Two types of data: what’s captured and what’s stored #
There’s an important distinction between what Loupely captures during a diagnostic session and what Loupely stores after the session. Understanding both helps you know what’s happening with your site’s data.
What the capture contains #
When you run a diagnosis, Loupely’s Chrome extension and WordPress Plugin together collect the diagnostic payload from your site: PHP Errors, JavaScript errors, Hook Execution data, WooCommerce pipeline events, REST API responses, active plugin list and versions, and browser-side signals from the current page. This data is assembled on your server and in your browser, sanitized by the credential scanner (see below), and sent to Loupely’s servers for analysis.
The credential scanner #
Before the capture payload leaves your machine or server, Loupely runs a local credential scan. The scanner looks for patterns that match sensitive data: API keys, authentication tokens, database passwords, private keys, and similar credentials that sometimes appear in PHP error logs, REST API responses, or JavaScript console output.
Any values matching these patterns are removed from the payload before transmission. The capture file you download notes that a scan was run and how many items were redacted, but it never shows what those items were. The values themselves never leave your environment.
What Loupely stores after a session #
After the diagnosis generates, Loupely does not store the content of your capture. The diagnostic payload is used to produce the diagnosis and triage output, and then discarded. What Loupely does store, tied to your account, is:
- Session metadata: the URL of the page captured, the failure class identified, the triage route taken, the timestamp, and the platform/plugin context (WordPress version, active plugin count). This is used for your Event Log history and for improving Loupely’s correlation rules.
- Your account data: email address, credit balance, plan status, and purchase history.
- Authentication events: timestamps of sign-in requests and sessions, stored by Supabase (Loupely’s authentication provider).
What is never stored #
- The full content of your capture file (PHP error text, JavaScript error messages, Hook Execution details)
- The diagnosis text generated for a specific session
- Credentials or sensitive values detected and removed by the scanner
- The content of your site’s pages, posts, or database
- Passwords of any kind (Loupely uses Magic Link Authentication and stores no passwords)
Data retention #
Session metadata in your Event Log is retained for 30 days by default, configurable in the Loupely plugin settings page. Account data is retained for the life of your account. You can request deletion of your account and all associated data by contacting privacy@useloupely.com. Account deletion is processed within 30 days.