1. Introduction
Linmine ("we," "us," or "our") operates the AI Content Studio for LinkedIn accessible at linmine.com and its subdomains (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
1.1 Our Commitment to Your Privacy
We firmly assert that we do not sell, trade, or otherwise transfer your personal data to third parties for commercial or marketing purposes. Your information remains confidential and is used solely to enhance your experience with Linmine Services. We do not use your data for ad monetization.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, password (stored as a secure hash), bio, and timezone
- Content: Posts you create, custom writing styles, and other content you submit to the Service
- Voice recordings: Audio you submit for voice-to-text transcription (processed by our transcription provider and not stored after processing)
- Uploaded files: Documents and images you upload for content generation
- Waitlist information: Name, email, LinkedIn URL, role, and responses you provide when joining our waitlist
- Communications: Messages you send to us via email or support channels
In compliance with the EU AI Act 2026, we ensure full transparency in AI interactions. We do not use your 'Style DNA' or content to train global AI models. Your unique voice remains your exclusive intellectual property.
2.2 Information from Third-Party Services
- LinkedIn: When you connect your LinkedIn account, we receive your LinkedIn user ID, name, email, profile picture URL, locale, and public profile URL. If you authorize publishing, we also access your LinkedIn posting capabilities. We access LinkedIn using the scopes: openid, profile, email, and w_member_social (for publishing).
- Google: If you sign in with Google, we receive your Google user ID, name, email, and profile picture.
- Stripe: Our payment processor handles your payment information directly. We receive your Stripe customer ID, subscription status, and payment history, but we never receive or store your full credit card number.
2.3 Information Collected Automatically
- Usage data: Pages visited, features used, actions taken (e.g., post creation, AI enhancements)
- Device information: Device type, browser, operating system, and user agent
- Network information: IP address, approximate geographic location (country, city) derived from your IP address
3. How We Use Your Information
We use your information to:
- Provide the Service: Create and manage your account, process subscriptions, generate AI content, schedule and publish LinkedIn posts, and deliver analytics
- Process payments: Handle subscription billing, Credit purchases, and refunds through Stripe
- Send transactional emails: Email verification, password resets, security notifications, payment confirmations, and publishing status updates
- Ensure security and prevent abuse: Detect unauthorized access, enforce rate limits, prevent fraud, and protect against account compromise
- Improve the Service: Analyze usage patterns to improve features, fix bugs, and optimize performance (using only aggregated, non-identifiable data)
- Communicate with you (with consent): Send marketing emails and product announcements only if you have opted in
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or other jurisdictions that require a legal basis for processing personal data, we rely on the following:
- Contract performance: To provide the Service you signed up for, process payments, and manage your account
- Consent: For marketing emails, optional analytics tracking, LinkedIn data synchronization, and third-party data sharing (you can withdraw consent at any time)
- Legitimate interests: To improve the Service, ensure security, prevent fraud, and enforce our terms, where these interests are not overridden by your rights
- Legal obligation: To comply with tax, accounting, and other legal requirements (e.g., retaining billing records)
5. AI Content Processing
When you use our AI features (content enhancement, virality analysis, profile audit, avatar generation), your Content is sent to third-party AI providers for processing. Important details:
- We do not train AI models on your data. Your Content is sent to AI providers solely to process your specific request and generate a response. We do not use your Content to train, fine-tune, or improve any AI models.
- Content sanitization: Before sending your Content to AI providers, we apply security sanitization to protect against prompt injection and other abuse vectors.
- Third-party AI providers: We currently use Google Gemini for AI processing. Your Content sent to these providers is subject to their respective privacy policies and data handling practices.
- Voice transcription: Audio submitted for transcription is processed by Deepgram and is not retained after the transcription is complete.
6. LinkedIn and Social Media Data
When you connect your LinkedIn account, we collect and process:
- Your LinkedIn profile information (name, email, profile picture, public profile URL)
- LinkedIn post content and engagement metrics (likes, comments, reposts) for analytics
- Follower and connection statistics for profile analytics
Your LinkedIn access token is encrypted using industry-standard encryption (Fernet) before storage. We use your LinkedIn data solely to provide the Service and do not share it with third parties for their own purposes.
LinkedIn analytics history is retained for up to 365 days to provide trend analysis. You can disconnect your LinkedIn account at any time through your account settings.
7. Third-Party Service Providers
We share your information with the following categories of service providers, solely as necessary to operate the Service:
We do not sell, rent, or trade your personal information to any third party for their own marketing purposes.
8. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Account data: Retained while your account is active. Deleted upon account deletion request.
- Content (posts, styles): Retained while your account is active. Deleted upon account deletion request.
- LinkedIn analytics history: Retained for up to 365 days to provide trend analysis.
- Activity logs: Retained for 90 days, then automatically deleted.
- Billing and payment records: Retained for 7 years as required by tax and accounting laws.
- Security audit logs: Retained as necessary for security and fraud prevention purposes.
When you delete your account, we delete your personal data from our active systems. Some information may be retained in encrypted backups for a limited period, after which it is permanently deleted. An anonymized record of account deletion is retained for audit purposes.
9. Your Rights
9.1 Rights Under GDPR (EEA, UK, and Switzerland Residents)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data (subject to legal retention obligations)
- Data portability: Receive your data in a structured, machine-readable format
- Restriction: Request that we limit the processing of your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw previously given consent at any time
- Complaint: Lodge a complaint with your local data protection authority
9.2 Rights Under Canadian Privacy Law (PIPEDA)
If you are located in Canada, you have the right to:
- Access your personal information held by us
- Request correction of inaccurate information
- Withdraw consent for data processing
- File a complaint with the Office of the Privacy Commissioner of Canada
9.3 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the right to:
- Know: Request what personal information we collect, use, and disclose
- Delete: Request deletion of your personal information
- Opt-out of sale: We do not sell your personal information
- Non-discrimination: We will not discriminate against you for exercising your rights
9.4 How to Exercise Your Rights
You can exercise most of these rights directly through the Service:
- Data export: Use the data export feature in your account settings to download a copy of your data
- Account deletion: Use the account deletion feature in your settings, which requires email confirmation
- Consent management: Manage your consent preferences (marketing emails, analytics tracking, LinkedIn data sync, AI content generation, third-party sharing) in your account settings
For any requests you cannot complete through the Service, contact us at [email protected]. We will respond within 30 days.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including Canada and the United States, where our servers and third-party service providers are located. These countries may have data protection laws that differ from those of your jurisdiction.
When we transfer personal data outside of the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:
- Transfers to countries recognized as providing adequate protection (Canada has an adequacy decision from the European Commission)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Other legally recognized transfer mechanisms as applicable
11. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Passwords stored using secure one-way hashing (never in plain text)
- OAuth tokens and 2FA secrets encrypted at rest using industry-standard encryption
- Authentication via HttpOnly, Secure cookies (tokens are never stored in browser localStorage)
- HTTPS enforced for all connections
- Rate limiting on all API endpoints to prevent abuse
- Account lockout protection after repeated failed login attempts
- Optional two-factor authentication (TOTP) with backup codes
- Security headers (CSP, HSTS, X-Frame-Options) on all responses
- Input sanitization and parameterized queries to prevent injection attacks
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to [email protected].
11.1 Security Incident Response
Despite our security measures, no system is completely secure. In the event of a data breach that affects your personal information:
Our Response:
- Immediate Investigation: We will investigate the incident within 24 hours of discovery
- Containment: We will take immediate steps to contain the breach and prevent further unauthorized access
- Regulatory Notification: If required by law, we will notify relevant data protection authorities without undue delay and within 72 hours where feasible
- User Notification: We will notify affected users via email within 72 hours if the breach poses a high risk to your rights and freedoms
- Remediation: We will implement measures to prevent similar incidents
What We Will Tell You:
- Nature of the breach and types of data affected
- Approximate number of affected users
- Likely consequences of the breach
- Measures we have taken to address the breach
- Recommended actions you should take (e.g., password reset, monitor accounts)
Ongoing Monitoring:
Following a security incident, we will monitor for unauthorized access for at least 90 days and provide you with updates as needed.
How to Report Security Concerns:
If you discover a security vulnerability or suspect unauthorized access to your account, immediately contact: [email protected]
We appreciate responsible disclosure and will not take legal action against security researchers who report vulnerabilities in good faith.
12. Children's Privacy
The Service is not intended for anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service at least 15 days before the changes take effect.
We encourage you to review this policy periodically. The "Last updated" date at the top indicates the most recent revision.
14. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: