Privacy Policy
Last updated: April 12, 2026
1. What we collect
When you sign in with LinkedIn, we receive your first name, last name, email address, profile photo URL, and LinkedIn member ID. If you connect a GitHub account, we additionally receive your GitHub username, user ID, avatar URL, and bio.
When you write an endorsement, we store the message text, skill tags, and the identities of both the endorser and the recipient. Endorsements are non-anonymous by design.
We log aggregate usage data (token counts, endpoint, timestamps) for cost monitoring and rate limiting. We do not log the content of your chat messages with the endorsement assistant.
We use LinkedIn exclusively as a means of identity verification — to confirm you are a real professional and to populate your display name, email, and profile photo. We do not import your LinkedIn connections, activity, or work history. We do not share, sell, or use LinkedIn data for advertising, recruiting, or building a competing professional network.
2. How we use it
- Authenticate you and maintain your session.
- Display your public profile and endorsements to other users.
- Run endorsements through an AI validation agent before publishing.
- Enforce rate limits and prevent abuse.
- Respond to support requests.
3. What we share
Your public profile (name, username, bio, linked accounts, accepted endorsements) is visible to anyone who visits your profile URL or queries the MCP validation endpoint. We do not sell your data or share it with third-party advertisers.
Endorsement messages are sent to Anthropic's API for AI-assisted drafting. Anthropic's data usage policy applies to that processing. We do not send your data to any other third-party AI provider.
4. Data retention
Your account and endorsement data are retained as long as your account exists. You may request deletion of your account and all associated data by contacting us. Declined endorsements are retained in the database but are never displayed publicly.
5. Cookies
We use a session cookie (set by Auth.js) to keep you signed in, and we store your theme preference in localStorage. We do not use tracking cookies or third-party analytics.
6. Your rights
You can request access to, correction of, or deletion of your personal data at any time by contacting us. If you are in the EU/EEA, you have additional rights under the GDPR including the right to data portability and the right to lodge a complaint with a supervisory authority.
7. Security
All traffic is served over HTTPS (enforced by the .app TLD). Passwords are never stored — authentication is handled entirely via OAuth. Database credentials and API keys are stored in environment variables, never in source code.
8. Changes
We may update this policy from time to time. Material changes will be noted on this page with an updated “Last updated” date.
9. Contact
Questions about this policy? Reach out at [email protected].