# Introly Privacy Policy

**Last Updated: March 13, 2026**

## 1. Introduction

Introly ("we," "our," or "us") operates the web application at app.introly.ai. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.

We take your privacy extremely seriously. Our core principle is simple: **your data is yours, and we will never sell it.**

This policy applies to all users worldwide and is designed to comply with the **EU General Data Protection Regulation (GDPR)**, the **California Consumer Privacy Act (CCPA)**, the **California Privacy Rights Act (CPRA)**, and other applicable data protection laws.

## 2. Data Controller

The data controller responsible for your personal data is:

**Introly**
Email: hello@introly.ai

If you have questions about how your data is processed, contact us at the email above.

## 3. What Data We Collect

### 3.1 Account Data
When you sign up, we collect:
- **Email address** (via Google OAuth)
- **Name** (from your Google profile)
- **LinkedIn profile URL** (provided by you)

### 3.2 LinkedIn Connections Data
When you use our core service, we process:
- Names and LinkedIn profile URLs of your connections
- Company names associated with your connections
- Publicly available LinkedIn profile data (headline, current position, skills, location)

This data is used exclusively to identify job opportunities within your professional network.

### 3.3 LinkedIn Full Data Export (Optional)
You may optionally upload your LinkedIn data export. This may include:

| Data Category | Examples | Sensitivity |
|---------------|----------|-------------|
| **Identity** | Name, email addresses, phone numbers, birth date, address | Very High |
| **Communications** | Private messages, invitation history | Very High |
| **Career** | Positions, education, skills, certifications, endorsements | High |
| **Job Search** | Applications, saved jobs, job seeker preferences | High |
| **Financial** | Premium receipts, billing information | High |
| **Activity** | Company follows, events, learning history, ad targeting | Medium |
| **Other** | Rich media, causes, volunteering, recommendations | Medium |

**Important:** This data is stored securely, used exclusively to generate personalized job reports, and is **never sold, shared with third parties, or used for any other purpose.**

### 3.4 Payment Data
Payment processing is handled entirely by **Stripe**. We never store your credit card numbers, bank account details, or other financial payment credentials on our servers. Stripe's privacy policy applies to payment data: https://stripe.com/privacy

### 3.5 Usage Data
We collect minimal technical data for service operation:
- Authentication tokens (for maintaining your session)
- Report request history (to track your usage)

We do **not** use analytics trackers, advertising pixels, or third-party tracking scripts.

## 4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your data based on the following legal grounds:

| Data | Legal Basis | Explanation |
|------|-------------|-------------|
| **Account data** | Contract performance (Art. 6(1)(b)) | Necessary to provide the service you signed up for |
| **LinkedIn connections** | Contract performance (Art. 6(1)(b)) | Core functionality of the service you subscribed to |
| **LinkedIn data export** | Explicit consent (Art. 6(1)(a)) | You actively choose to upload this data and must check a consent box before import |
| **Payment data** | Contract performance (Art. 6(1)(b)) | Necessary to process your subscription payments |
| **Usage data** | Legitimate interest (Art. 6(1)(f)) | Necessary for service operation, security, and abuse prevention |

You may withdraw consent for LinkedIn data export processing at any time by deleting your imported data (see Section 7.2).

## 5. How We Use Your Data

We use your data for **one purpose only**: generating personalized job opportunity reports based on your LinkedIn network.

Specifically, we use your data to:
- Identify companies where your connections work
- Search for open job positions at those companies that match your preferences
- Present relevant job opportunities in your dashboard
- Generate deeper insights when LinkedIn export data is provided

**We do NOT:**
- Sell your personal information (as defined by CCPA/CPRA)
- Share your data with advertisers
- Use your data for marketing purposes beyond service-related communications
- Use your data to train machine learning models
- Mine your data for aggregate analytics sold to others
- Contact your LinkedIn connections on your behalf
- Make automated decisions that produce legal or similarly significant effects on you

### 5.1 Automated Decision-Making and Profiling
Introly does **not** use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Art. 22). Job matching is informational only — we surface opportunities but make no decisions on your behalf.

## 6. Data Storage and Security

### 6.1 Infrastructure
- **Database:** Supabase (PostgreSQL), hosted in secure cloud infrastructure
- **Application:** Vercel, with HTTPS encryption for all connections
- **Payments:** Stripe (PCI DSS Level 1 compliant)

### 6.2 Access Controls
- **Row Level Security (RLS):** Every database table enforces row-level security. Your data can only be accessed by your authenticated session. No other user can see, modify, or delete your data.
- **Authentication:** We use Supabase Auth with Google OAuth. Passwords are never stored by Introly.
- **Admin Access:** Admin access uses server-side verified credentials stored in protected metadata that cannot be modified by end users.
- **API Security:** All API endpoints require authentication, enforce rate limiting, and validate input with strict schemas.

### 6.3 Data Encryption
- All data in transit is encrypted via TLS/HTTPS
- Database connections use SSL
- Authentication tokens use secure, HTTP-only cookies

### 6.4 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within **72 hours** of becoming aware of the breach (GDPR Art. 33)
- Notify affected users **without undue delay** if the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34)
- Document all breaches, including their effects and remedial actions taken

## 7. Your Rights

### 7.1 Access Your Data (GDPR Art. 15 / CCPA Right to Know)
All your data is visible in your Introly dashboard. You also have the right to request a complete copy of all personal data we hold about you. Contact hello@introly.ai.

### 7.2 Delete Your LinkedIn Export Data (GDPR Art. 17 / CCPA Right to Delete)
You can permanently delete all imported LinkedIn data at any time:
- Go to **Profile** > **LinkedIn Data Import** section
- Click **"Delete all my imported LinkedIn data"**
- Confirm the deletion

This immediately and permanently removes all LinkedIn export data from all 30 data tables associated with your account.

### 7.3 Delete Your Account (GDPR Art. 17 / CCPA Right to Delete)
To delete your entire account and all associated data, contact us at hello@introly.ai. We will:
- Delete all your personal data from our database
- Cancel any active subscriptions
- Remove all LinkedIn connections, job results, and export data
- Complete the deletion within **30 days**

### 7.4 Rectification (GDPR Art. 16)
You have the right to correct inaccurate personal data. You can update your profile information directly in the dashboard, or contact us for corrections to other data.

### 7.5 Restriction of Processing (GDPR Art. 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data, or if you object to processing).

### 7.6 Data Portability (GDPR Art. 20 / CCPA Right to Know)
Your LinkedIn data originated from LinkedIn's data export. You retain the original export and can re-import it at any time. You may also request a machine-readable export of your account data by contacting hello@introly.ai.

### 7.7 Right to Object (GDPR Art. 21)
You have the right to object to processing based on legitimate interest. If you object, we will stop processing your data unless we demonstrate compelling legitimate grounds.

### 7.8 Withdraw Consent (GDPR Art. 7(3))
Where processing is based on consent (LinkedIn data export), you may withdraw consent at any time by deleting your imported data. Withdrawal does not affect the lawfulness of processing before withdrawal.

### 7.9 Lodge a Complaint (GDPR Art. 77)
You have the right to lodge a complaint with a data protection supervisory authority in your country of residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

### 7.10 Non-Discrimination (CCPA/CPRA)
We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, quality of service, or any other penalty for exercising your rights.

## 8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

### 8.1 Categories of Personal Information Collected

| Category (per CCPA) | Examples | Collected? |
|----------------------|----------|------------|
| **A. Identifiers** | Name, email, LinkedIn URL | Yes |
| **B. Personal information (Cal. Civ. Code 1798.80(e))** | Name, address, phone number | Yes (via LinkedIn export only) |
| **C. Protected classification characteristics** | Age, gender (from LinkedIn ad targeting data) | Yes (via LinkedIn export only) |
| **D. Commercial information** | Purchase history, subscription records | Yes |
| **E. Biometric information** | Fingerprints, face geometry | No |
| **F. Internet/network activity** | Browsing history, search history | No |
| **G. Geolocation data** | Precise GPS location | No |
| **H. Sensory data** | Audio, visual, thermal | No |
| **I. Professional/employment** | Job history, company, title | Yes |
| **J. Non-public education** | Degree, school name | Yes (via LinkedIn export only) |
| **K. Inferences** | Profiles reflecting preferences | No |
| **L. Sensitive personal information** | SSN, financial accounts, precise geolocation, biometric, health, sex life, union membership | No |

### 8.2 Sale and Sharing of Personal Information
**We do not sell your personal information.** We have not sold personal information in the preceding 12 months.

**We do not share your personal information** for cross-context behavioral advertising purposes.

### 8.3 Your CCPA/CPRA Rights
- **Right to Know:** Request disclosure of the categories and specific pieces of personal information we have collected about you.
- **Right to Delete:** Request deletion of personal information we have collected from you.
- **Right to Correct:** Request correction of inaccurate personal information.
- **Right to Opt-Out of Sale/Sharing:** Not applicable — we do not sell or share personal information.
- **Right to Limit Use of Sensitive Personal Information:** We do not use sensitive personal information for purposes beyond what is necessary to provide the service.
- **Right to Non-Discrimination:** We will not deny goods or services, charge different prices, or provide a different quality of service because you exercised your rights.

### 8.4 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- **Email:** hello@introly.ai (subject: "CCPA Privacy Request")

We will verify your identity before processing your request. We will respond within **45 days** of receiving a verifiable request, as required by the CCPA. If we need additional time, we will notify you of the extension and the reason.

### 8.5 Authorized Agents
You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization, and we may verify your identity directly.

### 8.6 Financial Incentives
We do not offer financial incentives or price differences in exchange for the collection, retention, or sale of personal information.

## 9. Data Retention

- **Account data:** Retained while your account is active. Deleted upon account deletion.
- **LinkedIn connections data:** Retained while your account is active. Updated with each report.
- **LinkedIn export data:** Retained until you delete it (you can do this at any time from your Profile page) or until your account is deleted.
- **Job search results:** Retained for your reference. Older results are periodically refreshed.
- **Payment records:** Retained as required by tax and financial regulations (typically 7 years).

## 10. Third-Party Services (Sub-Processors)

We use the following third-party services to operate Introly. We maintain Data Processing Agreements (DPAs) with our sub-processors where required by law:

| Service | Purpose | Data Shared | DPA |
|---------|---------|-------------|-----|
| **Supabase** | Database and authentication | Account data, all stored data | Yes |
| **Vercel** | Application hosting | Request data (IP, user agent) | Yes |
| **Stripe** | Payment processing | Email, payment method (handled by Stripe) | Yes |
| **Google OAuth** | Authentication | Email, name (from Google) | Yes |
| **Apify** | LinkedIn data enrichment | LinkedIn profile URLs (public data only) | Yes |
| **Inngest** | Background job processing | Internal job IDs and metadata | Yes |

We do **not** use: Google Analytics, Facebook Pixel, Mixpanel, Hotjar, or any advertising/tracking services.

## 11. Cookies

We use only **essential cookies** required for authentication and session management. We do not use:
- Advertising cookies
- Analytics cookies
- Third-party tracking cookies

No cookie consent banner is required because we use only strictly necessary cookies exempt under ePrivacy Directive Article 5(3).

## 12. Children's Privacy

Introly is not intended for use by individuals under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

## 13. International Data Transfers

Your data may be processed in the United States and European Union through our infrastructure providers (Supabase, Vercel). For transfers outside the EEA, we rely on:
- **Standard Contractual Clauses (SCCs)** approved by the European Commission
- **EU-U.S. Data Privacy Framework** certifications where applicable
- Sub-processor compliance with applicable data protection laws

## 14. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. Since we do not track users across third-party websites and do not use advertising or analytics trackers, our service effectively honors DNT signals by default.

## 15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice in the application. The "Last Updated" date at the top indicates when the policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.

## 16. Contact Us

For any privacy-related questions, concerns, or data requests:

- **Email:** hello@introly.ai
- **Data Deletion Requests:** hello@introly.ai (subject: "Data Deletion Request")
- **CCPA Requests:** hello@introly.ai (subject: "CCPA Privacy Request")
- **GDPR Requests:** hello@introly.ai (subject: "GDPR Data Request")

We aim to respond to all privacy inquiries within **5 business days** and will fulfill verifiable data requests within **30 days** (GDPR) or **45 days** (CCPA).

---

**Summary:** We collect only what we need to find jobs in your network. Your data is yours. We never sell it. You can delete it anytime. That's it.

Questions? Contact us at hello@introly.ai