Privacy

Your data, your control

We built Links to help you publish with confidence, not to trade your data. This policy explains what we collect, why we collect it, how we protect it, and the choices you have.

Scope & who we are

This policy applies to the Links web application and related services.

NeuroLoft LLC (“we”, “us”, “our”) provides Links, a tool that turns curated articles or your TXT/PDF files into LinkedIn-ready posts and publishes them to your connected LinkedIn account at your direction.

Last updated: November 3, 2025

Information we collect

Only what’s needed to run the service you expect.

Account & authentication

  • Links account: email, password hash (bcrypt), basic profile metadata.
  • Sessions: HTTP-only cookies to keep you signed in (Secure; SameSite=None).

LinkedIn connection

  • Access, refresh, and ID tokens stored encrypted at rest; decrypted only to publish at your request.
  • LinkedIn member identifiers needed to publish (e.g., member URN or equivalent).

Content you provide

  • TXT/PDF files or text you upload for drafting.
  • URLs to create link preview cards.
  • Draft text and publish actions you perform.

Service operations

  • Basic request and error logs (timestamps, paths, status codes) for reliability and security.
  • Limited device/network data (browser user agent, IP address) for fraud prevention and abuse control.

What we do not collect

  • No sale of personal data; no third-party advertising cookies.
  • No reading of your private LinkedIn messages or connections.
  • No continuous ingestion of your LinkedIn content unless you explicitly trigger actions.

How we use your information

Operate the app, secure it, and improve it—never to sell your data.

  • Provide core features: sign-in, drafting, link previews, and publishing to LinkedIn at your request.
  • Maintain security: session management, fraud and abuse prevention, and rate-limit enforcement.
  • Improve performance: troubleshooting, error monitoring, and usage patterns in aggregate.
  • Communicate: service updates, security notices, and account-related messages.

No manual access & no LinkedIn credentials

You stay in control of your account and actions.

  • No manual posting on your behalf: We do not log into your LinkedIn account or manually publish content for you. All posts are initiated by you within the app and executed programmatically through LinkedIn’s APIs.
  • No access to your LinkedIn password: We never see or store your LinkedIn login credentials. Connection to LinkedIn is handled via OAuth; we receive tokens from LinkedIn to perform the specific actions you authorize.
  • Just-in-time token use: Encrypted tokens are decrypted only when needed to complete a publish action you initiated.
  • Revocation at any time: You can disconnect your LinkedIn account in the app or via LinkedIn’s own security settings; tokens will cease to function.

Your choices & legal bases

Controls you have; bases we may rely on where applicable (e.g., EEA/UK).

Your choices

  • Access or update: edit your email and connected account from Account.
  • Disconnect LinkedIn: revoke from Account; tokens are invalidated.
  • Delete content: remove drafts you created; published posts live on LinkedIn under their policies.
  • Close account: contact us to request deletion of your Links account and stored tokens.

Legal bases (EEA/UK)

  • Contract: to provide the service you requested (auth, drafting, publishing).
  • Legitimate interests: security, service integrity, troubleshooting, and product improvement.
  • Consent: where required for optional features (e.g., marketing communications).

Sharing & disclosures

We don’t sell personal data. We share only to run the service or comply with the law.

  • Service providers: cloud hosting, databases, logging, and monitoring vendors under data-processing terms.
  • Legal: if required to comply with valid legal processes or protect the rights, safety, and security of users.
  • Business transfers: if we undergo a merger, acquisition, or asset sale, data may transfer with customary safeguards.

Retention

Keep only what’s necessary, for only as long as necessary.

  • Account data: retained while your account is active.
  • LinkedIn tokens: rotated and refreshed per LinkedIn requirements; removed when you disconnect.
  • Drafts & uploads: retained until you delete them or per app settings (future auto-save/restore features may add options).
  • Logs: held for a limited time for security and reliability, then deleted or aggregated.

Security

Defense-in-depth measures for data at rest and in transit.

  • Encryption: tokens at rest are encrypted; all transport uses TLS.
  • Authentication: email + password login with bcrypt-hashed passwords; HTTP-only cookies for sessions.
  • Least privilege: only required LinkedIn scopes; tokens decrypted just-in-time to publish.
  • Operational controls: monitoring, rate limits, and access controls for production systems.

International transfers

Data may be processed in the United States and other locations where our providers operate.

Where required, we use appropriate safeguards for cross-border transfers (such as standard contractual clauses) and vendor due diligence.

Children

Links is not directed to children under 13 (or under 16 in certain regions).

We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us to request deletion.

Changes to this policy

We’ll update this page and revise the date when our practices change.

We may update this policy to reflect new features, vendors, or legal requirements. Material changes will be communicated through the app or by email when appropriate.

Contact

Questions or requests? We’re here to help.

Email: info@neuroloft.com

For data access or deletion requests, please include the email associated with your Links account.