REFUND POLICY

Loupely LLC

Effective Date: April 1, 2026  |  Last Updated: May 29, 2026

This Refund Policy applies to all purchases made through Loupely LLC at useloupely.com. It supplements the refund terms in the Loupely Terms of Service.

1. Credits

Credits are non-refundable once purchased. This applies to both the $12 / 10-credit pack and the $20 / 20-credit pack. Credits never expire and are shared across Loupely and Loupely Lens, so unused credits retain their full value indefinitely.

If a diagnosis fails to generate due to a technical error on Loupely’s side, the credit is not consumed and no charge occurs. If you believe a credit was consumed due to an error on Loupely’s part rather than a completed diagnosis, contact us at support@useloupely.com and we will investigate.

2. Annual Plans

2.1 Eligibility window

Annual plans are eligible for a full refund if both of the following conditions are met: the refund request is made within 14 days of the original purchase date, and fewer than 5 diagnoses have been run under the plan. Both conditions must be satisfied.

2.2 After the eligibility window

After 14 days, or after 5 or more diagnoses have been run, annual plans are non-refundable for the remainder of the plan year. Annual plans are not prorated on cancellation.

2.3 Renewals

Automatic renewal refund requests made within 7 days of the renewal date, where the plan has not been used in the renewal period, will be evaluated on a case-by-case basis. Contact us at support@useloupely.com as soon as possible if you did not intend to renew.

3. How to Request a Refund

Email support@useloupely.com with the subject line “Refund Request” and include: the email address on your Loupely account, the plan or credit pack you purchased, the approximate date of purchase, and the reason for your request. We will respond within 3 business days. Approved refunds are processed through Stripe and appear on your original payment method within 5 to 10 business days, depending on your card issuer.

4. Service Interruptions

If a substantial and extended interruption of the Services prevents you from using a plan or subscription you have paid for, we will consider a pro-rata credit or refund for the affected period at our discretion. “Substantial and extended” means an outage affecting core diagnostic functionality lasting more than 48 consecutive hours. Brief interruptions, scheduled maintenance, and degraded performance that does not prevent diagnoses from completing do not qualify.

5. Contact

Loupely LLC

Scranton, Pennsylvania

support@useloupely.com

useloupely.com

VULNERABILITY DISCLOSURE POLICY

Loupely LLC

Effective Date: April 1, 2026  |  Last Updated: May 29, 2026

Loupely LLC takes the security of its products seriously. This Vulnerability Disclosure Policy describes how to report a security vulnerability you have discovered in the Loupely Chrome extension, the Loupely WordPress plugin, or any other component of the Loupely infrastructure, and what you can expect from us when you do.

This policy is published at useloupely.com/security and is linked from the Loupely Chrome extension listing in the Chrome Web Store.

1. What to Report

We want to hear about security vulnerabilities that could affect the confidentiality, integrity, or availability of Loupely’s systems or user data. Examples include:

  • authentication or authorization flaws that could allow unauthorized access to user accounts or diagnostic data;
  • injection vulnerabilities (SQL injection, cross-site scripting, cross-site request forgery) in the Loupely web application or API;
  • vulnerabilities in the Chrome extension code that could be exploited to access data beyond the extension’s intended scope;
  • vulnerabilities in the WordPress plugin that could be exploited to compromise a site using it;
  • insecure transmission or storage of user data;
  • credential scanner bypass, meaning a method by which sensitive credentials could be transmitted despite the scanning layer.

2. What Not to Report

Please do not report through this channel: issues that require physical access to a user’s device; findings from automated scanners run without prior coordination; social engineering attacks targeting Loupely staff; denial-of-service vulnerabilities requiring high-volume traffic; or issues in third-party services we use (Supabase, Stripe, Anthropic, Google, Resend) — report those directly to the relevant vendor.

3. How to Report

Send your report to security@useloupely.com with the subject line “Security Vulnerability Report.” Include: a description of the vulnerability and the component it affects; the steps required to reproduce it; the potential impact if exploited; and any supporting evidence. You may encrypt your report using our PGP public key; contact us to request the key.

4. What to Expect From Us

Acknowledgment: within 3 business days.

Assessment: initial evaluation within 10 business days of acknowledgment.

Resolution: we will work to resolve confirmed vulnerabilities as promptly as the severity warrants and notify you when a fix is deployed.

Coordination: we ask for 90 days from acknowledgment before public disclosure. If you believe a vulnerability poses an immediate and serious risk, contact us to discuss an accelerated timeline.

5. Our Commitments to You

If you report a vulnerability in good faith and in accordance with this policy: we will not pursue legal action against you for the responsible disclosure; we will treat your report confidentially; we will keep you informed through to resolution; and we will credit you by name in release notes for the fix if you wish.

6. Scope of This Policy

This policy covers: the Loupely Chrome extension; the Loupely WordPress plugin; and the Loupely web application at useloupely.com and loupely.co and all associated backend API and infrastructure.

7. Contact

Loupely LLC

Scranton, Pennsylvania

security@useloupely.com

useloupely.com/security