Privacy Policy

This Privacy Policy applies to all users of the Linkra application and services, including our website at linkra.io, our mobile applications, and any related products or features (collectively, the "Service"). It applies regardless of where you are located in the world.

Linkra is a messaging aggregation platform. We act as a conduit that retrieves your messages from third-party social media platforms you have explicitly authorized and displays them to you inside the Linkra interface. We are the "data processor" acting on your behalf; you remain the "data controller" of your own personal communications.

This policy is designed to satisfy the requirements of the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Meta Platform Terms and Developer Policies (including Instagram Graph API and WhatsApp Business API policies), and other applicable data protection laws globally.

We only access your social media accounts using official OAuth 2.0 authorization flows provided by each platform. This means:

We never ask for your passwords. When you connect a platform such as Instagram or Facebook, you are redirected to that platform's own login screen. You authenticate directly with them. Linkra receives a secure access token — never your username or password.

We request only minimum necessary permissions. For each platform, we request only the specific API scopes required to retrieve and display your direct messages. We do not request permissions to post content, follow users, access your feed, view your contacts, or perform any action beyond reading and sending messages within the Linkra interface.

You can revoke access at any time. You may disconnect any platform from Linkra at any time, both from within Linkra's settings and directly from that platform's authorized applications settings. Upon disconnection, Linkra immediately stops accessing that platform and we delete all cached message data from that platform within 72 hours.

Instagram & Facebook / Meta: Linkra uses the Instagram Graph API and the Messenger Platform API under Meta's Platform Terms. We comply fully with Meta's Platform Policy, including restrictions on data use, data portability, and user consent requirements. Our use of Meta APIs has been reviewed and approved through Meta's App Review process.

WhatsApp: Linkra integrates with the WhatsApp Business API (Cloud API) provided by Meta. Access is governed by WhatsApp's Business and Commerce Policies and Meta's Platform Terms. We do not access WhatsApp personal account data outside of what is explicitly authorized through the official API.

We collect only what is strictly necessary to operate the Service:

Account Information: When you create a Linkra account, we collect your name, email address, and a hashed password (we never store plain-text passwords). If you sign up using Google or Apple Sign-In, we receive your name, email address, and profile picture token from those providers under their respective OAuth flows.

Platform OAuth Tokens: To maintain your connected social media integrations, we store encrypted OAuth access tokens and refresh tokens for each platform you authorize. These tokens allow Linkra to retrieve your messages on your behalf. They are encrypted at rest using AES-256 and are never transmitted to third parties.

Device & Technical Information: We collect your IP address, browser type and version, device type, operating system, time zone, and referring URL. This is used for security monitoring, fraud prevention, and service diagnostics only.

App Usage Data: We collect anonymized, aggregated information about how you interact with Linkra — which features you use, pages visited, and session duration — to improve the product. We do not build individual behavioral profiles for advertising purposes.

Support Communications: If you contact Linkra support by email or chat, we retain the content of those communications to resolve your request and improve service quality.

Payment Information: Payments are processed by Stripe. We store only your plan tier and the last 4 digits of your payment card. We never store full card numbers, CVVs, or raw payment details on our servers.

This section specifically addresses how Linkra handles your private messages, which are the most sensitive data type we process.

What message data we access: When you connect a social platform, Linkra retrieves your direct message conversations from that platform via its official API. This includes message text, timestamps, sender/recipient information, and where permitted by the platform API, media attachments such as images and files.

How message data is stored: Messages are cached on Linkra's servers temporarily to power your unified inbox experience. Message content is encrypted in transit (TLS 1.3) and at rest (AES-256). We do not permanently archive your message history beyond what is necessary for the Service to function — see Section 11 for retention details.

Message data is yours alone: Your message content is private. Linkra employees do not read your messages except under extremely limited circumstances — specifically, when responding to a verified legal request, or when you explicitly share a message with us as part of a support ticket. All such access is logged and audited.

No training on message data: We do not use your private message content to train machine learning models, to build advertising profiles, or for any purpose other than displaying those messages to you inside the Linkra interface.

AI Smart Replies (Pro feature): If you use Linkra's AI-assisted reply suggestions, the content of the relevant message thread is processed to generate suggestions. This processing occurs in-session only and is not stored after the suggestion is generated or dismissed. You can disable Smart Replies at any time in your account settings.

No access to your contacts or social graph: We do not access your social media followers, friend lists, contact books, or social graph data. We access only your direct message threads.

We use the information we collect for the following purposes, and only these purposes:

Service Delivery: To operate the Linkra platform — specifically, to authenticate your account, maintain your connected platform integrations, fetch and display your messages, and enable you to reply to messages across connected platforms.

Product Improvement: To understand aggregate usage patterns, diagnose technical issues, and prioritize improvements. We use anonymized, aggregate data for this purpose — never individual message content.

Security & Fraud Prevention: To detect and prevent unauthorized account access, abuse of the platform, spam, and violations of our Terms of Service. This includes analyzing login patterns and flagging suspicious activity.

Communications: To send you transactional communications including email verification, password resets, connected platform notifications, and billing receipts. With your explicit opt-in, we may send product updates and feature announcements. You may unsubscribe from non-transactional emails at any time.

Legal Compliance: To comply with applicable laws, court orders, and regulatory requirements, and to enforce our Terms of Service.

We believe you deserve absolute clarity about what we will never do with your data. These are unconditional commitments, not subject to exceptions or future policy changes without your explicit consent:

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

Contract Performance (Art. 6(1)(b) GDPR): The primary basis for our processing is to deliver the Linkra Service you have contracted for — including connecting your social accounts, aggregating your messages, and enabling you to reply. Without this processing, we cannot provide the core Service.

Explicit Consent (Art. 6(1)(a) GDPR): For the access and processing of your private message data obtained via social platform APIs, we rely on your explicit, informed consent granted at the point of connecting each platform. You may withdraw this consent at any time by disconnecting a platform within Linkra's settings.

Legitimate Interests (Art. 6(1)(f) GDPR): We process certain technical and usage data based on our legitimate interest in operating a secure, reliable platform — including security monitoring, fraud detection, and product diagnostics. We balance these interests carefully against your rights and freedoms, and this processing does not include your message content.

Legal Obligation (Art. 6(1)(c) GDPR): We may process personal data to comply with applicable legal requirements, including verified law enforcement requests and statutory obligations.

Special Categories: To the extent your private messages may contain special category data (e.g., health information, political opinions), we process this data solely on the basis of your explicit consent (Art. 9(2)(a) GDPR) for the purpose of delivering the unified inbox service. We do not analyze, categorize, or otherwise process special category data for any secondary purpose.

We do not sell your data. We do not share your message content with third parties. The following describes the limited circumstances in which we share any data at all:

Infrastructure Sub-processors: We use the following trusted sub-processors to operate the Service. Each is bound by a Data Processing Agreement (DPA) and is prohibited from using your data for any purpose beyond providing infrastructure services to Linkra:

Legal Requirements: We may disclose personal data if required by law, court order, or governmental authority. We will notify affected users of such requests unless legally prohibited from doing so. We will always challenge requests we believe to be overbroad or unlawful.

Business Transfers: In the event of a merger, acquisition, or asset sale, user data may be transferred. We will notify you via email at least 30 days before any such transfer, and you will have the right to delete your account and data before the transfer occurs.

With Your Explicit Consent: We may share data with third parties only if you explicitly consent to such sharing for a specific stated purpose. Such consent is always separately obtained and revocable.

Linkra's core functionality depends on official APIs provided by third-party social media platforms. Our use of these APIs is strictly governed by each platform's developer and privacy policies. This section explains our compliance posture for each:

Meta (Instagram, Facebook Messenger, WhatsApp): We comply fully with Meta's Platform Terms, Meta's Developer Policies, and the Instagram Platform Policy. Specifically: (a) we use Instagram and Messenger data only to provide the messaging aggregation experience users have authorized; (b) we do not use Meta platform data for advertising targeting, data brokering, or any purpose that violates Meta's Prohibited Data Uses; (c) we do not transfer Meta platform data to any analytics provider or data aggregator; (d) we store Meta platform data only for as long as necessary to deliver the Service, and delete it promptly upon user disconnection; (e) our app has completed Meta's App Review process for all required permissions including instagram_manage_messages, pages_messaging, and whatsapp_business_messaging.

Telegram: We access Telegram via the official Telegram Bot API and MTProto protocol under Telegram's Terms of Service. We only access message data from conversations where you are a participant and have authorized access.

X (Twitter): We use the X API v2 under X's Developer Agreement and Policy. We access only Direct Message endpoints with user-level OAuth 2.0 PKCE authorization. We comply with X's restricted-use policies for DM data.

LinkedIn: We use the LinkedIn API under LinkedIn's API Terms of Use. We access only the Messaging API scope with explicit user authorization via OAuth 2.0.

API Data Minimization: For every platform, we request only the minimum API permissions necessary to deliver the unified inbox experience. We do not request permissions to post on your behalf, read your timeline or feed, access your followers or connections, or perform any action outside of reading and sending direct messages.

You have meaningful rights over your personal data. We are committed to honoring all of them promptly, without discrimination, and free of charge:

Right of Access: You may request a full export of all personal data Linkra holds about you, including your account data, connected platform tokens (metadata only, not raw tokens), and any cached message data.

Right to Correction: You may correct inaccurate personal data directly in your Linkra account settings. For data we cannot correct on your behalf, we will instruct you on how to do so.

Right to Deletion ("Right to Be Forgotten"): You may request deletion of your Linkra account and all associated data — including cached messages, account information, and OAuth tokens. We will complete this within 30 days. Deleting your Linkra account does not delete messages on the source platform; those must be deleted directly on Instagram, WhatsApp, etc.

Right to Disconnect a Platform: You may disconnect any connected social media platform at any time from Linkra's settings. Upon disconnection, we immediately revoke your OAuth token for that platform and delete all cached message data from that platform within 72 hours.

Right to Data Portability: You may request an export of your personal data in a machine-readable format (JSON or CSV).

Right to Object / Restrict Processing: You may object to processing of your data based on legitimate interests, or request that we restrict processing while a dispute is resolved.

Right to Withdraw Consent: Where processing is based on your consent (including access to social platform message data), you may withdraw consent at any time by disconnecting the relevant platform. Withdrawal does not affect prior lawful processing.

CCPA Rights: California residents have the right to know what personal information we collect and how it is used, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising CCPA rights.

Right to Lodge a Complaint: If you believe we have violated your privacy rights, you may file a complaint with your local data protection authority. For EU residents, this is your national DPA (e.g., ICO for the UK, CNIL for France). We encourage you to contact us first so we can resolve the matter directly.

To exercise any of these rights, email us at privacy@linkra.io or use the Data & Privacy section in your account settings. We will respond within 30 days (or as required by applicable law).

We retain data only for as long as necessary. Here is exactly how long we keep each data type:

Upon account deletion, all personal data is permanently deleted or irreversibly anonymized within 30 days, except where longer retention is required by law (e.g., billing records).

Linkra uses a minimal set of cookies and local storage to operate the Service. We do not use advertising cookies, cross-site tracking, or behavioral profiling technologies.

Strictly Necessary Cookies: These are required for the Service to function and include your session authentication token, CSRF protection tokens, and user interface preferences (e.g., theme, language). You cannot opt out of these while using Linkra.

Analytics: We use a privacy-first, self-hosted analytics tool to measure aggregate usage — page views, feature usage rates, and session counts. This tool does not use cookies, does not collect personal identifiers, and does not share data with third parties. No individual user profiles are built.

What we do NOT use: We do not use Google Analytics, Meta Pixel, or any other third-party advertising or behavioral tracking technology. We do not participate in behavioral advertising networks.

Managing Cookies: You may delete or manage cookies at any time through your browser settings. Note that disabling session cookies will prevent you from staying logged into Linkra.

Linkra is not directed at and may not be used by children. The minimum age to use Linkra is 13 years old globally, and 16 years old for users in the European Economic Area, the United Kingdom, and other jurisdictions that set a higher digital consent age.

We do not knowingly collect personal information from children below the applicable minimum age. Because Linkra connects to social media platforms that themselves require minimum age compliance (Instagram and Facebook require users to be at least 13), we rely on those platforms' age verification in addition to our own.

If we become aware that a user is below the applicable minimum age, we will immediately suspend the account and delete all associated data. If you are a parent or guardian and believe your child has created a Linkra account without consent, please contact us immediately at privacy@linkra.io.

Protecting your data — especially your private messages — is our highest technical priority. We implement the following controls:

Encryption in Transit: All data transmitted between your device and Linkra servers uses TLS 1.3. All communication with social platform APIs uses TLS with certificate pinning where supported.

Encryption at Rest: Message data and OAuth tokens are encrypted at rest using AES-256. Passwords are hashed using bcrypt with a minimum cost factor of 12. Encryption keys are managed using a hardware security module (HSM) and rotated on a regular schedule.

Access Controls: Access to production systems is restricted to a small number of authorized Linkra engineers via multi-factor authentication and SSH key-based access. All access is logged and subject to audit. No engineer may access user message data without a formally logged and authorized reason.

Infrastructure: Linkra runs on SOC 2 Type II certified infrastructure. We conduct regular penetration testing and vulnerability assessments. We participate in a responsible disclosure program — security researchers may report vulnerabilities to security@linkra.io.

Incident Response: In the event of a data breach that affects your personal data, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Linkra is operated from the United States. If you access the Service from the EEA, UK, Switzerland, or any other jurisdiction with data transfer restrictions, your personal data will be transferred to and processed in the United States.

We ensure lawful transfer of personal data using the following mechanisms:

Standard Contractual Clauses (SCCs): We have executed the European Commission's Standard Contractual Clauses (2021 SCCs) with all sub-processors who handle EEA personal data, including infrastructure providers.

UK International Data Transfer Agreements (IDTAs): For transfers involving UK personal data, we have entered into the ICO's International Data Transfer Agreements (IDTAs) with relevant sub-processors.

Adequacy Decisions: Where the European Commission has issued an adequacy decision for the destination country, we rely on it as an additional safeguard.

By using the Linkra Service, you acknowledge the transfer of your data to the United States under the legal safeguards described above.

We may update this Privacy Policy to reflect changes in our product, applicable law, or platform API requirements. For material changes — especially changes that affect how we handle your message data or social media access — we will:

— Send an email to your registered address at least 30 days before changes take effect.

— Display a prominent in-app notice upon your next login.

— Update the "Last Updated" date at the top of this page.

— For changes that require new consent (e.g., new data uses), we will obtain your explicit consent before the change applies to your data.

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not accept material changes, you may delete your account and all associated data at any time.

An archive of previous versions of this policy is available upon request by emailing privacy@linkra.io.

If you have any questions, concerns, or data rights requests regarding this Privacy Policy or Linkra's data practices, please contact our Privacy Team:

For data subject rights requests (access, deletion, portability), please include your full name, the email address on your Linkra account, the platform(s) in question, and a description of your request. We may ask for identity verification before fulfilling any rights request to protect your account security.

EU Representative: For the purposes of GDPR, our EU representative for data protection matters may be contacted at eu-rep@linkra.io.