Ralfy Privacy Policy - Complete Document

This document contains the full Privacy Policy content for Ralfy, based on actual data practices found in the codebase.

Last Updated: December 16, 2024


Page Header Content

  • Tag: "Last updated: December 16, 2024"
  • Title: "Privacy Policy"
  • Subtitle: "Welcome to Ralfy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website, application, and Chrome extension."

TL;DR Summary

The short version for busy people:

  • What we collect: Your LinkedIn profile info, comments you post, and usage data
  • What we share: Post content goes to OpenAI for AI comments (only if you use that feature). Payment info goes to Lemon Squeezy. We don't sell your data.
  • How long we keep it: Account data until you delete. Logs as long as needed for service operation.
  • Your rights: You can access, export, correct, or delete your data anytime. Email hey@ralfy.app.
  • Cookies: We use essential cookies only (auth, drafts). No advertising cookies.

Read on for the full details.


Section 1: Information We Collect

We collect information from the following sources:

Information you provide directly:

  • Account registration details
  • Onboarding preferences
  • Comments and content you create

Information collected automatically:

  • Device and browser information
  • Usage data and logs
  • IP address and location

Information from third parties:

  • LinkedIn profile data (with your permission)

1.1 LinkedIn Profile Information

When you connect your LinkedIn account, we collect and store:

  • Your LinkedIn public ID (username)
  • Full name and profile headline
  • Profile photo URL
  • Current company and job title
  • Bio/About section
  • Work history
  • Follower and connection counts

This information helps us personalize your experience and provide AI-assisted features.

1.2 Account Information

When you create an account, we collect:

  • Email address (via Supabase authentication)
  • Onboarding preferences (your role, goals, challenges)
  • AI settings preferences

1.3 LinkedIn Session Data

To access LinkedIn on your behalf, we store:

  • Your LinkedIn authentication cookie (li_at)
  • Session validity status
  • Last synchronization timestamp

This data is encrypted and used solely to fetch your LinkedIn feed and post comments on your behalf.

1.4 Usage Data

We automatically collect:

  • IP address and approximate geographic location
  • Browser type and User-Agent string
  • Pages visited and features used
  • API request logs (action type, success/failure, duration)
  • Error information for debugging purposes

1.5 Content You Create

We store content you create through our Service:

  • Comments you post to LinkedIn via Ralfy
  • Reply drafts (stored locally in your browser for 24 hours)
  • Custom feed configurations
  • Engagement history (posts you've interacted with)

1.6 AI Generation Data

When you use our AI comment features, we log:

  • The intent you selected (insight, curious, support)
  • Whether your profile context was included
  • Tokens consumed
  • Timestamp of generation

We do NOT store the AI-generated comments themselves unless you choose to post them.

1.7 Chrome Extension Data

Our Chrome extension collects:

  • Authentication tokens (stored locally, expire in 24 hours)
  • LinkedIn session status
  • Cached feed data (expires in 15 minutes)

The extension reads your LinkedIn authentication cookie solely to detect session expiration and notify you.


Section 2: How We Use Your Information

We use the collected information for the following business purposes:

Provide Core Services

  • Display your personalized LinkedIn feed
  • Generate AI-assisted comment suggestions
  • Track your engagement and reciprocity with connections
  • Route API requests through appropriate geographic proxies

Improve Our Service

  • Analyze usage patterns and feature adoption
  • Debug errors and improve performance
  • Develop new features based on user needs

Communicate With You

  • Send service-related notifications
  • Notify you when your LinkedIn session expires
  • Respond to support requests

Ensure Security

  • Detect and prevent fraud or abuse
  • Monitor for Terms of Service violations
  • Maintain system security and integrity

Section 3: Information Sharing and Third Parties

We do not sell your personal information. We have not sold personal information in the preceding 12 months and do not plan to sell personal information in the future.

3.1 OpenAI

When you generate AI comments, we send to OpenAI:

  • The LinkedIn post content you're commenting on
  • The post author's name and headline
  • Your profile context (headline, company, title, goals) - only if you've enabled this setting

We do NOT send: your email, IP address, or authentication tokens.

Important: OpenAI may retain data sent to their API for up to 30 days for abuse monitoring. See OpenAI's Privacy Policy for details.

3.2 Payment Processing (Lemon Squeezy)

When you subscribe to a paid plan, Lemon Squeezy (our merchant of record) collects:

  • Payment card information
  • Billing address
  • Transaction history

We do not store your full credit card number. We receive only transaction confirmations and subscription status. See Lemon Squeezy's Privacy Policy for details.

3.3 Infrastructure Services

We use the following services to operate Ralfy:

| Service | Data Shared | Purpose | Privacy Policy |
|---------|-------------|---------|----------------|
| Supabase | All database data | Database hosting (AWS US regions) | Link |
| IPRoyal | LinkedIn API requests | Proxy routing | Link |
| ipapi.co | IP address | Country detection | Link |
| Sentry | User ID, errors | Error tracking | Link |

3.4 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect the rights, property, or safety of Ralfy, our users, or others.


Section 4: Data Storage and Security

4.1 Where We Store Data

Your data is stored in:

  • Supabase (PostgreSQL) - Cloud database hosted on AWS in United States regions
  • Your browser - Local storage for drafts and extension tokens
  • Chrome extension storage - Authentication tokens and cached data

4.2 Security Measures

We implement security measures including:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure authentication via Supabase
  • Access controls and authentication for all API endpoints
  • Regular security reviews

4.3 Data Retention

We retain your data for the following periods:

| Data Type | Retention Period |
|-----------|------------------|
| Account data | Until you delete your account + 30 days |
| LinkedIn profile data | Until you delete your account |
| Comment history | Until you delete your account |
| Reply drafts | 24 hours (browser storage) |
| API logs | As long as necessary for service operation |
| AI generation logs | As long as necessary for service operation |
| Error logs (Sentry) | 30 days (per Sentry's policy) |
| Extension tokens | 24 hours |

After account deletion, we may retain anonymized data for analytics purposes.

4.4 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users via email within 72 hours of discovery
  • Notify relevant supervisory authorities as required by law
  • Provide information about what data was affected and steps you can take

Section 5: Your Rights and Choices

5.1 Access and Export

You can access your data through your account settings. Contact us at hey@ralfy.app to request a full data export. We will respond to your request within 45 days.

5.2 Deletion

You can delete your account at any time through account settings or by contacting us. Upon deletion:

  • Your profile data will be permanently deleted within 30 days
  • Your LinkedIn session will be invalidated
  • Your custom feeds and settings will be removed
  • API and error logs will be anonymized

5.3 Correction

You can update your account information through your account settings. For LinkedIn profile data, update your LinkedIn profile and re-sync with Ralfy.

5.4 AI Profile Context

You can control whether your LinkedIn profile information is sent to OpenAI for comment generation. Toggle this setting in your account preferences at any time.

5.5 Withdraw Consent

You can withdraw consent for data processing at any time by:

  • Disabling specific features in account settings
  • Disconnecting your LinkedIn account
  • Deleting your account entirely

Withdrawing consent does not affect the lawfulness of processing before withdrawal.

5.6 Communication Preferences

You can unsubscribe from marketing emails at any time. Service-related notifications (like session expiration alerts) cannot be disabled while using the Service.

5.7 Verification

To protect your privacy, we may need to verify your identity before processing data requests. We will ask you to confirm your email address or provide additional information to match our records.


Section 6: Cookies and Tracking

6.1 Cookies We Use

| Cookie/Storage | Purpose | Duration |
|----------------|---------|----------|
| Supabase auth | Authentication | Session |
| Extension tokens | API access | 24 hours |
| Draft storage | Save comment drafts | 24 hours |
| Cache data | Performance optimization | 15 minutes |

6.2 Third-Party Cookies

We do not use third-party advertising cookies. Our error tracking service (Sentry) may set cookies for session tracking.

6.3 Do Not Track

Some browsers have a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals because there is no industry standard for handling them. We do not track users across third-party websites.

6.4 Browser Controls

You can control cookies through your browser settings. Disabling cookies may affect your ability to use certain features.


Section 7: Automated Decision-Making

7.1 AI Comment Generation

Ralfy uses artificial intelligence to generate comment suggestions. This is considered automated processing. You should know:

  • AI suggestions are recommendations only - you decide whether to post them
  • You can review, edit, or reject any AI-generated content before posting
  • AI processing does not make decisions that have legal or significant effects on you
  • You can disable AI features at any time in your account settings

7.2 Your Right to Object

You have the right to object to automated processing. To opt out of AI features while still using Ralfy, disable AI comment generation in your account settings.


Section 8: LinkedIn Compliance

8.1 Your LinkedIn Data

Ralfy accesses your LinkedIn account with your permission. We:

  • Fetch your feed content to display in our interface
  • Post comments on your behalf when you approve them
  • Read your profile information for personalization

8.2 LinkedIn's Policies

You remain responsible for complying with LinkedIn's Terms of Service and Professional Community Policies. LinkedIn may modify or restrict third-party access at any time.

8.3 Not Affiliated

Ralfy is not affiliated with, endorsed by, or sponsored by LinkedIn Corporation. LinkedIn is a trademark of LinkedIn Corporation.


Section 9: Children's Privacy

Ralfy is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at hey@ralfy.app and we will delete such information.


Section 10: International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable laws, including:

  • Standard contractual clauses approved by relevant authorities
  • Data processing agreements with all service providers

Section 11: California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your Rights

  • Right to Know: You can request what personal information we collect, use, and disclose
  • Right to Delete: You can request deletion of your personal information
  • Right to Correct: You can request correction of inaccurate personal information
  • Right to Opt-Out: You can opt out of the sale or sharing of personal information
  • Right to Limit: You can limit the use of sensitive personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

We Do Not Sell Your Data

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, we do not offer an opt-out for sale of personal information.

Categories of Information

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, IP address)
  • Professional information (job title, company, work history)
  • Internet activity (browsing history within our Service, interactions)
  • Geolocation data (approximate location from IP)
  • Inferences (engagement patterns, preferences)

How to Exercise Your Rights

To exercise your California privacy rights, contact us at:

  • Email: hey@ralfy.app

We will respond to your request within 45 days. If we need more time, we will notify you of the extension and the reason.


Section 12: European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Your Rights

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request we limit how we use your data
  • Portability: Request your data in a portable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time for consent-based processing
  • Complaint: Lodge a complaint with a supervisory authority

Legal Basis for Processing

We process your data based on:

  • Contract: Necessary to provide our Service to you
  • Legitimate Interests: Improving our Service, preventing fraud, ensuring security
  • Consent: Optional features like AI profile context inclusion

Data Controller

Ralfy acts as the data controller for your personal information.

Supervisory Authority

If you are in the EEA and believe we have violated your data protection rights, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

How to Exercise Your Rights

Contact us at hey@ralfy.app. We will respond within 30 days (or 45 days for complex requests, with notice).


Section 13: Changes to This Policy

We may update this Privacy Policy from time to time. We review and update this policy at least once every 12 months.

We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

Your continued use of the Service after changes constitutes acceptance of the updated policy.


Section 14: Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: hey@ralfy.app

For privacy-related requests (access, deletion, correction), please include "Privacy Request" in your email subject line. We will respond within 45 days.


Appendix: Complete Data Inventory

For transparency, here is a complete list of data we collect:

Database Tables & Fields

user_profiles

  • linkedin_public_id, linkedin_name, linkedin_headline, linkedin_avatar
  • linkedin_company, linkedin_current_title, linkedin_bio
  • work_history (JSON), follower_count, connection_count
  • browser_user_agent, detected_ip, proxy_country
  • ai_include_background, onboarding preferences
  • created_at, updated_at, deleted_at

linkedin_sessions

  • cookies (li_at token), is_valid, last_synced_at

posts

  • Post content, media, reactions, comments, shares
  • Author information, post URL

user_engagements

  • Comment text, reaction type, engagement source
  • Post reference, timestamps

linkedin_api_logs

  • Action type, status, error details
  • Duration, request metadata

ai_generation_logs

  • Intent, context flags, tokens used, model, timestamp

Chrome Web Store Compliance

Our use of information received from Chrome APIs adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Chrome API data (cookies, storage, tabs) to provide and improve the Ralfy feed management and AI commenting features described in this policy
  • We do not sell or transfer this data to third parties for advertising, data brokering, or credit assessment purposes
  • We do not use this data for purposes unrelated to the extension's core functionality

Third-Party Data Sharing Summary

| Recipient | Data Shared | Purpose | Retention |
|-----------|-------------|---------|-----------|
| OpenAI | Post content, author info, user profile (optional) | AI comment generation | 30 days |
| Lemon Squeezy | Payment info, billing address | Payment processing | Per their policy |
| Supabase | All database data | Data storage | Until deletion |
| IPRoyal | LinkedIn API requests | Proxy routing | No retention |
| ipapi.co | IP address | Country detection | Per their policy |
| Sentry | User ID, errors | Error tracking | 30 days |