audits and SOC 2 requirements.
Secure Disposal
Upon expiration of the retention period or customer request, data is securely deleted using industry-standard cryptographic erasure or overwriting methods to ensure it cannot be recovered.
As we primarily process data on behalf of our customers, individuals seeking to exercise rights (Access, Correction, Deletion) regarding data processed by TrainLoop should first contact the customer (the "Data Controller") who directed their data through our service. We will assist our customers in responding to these requests as required by our agreements.
To contact our privacy office directly:
Email: privacy@trainloop.ai
Address: 1527 Stockton Street, 2nd floor, TrainLoop, San Francisco, CA 94133
Business Associate Responsibilities
TrainLoop, Inc. acts as a Business Associate for customers handling ePHI. We:
Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of ePHI.
Ensure any subcontractors that create, receive, maintain, or transmit ePHI on our behalf agree to the same restrictions.
Report any security incidents or breaches to the affected Covered Entity without unreasonable delay.
Privacy Office
Privacy Officer: Jackson Stokes (CEO)
Email: privacy@trainloop.ai
Address: 1527 Stockton Street, 2nd floor, TrainLoop, San Francisco, CA 94133
HIPAA Security Officer: Mason Pierce (CTO)
Email: privacy@trainloop.ai