Privacy Policy

InLinked is a tool that turns a brief and a copy of your LinkedIn connections export into a ranked warm-intro plan. We store the information you give us so we can produce that output for you. We do not sell your data, we do not use it for advertising, and we never send messages on your behalf — every piece of outreach is copy-to-clipboard only.

The only third parties that receive your data are the ones we need to operate the product: LinkedIn (for sign-in), Anthropic (for AI processing), Neon (for database storage), Vercel (for hosting), and Jina AI (only when we cannot read a website you ask us to scan with our own fetcher).

InLinked ("we", "us", "our") is operated by Harry Dewhirst, based in Singapore. For any privacy question — including a request to access, correct, export, or delete your data — email harry@dewhirst.net.

• Account data (from LinkedIn sign-in). When you sign in we receive your LinkedIn unique identifier, name, email address, and profile picture from the "Sign In with LinkedIn using OpenID Connect" product. We do not request, and LinkedIn does not give us, access to your connections, posts, messages, or any other LinkedIn content.
• Project content you provide. The brief or goal you type, any files you upload (PDF / DOCX / PPTX / XLSX / CSV / TXT), and any company website URL you ask us to read. We extract and store the text from those files; we do not retain the original binaries beyond the processing request.
• Connections data you upload. When you upload your Connections.csv exported from LinkedIn we read the rows it contains (first name, last name, company, position, profile URL, email address if present, and the date you connected) and store them against your project.
• Generated content. The target lists, matches, and outreach drafts produced by the AI from your inputs. These are stored against your project so you can return to them.
• Technical data. Standard server logs from our hosting provider (IP address, request paths, user-agent, timing), and the small set of cookies described in section 7.

• To identify you and scope your projects to your account.
• To produce the target list, the connection-to-target matching, and the outreach drafts you came to the product for.
• To diagnose errors, prevent abuse, and operate the service (e.g. rate limiting, basic security logging).

We do not use your data to train AI models, build advertising profiles, or send you marketing. We do not sell your data.

We share the minimum data needed for these vendors to perform their function. Each one has its own privacy policy linked below.

• LinkedIn — handles sign-in. They receive that you authenticated against our app. They do not receive your project content, files, or uploaded CSV. privacy policy
• Anthropic (Claude API) — performs the AI generation. When you ask us to build a target list or draft outreach, we send the relevant context to Anthropic: your brief, the extracted text from your uploaded files and scraped websites, and connection metadata (names, titles, companies — not emails). Per Anthropic's commercial terms, data sent through the API is not used to train their models. privacy policy
• Neon (Postgres) — our database provider. Stores everything described in section 2 at rest in an encrypted, EU/US-region Postgres database. privacy policy
• Vercel — our hosting provider. Handles HTTP traffic and server-side execution. Standard request logs are retained per their default policy. privacy policy
• Jina AI Reader (r.jina.ai) — a fallback website-text extractor. We only call it when our own fetcher cannot read a site you have asked us to scan, and we only send the URL of that public website. policies

We do not transfer your data to any other third party. We may disclose it if compelled by law, but in that case we will tell you unless legally prevented from doing so.

• Send messages, connection requests, or any other action on your LinkedIn account on your behalf.
• Use your data to train AI models.
• Sell your data, or share it with advertisers or data brokers.
• Contact people in your connections list. They are not InLinked users and we do not message them.

Project content, connection uploads, generated targets, and drafts are kept until you delete them or delete your account. You can delete individual projects from the dashboard at any time. To delete your entire account and all associated data, email harry@dewhirst.net — we will action the request within 30 days. Server logs are retained by our hosting provider per their default policy (typically 30 days).

We use exactly two cookies, both strictly necessary — no analytics, advertising, or tracking cookies:

• inlinked_session — an HMAC-signed cookie that keeps you logged in. Valid for 30 days. HTTP-only, SameSite=Lax.
• inlinked_oauth_state — a short-lived (10 minutes) cookie used to prevent CSRF attacks during the LinkedIn sign-in flow. Discarded immediately afterwards.

Whichever country you are in, you can ask us to do any of the following with your personal data and we will action your request within a reasonable time:

• Access the personal data we hold about you.
• Request correction of data that is inaccurate.
• Request deletion of your data.
• Request a portable export of your data.
• Withdraw consent at any time where consent is the legal basis for our processing.

If you are in Singapore, the Personal Data Protection Act 2012 (PDPA) gives you the right to access and correct the personal data we hold about you, and to withdraw consent for our continued use of it. You can complain to the Personal Data Protection Commission (PDPC) if you believe we have not handled your data properly.

If you are in the UK or EEA, the UK GDPR / EU GDPR additionally give you the right to object to or restrict certain processing, and the right to complain to a supervisory authority (in the UK, the ICO). Our legal basis for processing your account and project data is performance of a contract (operating the product you have signed up to) and legitimate interests in keeping the service running and secure. Where you have given consent, the basis is consent, which you can withdraw at any time.

To exercise any of these rights, email harry@dewhirst.net.

All traffic is served over HTTPS. Session cookies are HTTP-only, HMAC-signed, and SameSite=Lax. Database connections use TLS. We follow standard security practices, but no online service is completely secure; if you believe your account has been compromised, contact us immediately.

We are based in Singapore. Our hosting (Vercel) and database (Neon) providers operate globally, so your data may be processed in the United States, the European Union, or other countries depending on their infrastructure. Where the law requires it (for example PDPA Section 26 for transfers out of Singapore, or UK/EU GDPR Chapter V for transfers out of the UK/EEA), we rely on the appropriate safeguards — Standard Contractual Clauses or equivalent contractual protections — published by those vendors.

InLinked is not intended for, and we do not knowingly collect data from, anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

When we materially change this policy we will update the "Last updated" date at the top and, where the change affects how we use existing data, notify signed-in users by email or in-product banner before the change takes effect.

Privacy questions, data-subject requests, or account deletions: harry@dewhirst.net.