# Privacy Policy - LinkedIn Contacts CRM

**Last updated: 2026-06-05**

This Privacy Policy explains how LinkedTag / LinkedIn Contacts CRM ("the App") and the companion Chrome extension ("the Extension") handle information. By using the App or Extension, you also agree to the [Terms of Service](TERMS.md). If you use the App to process personal data on behalf of yourself or an organization, the [Data Processing Agreement](DPA.md) also applies.

This is a small personal CRM project. It is not affiliated with, endorsed by, or sponsored by LinkedIn.

## Who Operates the App

The controller or processor for the hosted App is Pan. You can contact the operator regarding privacy concerns at pan@cantonman.com.

## Information You Provide or Import

The App stores the contact data you create, edit, import, or save through the Extension, including:

- name, first name, and last name;
- headline, company, position, and location;
- email address;
- LinkedIn profile URL;
- connected-on date from LinkedIn CSV imports;
- groups, tags, notes, and next follow-up date;
- created and updated timestamps.

You can import this information from a LinkedIn connections CSV, paste LinkedIn URLs in bulk, create contacts manually, or save profile details from the Extension.

## Account and Authentication Data

The App uses Supabase Auth with Google OAuth. When you sign in, Supabase and Google process authentication information such as your email address, name, profile avatar, OAuth identifiers, session tokens, and related sign-in metadata.

The App uses your authenticated Supabase user ID to keep your contacts separate from other users' contacts.

## Extension Data Collection

When you are on a LinkedIn profile page and click **Add current profile**, the Extension reads data from the active tab:

| Data | Source | Purpose |
| ---- | ------ | ------- |
| Full name | LinkedIn profile page DOM or tab title | Pre-fill the contact name |
| Headline / title | LinkedIn profile page DOM | Pre-fill the contact headline |
| Profile URL | Active tab URL | Identify the contact and avoid duplicates |

The Extension acts only after you click the add action. It does not continuously scrape LinkedIn in the background.

## Extension Local Storage

The current Extension does not store contact records locally and does not store settings in `chrome.storage.sync`. Contact records are stored by the App in Supabase after you save or import them.

## Profile Images

LinkedTag does not collect, upload, store, or display LinkedIn profile photos. Contact avatars use initials generated from saved names.

## Analytics

The web App includes Vercel Analytics through `@vercel/analytics`. Analytics is loaded only if you choose **Accept analytics** in the cookie banner. Vercel may collect usage and technical analytics for the hosted web application, such as page views, referrer, browser, device, and approximate location information, depending on Vercel's current analytics behavior and your hosting configuration.

Your analytics choice is stored in browser `localStorage` under `linkedtag.analyticsConsent`. To withdraw or reset consent, clear this browser storage entry or contact the operator for help.

The Extension does not include a separate analytics SDK.

## How Data Is Used

Data is used to:

- authenticate users;
- provide the CRM interface;
- store, search, filter, update, delete, import, and export contacts;
- sync contacts across devices for the signed-in user;
- operate, debug, secure, and improve the hosted App.

We do not sell your contact data.

## Legal Bases for Processing

Where GDPR, UK GDPR, or similar laws apply, the operator's legal bases may include:

- performance of a contract or taking steps requested by you, for authentication and providing CRM features;
- legitimate interests, for operating, debugging, securing, and improving the App, balanced against user privacy rights;
- consent, for optional analytics where consent is required;
- legal obligations, if the operator must retain or disclose information to comply with law.

When you use the App to store information about other people, you are responsible for identifying and documenting your own lawful basis for that processing.

## Sub-processors and Third Parties

The current implementation uses:

- **Supabase** for authentication, database storage, and row-level security.
- **Google** for OAuth sign-in.
- **Vercel** for hosting and analytics when deployed on Vercel.
- **LinkedIn** as the source site when you use LinkedIn imports or the Extension.

These providers may process personal data according to their own terms and privacy policies.

## Security

The App uses Supabase row-level security policies so authenticated users can read, insert, update, and delete only their own contact rows. Data is transmitted over HTTPS when the App is hosted correctly. Supabase and the hosting provider provide infrastructure-level security controls.

No system is perfectly secure. You are responsible for protecting your Google account, browser profile, devices, and CRM URL.

## Retention and Deletion

Contact rows remain stored until you delete them in the App, delete your account (if account deletion is supported by the operator), or request deletion from the operator.

CSV exports are generated locally in your browser and downloaded to your device. You are responsible for securing exported files.

## Privacy Rights

Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to processing of your personal data. You may also have the right to withdraw consent where processing is based on consent and to complain to your local data protection authority.

The App lets signed-in users view, edit, export, and delete contacts, and request account deletion through the interface when the operator has configured the account deletion endpoint. For other requests, contact the operator.

For California residents, if the operator is subject to the CCPA/CPRA, you may have rights to know, access, correct, delete, opt out of sale or sharing, limit use of sensitive personal information, and not be discriminated against for exercising privacy rights. The App does not sell contact data or use it for cross-context behavioral advertising.

The App is not designed to process sensitive personal information. Do not intentionally add sensitive personal information, such as health, biometric, government ID, financial, precise geolocation, criminal, religious, political, union, or similar sensitive data.

## International Transfers

Supabase, Google, Vercel, LinkedIn, and other providers may process data in countries other than your own. If GDPR, UK GDPR, Swiss FADP, or similar transfer rules apply, the operator and user are responsible for confirming that appropriate transfer safeguards, such as adequacy decisions, standard contractual clauses, or provider data processing terms, are in place.

## Your Responsibilities as Data Controller

When you import, save, or edit information about other people, you decide what data to collect and why. You are responsible for having a lawful basis to process that data, providing any required notices, handling privacy requests, and complying with laws such as GDPR, UK GDPR, CCPA/CPRA, and similar rules that may apply to you.

You are also responsible for complying with LinkedIn's terms and any laws that apply to collecting, copying, storing, exporting, or reusing information from LinkedIn or other third-party services.

## Chrome Web Store Limited Use Disclosure

The Extension uses personal or sensitive user data only to provide or improve its single user-facing purpose: helping you add the LinkedIn profile you are viewing to your CRM. The use of information received from Chrome extension APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.

The Extension does not use or transfer extension-collected user data for personalized advertising, retargeting, creditworthiness, lending, data brokerage, or sale. Human access to stored CRM data is limited to circumstances such as user-requested support, security, legal compliance, or aggregated and anonymized internal operations, where permitted by applicable law.

## Children's Privacy

The App is intended for professional contact management and is not directed to children.

## Changes

This policy may be updated as the implementation changes. The "Last updated" date shows when this document was last revised.

## Contact

For questions about this policy, please contact pan@cantonman.com.
