Privacy Policy

Last updated: April 1, 2026

Linbox ("we", "us", "our") is a web application that helps you organize your LinkedIn inbox. We take your privacy seriously. This policy explains exactly what data we collect, how we use it, and what we don't do. We believe you should always know what's happening with your data, so we've written this in plain language.

1. What We Collect

Account Information

When you create a Linbox account, we store the following on our servers:

  • Email address (used for account identification and billing)
  • Name (first name, last name, if provided)
  • Stripe customer ID (to manage your subscription)
  • Subscription status and billing period (active, trial, canceled, etc.)
  • Account creation date and last login timestamp

Conversation Metadata

To power features like labels, reminders, and split inbox, we sync the following metadata from your LinkedIn conversations to our servers. This is metadata only, not the content of your messages:

  • Conversation identifiers (LinkedIn thread URNs)
  • Last activity timestamps and read/unread status
  • Message previews (the first ~200 characters of the last message in each conversation)
  • Participant identifiers (LinkedIn profile URNs of people in the conversation)
  • Conversation category (focused, other, InMail, sponsored)
  • Your labels, notes, archive/star/pin status, and reminder settings (these are created by you in Linbox)
  • Contact names, headlines, and profile picture URLs (synced from LinkedIn for display purposes)

Data Stored Locally Only (Your Browser)

The following data is cached in your browser's IndexedDB and is never sent to our servers:

  • Full message content and message history
  • Detailed participant profile information (headline, location, profile photo)
  • Conversation thread cache
  • Authentication tokens (JWT stored in localStorage)

Usage and Analytics Data

We collect anonymized usage data to improve Linbox:

  • Feature usage events (e.g., labels applied, reminders set, keyboard shortcuts used)
  • Page views within the Linbox app
  • IP address and user agent (stored in audit logs for security purposes)
  • Aggregated daily metrics (total active users, feature adoption rates)

2. What We Don't Collect

We want to be clear about what we never do:

  • We never store your LinkedIn password or credentials
  • We never store the full content of your LinkedIn messages on our servers
  • We never access or store your LinkedIn connections list on our servers
  • We never sell, share, or trade your personal data with third parties for advertising
  • We never use third-party tracking services (no Google Analytics, no Mixpanel, no Segment, no ad pixels)
  • We never scrape LinkedIn data or automate actions on your behalf
  • We never modify your LinkedIn profile, send messages as you, or take any action on LinkedIn without your explicit initiation

3. How We Use Your Data

  • Provide the Linbox service: labels, reminders, split inbox, keyboard shortcuts, and conversation sync
  • Process payments and manage your subscription via Stripe
  • Send transactional emails related to your account (billing, password reset)
  • Improve the product based on aggregated, anonymized usage patterns
  • Detect and prevent abuse, fraud, or unauthorized access
  • Respond to support requests

4. LinkedIn Integration

Linbox works by syncing with your LinkedIn messaging through a lightweight Chrome extension. Here's how this works:

  • The extension reads your existing LinkedIn session cookies (li_at and JSESSIONID) to authenticate API requests. These cookies are never stored or sent to our servers.
  • All LinkedIn API calls are made directly from your browser, using your existing session. We act as if you are browsing LinkedIn yourself.
  • We access the same LinkedIn Voyager APIs that LinkedIn's own web interface uses. We do not use any unauthorized or undocumented access methods.
  • We do not inject code into LinkedIn's pages, modify LinkedIn's DOM, or alter LinkedIn's behavior in any way.
  • We do not automate any LinkedIn actions. Every action (sending a message, accepting an invite) is explicitly initiated by you through the Linbox interface.
  • LinkedIn works exactly the same with or without Linbox installed.

5. Chrome Extension

The Linbox Chrome extension serves as an invisible bridge between your LinkedIn session and the Linbox web app. It runs in the background and does not modify any web page.

Permissions requested and why:

  • storage: To store a device-specific secret key used for authentication. No personal data is stored in extension storage.
  • cookies: To read LinkedIn's session cookies (li_at, JSESSIONID) for API authentication. These cookies are read-only and never sent to our servers.
  • declarativeNetRequest: To modify HTTP request headers when communicating with LinkedIn's API, ensuring requests are properly formatted.
  • offscreen: To perform background processing when needed, without affecting your browsing experience.

Host permissions:

  • https://www.linkedin.com/*: To make API requests to LinkedIn's messaging endpoints using your existing session.
  • https://app.uselinbox.com/*: To communicate between the extension and the Linbox web app via a secure content script bridge.

6. Third-Party Services

We use the following third-party services to operate Linbox:

  • Supabase (database and authentication): Hosts our database and handles user authentication. Your account data and conversation metadata are stored on Supabase's infrastructure. Supabase is SOC 2 Type II compliant.
  • Stripe (payment processing): Handles all payment processing. We never see or store your full credit card number, CVV, or billing address. Stripe is PCI DSS Level 1 compliant.
  • Vercel (hosting): Hosts the Linbox website. Standard web server logs may be collected by Vercel.
  • LinkedIn (data source): We access LinkedIn's messaging APIs using your existing session. See section 4 for details.

7. Data Storage and Security

We take reasonable measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS
  • Database access is restricted through Row Level Security (RLS) policies. You can only access your own data.
  • Authentication tokens expire and are automatically refreshed
  • The extension generates a unique device secret for authentication. Your LinkedIn password is never stored or transmitted.
  • We do not store sensitive payment information. All payment data is handled by Stripe.
  • Participant data (names, photos) is cached locally in your browser only and is never sent to our servers

8. Data Retention

  • Account data: Retained for as long as your account is active. Deleted when you delete your account.
  • Conversation metadata: Retained for as long as your account is active. You can delete individual conversation data (labels, notes, reminders) at any time.
  • Local browser data (IndexedDB): Controlled by you. Cleared when you clear browser data, uninstall the extension, or sign out.
  • Audit logs (IP, user agent): Retained for up to 180 days for security purposes.
  • Usage analytics: Retained in aggregated, anonymized form. Individual event data is retained for up to 12 months.
  • Stripe billing data: Retained as required by applicable tax and accounting regulations.

9. Your Rights

You have the following rights regarding your data:

  • Access: You can request a copy of all data we hold about you.
  • Correction: You can update your account information at any time.
  • Deletion: You can delete your account from your account settings. This permanently removes all your data from our servers, including conversation metadata, labels, notes, and reminders.
  • Portability: You can request your data in a machine-readable format.
  • Objection: You can object to specific data processing activities.
  • Local data control: You can clear all locally cached data by clearing your browser data or uninstalling the extension.

10. Cookies

Linbox itself does not set any cookies. We store authentication tokens in your browser's localStorage (not cookies). The Chrome extension reads LinkedIn's existing session cookies (li_at, JSESSIONID) for authentication purposes only. These cookies are set by LinkedIn, not by Linbox, and we never modify, store, or transmit them to our servers.

11. Children's Privacy

Linbox is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you through the Linbox app or by email. The "last updated" date at the top of this page indicates when the policy was last revised. Continued use of Linbox after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how we handle your data, please contact us at contato@dendelabs.com.
