Privacy Policy

Placeholder content. Final Privacy Policy to be drafted by PM (UK GDPR + ICO compliant template + legal review). The LinkedIn-specific section is current and load-bearing for app-review compliance.

1. Data we collect

• Account data: name, email, password hash.
• Usage data: pages visited, features used, error logs.
• Content you create: posts, drafts, lead notes, intelligence saves.
• Connection data: from LinkedIn / X / etc., as you authorise.

2. How we use it

To provide the service, send transactional emails, improve product quality, and (with your separate consent) send marketing or partner-recommendation emails.

3. Marketing emails

We only send marketing emails if you opt in at signup or in Settings → Privacy. You can withdraw at any time — the unsubscribe link in every email also withdraws your consent.

4. Product updates

Periodic emails about new features and tips. Opt-in at signup; managed in Settings → Privacy.

5. Partner recommendations

We may recommend complementary tools from trusted partners. Opt-in only; no data is shared with partners without your separate consent.

6. Your rights (UK GDPR)

• Access — request a copy of your data via Settings → Data export.
• Rectification — edit your profile in Settings.
• Erasure — request account deletion. Subject to legal retention rules (audit trail rows survive with PII scrubbed).
• Withdraw consent — for any optional opt-in, anytime.
• Complain — to the UK ICO at ico.org.uk.

7. Data retention

Account data: retained while your account is active. Audit + consent trails: retained indefinitely with PII scrubbed on account deletion (legal non-repudiation requirement).

8. Subprocessors

Anthropic (AI inference), Resend (transactional email), Stripe (billing), Cloudflare R2 (media storage), Railway (hosting), Sentry (error tracking), Better Stack (uptime monitoring + logs). Each has its own privacy commitments. We do not sell or share your data with any party beyond these named sub-processors.

9. LinkedIn data we process

When you connect your LinkedIn account to Maktura, we receive specific data via LinkedIn's OAuth flow under scopes you explicitly authorise. This section describes exactly what we collect, how we store it, how long we keep it, and how to remove it.

What we collect from LinkedIn

• OAuth tokens— an access token (used to call LinkedIn's API on your behalf) and a refresh token (used to renew the access token when it expires).
• Profile fields— your name, primary email, headline, profile picture, and LinkedIn member URN. Used to render “You are connected as” UI and to attribute posts you publish.
• Posts and engagement — when you authorise the w_member_social scope and use Maktura to publish or sync, we read posts you author and engagement on those posts (comments, reactions, shares) so the intelligence + analytics surfaces have data to work with.

How we store it

All LinkedIn data is held in our managed Postgres database (Cloud-hosted, encrypted at rest by the provider). OAuth access and refresh tokens are additionally encrypted at the application layer using AES-256 with a per-deployment key, so a database export without the key is not enough to call LinkedIn on your behalf.

Retention

• While your account is active: tokens + profile + synced post data are kept as long as the LinkedIn integration is connected.
• When you disconnect LinkedIn (Settings → Integrations → LinkedIn → Disconnect): your access + refresh tokens are deleted immediately. Profile fields and previously-synced posts/engagement remain until you delete your Maktura account.
• When you delete your Maktura account (Settings → Data export → Delete account): all LinkedIn-derived data is purged within 30 days, except audit-trail rows where the PII is scrubbed but the row itself survives for legal non-repudiation.

Sharing

We do not sell or share LinkedIn data with any third party other than the named sub-processors above (each strictly limited to the function they perform — e.g. Sentry receives error context, never tokens or post bodies). LinkedIn data is never used for marketing or sold to advertisers.

Your rights for LinkedIn data

• Export — included in the standard data export (Settings → Data export).
• Delete — disconnect at Settings → Integrations or delete your account for full erasure.
• Withdraw consent— anytime via LinkedIn's own “Manage authorised apps” settings, which immediately invalidates our access token even if you don't open Maktura.

10. Changes

We bump the version above when material changes happen; existing users re-accept.

11. Contact

Questions: privacy@maktura.com. Data controller: Maktura Ltd, England + Wales.