Privacy policy
Last updated: February 10, 2026
1. Introduction
Welcome to Thoth. We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at thoth.in.
This Privacy Policy applies to all users of our service and complies with the General Data Protection Regulation (GDPR) and Belgian data protection law.
2. Data controller
The data controller responsible for your personal data is:
Thoth
(operated by Slache, Belgian company number 0666444339, represented by Bastien Soret)
Rue Vieille Chera 6A
4140 Sprimont, Belgium
Email: info@thoth.in
3. Information we collect
3.1 Information you provide directly
When you create an account or use our service, we collect the following information:
- Email address
- Name
- Profile picture
3.2 Information from LinkedIn
When and how we collect LinkedIn data
We collect LinkedIn data only when you explicitly choose to connect your LinkedIn account through our service. This is a one-time data collection that occurs at the moment you authorize the connection. We do not automatically sync or refresh your LinkedIn data in the background. Any updates to your LinkedIn data require you to actively reconnect your LinkedIn account.
The connection process uses LinkedIn's OAuth 2.0 authorization flow, where you are redirected to LinkedIn's website to grant permission. LinkedIn data is accessed via the LinkedIn Member Data Portability API using the OpenID Connect userinfo endpoint.
What LinkedIn data we collect
With your explicit consent, we collect the following information from your LinkedIn profile:
- Profile picture URL - Used to display your LinkedIn profile picture in your Thoth profile
- LinkedIn profile URL - Your public LinkedIn profile link (e.g., linkedin.com/in/yourname)
- Followers count - Number of LinkedIn followers (if available on your profile)
- Email address - For account verification and communication
- Name - Your first and last name from LinkedIn
- Unique LinkedIn identifier - A secure identifier to link your LinkedIn profile to your Thoth account
Technical details: OAuth scope requested: openid profile email member_data_portability
How we use LinkedIn data
We use your LinkedIn data for the following purposes:
- Profile enhancement: Display your LinkedIn profile picture, follower count, and profile link within your Thoth account (visible only to you and your company members)
- Creator showcase (optional): If you explicitly opt in via the "Show on landing page" setting, we may display your LinkedIn profile picture, name, and follower count on our public landing page to showcase Thoth users. This is entirely optional and can be toggled on/off at any time in your profile settings.
- Account verification: Verify your identity using your LinkedIn email address
Important: We have read-only access to your LinkedIn data. We never post content to LinkedIn on your behalf. Thoth is a content generation tool that helps you draft LinkedIn posts, but you remain in full control of what gets published to your LinkedIn profile.
Consent and control
Your LinkedIn data is processed based on your explicit consent. We track two separate consents:
- OAuth authorization: When you click "Connect LinkedIn" and authorize Thoth on LinkedIn's website
- In-app consent toggle: Available in your Privacy Settings at /settings/privacy, which can be granted or revoked independently
Both consents are recorded with timestamps and logged with your IP address and browser information for security and compliance purposes. You can withdraw consent at any time through the methods described below.
How to disconnect LinkedIn
You can disconnect your LinkedIn account and delete all associated data at any time:
- Method 1: Go to your Profile page and click the "Disconnect LinkedIn" button
- Method 2: Go to Privacy Settings (/settings/privacy) and toggle off "LinkedIn Data Access"
- Method 3: Contact us at info@thoth.in to request LinkedIn data removal
When you disconnect LinkedIn, all LinkedIn data (profile picture, followers count, profile URL, name, email) is immediately removed from your account within 24 hours. Consent audit logs (which record that you granted/revoked consent but contain no personal LinkedIn data) are retained for 7 years for legal compliance purposes.
Data storage and security
Your LinkedIn data is stored in our secure PostgreSQL database hosted by Supabase (EU instance) with the same security measures as all other user data:
- Encrypted at rest and in transit (TLS/SSL)
- Access restricted to authorized personnel only
- Regular security audits and monitoring
- EU data residency (no LinkedIn data stored outside Europe)
3.3 Automatically collected information
When you access our service, we automatically collect certain technical information necessary to provide and improve our service:
- Log data (IP address, browser type, operating system)
- Device information
- Usage data (pages visited, features used, time spent)
- Essential cookies for authentication and session management
- Audit logs for privacy-sensitive actions (LinkedIn connection/disconnection, consent changes, data exports, account deletion requests) including IP address and browser information for security and compliance purposes
4. How we use your information
We use your personal data for the following purposes:
- To provide and maintain our service: Creating and managing your account, authenticating users, and delivering core service functionality
- Profile enrichment: Using LinkedIn data to enhance your profile within our service
- Public creator showcase (optional): With your explicit opt-in consent via the "Show on landing page" setting, we may display your LinkedIn profile picture, name, and follower count on our public landing page to showcase Thoth creators. This is entirely optional and can be disabled at any time in your profile settings.
- To communicate with you: Sending service-related notifications, responding to your inquiries, and providing customer support
- To improve our service: Analyzing usage patterns, identifying technical issues, and developing new features
- To ensure security: Detecting and preventing fraud, abuse, and security incidents
- To comply with legal obligations: Meeting our legal and regulatory requirements
5. Legal basis for processing
Under GDPR, we process your personal data based on the following legal grounds:
- Consent: For collecting and processing LinkedIn data, you provide explicit consent through LinkedIn's OAuth authorization flow AND a separate in-app consent toggle. Both consents must be granted for LinkedIn data collection. Consent includes timestamp tracking and can be withdrawn at any time via Privacy Settings (/settings/privacy) or by disconnecting your LinkedIn account from your Profile page.
- Contract performance: Processing necessary to provide our service under our Terms of Service
- Legitimate interests: For service improvement, security, and fraud prevention, where such processing does not override your rights
6. Data sharing and disclosure
6.1 Third-party service providers
We share your personal data with trusted third-party service providers who assist us in operating our service. These providers are contractually obligated to protect your data and use it only for the purposes we specify:
- Supabase: Database and backend infrastructure services
- LinkedIn: OAuth authentication and Member Data Portability API for profile data enrichment (read-only access, no posting capabilities)
- Google Cloud Platform (GCP): Cloud hosting and application deployment
- Lemon Squeezy: Payment processing services
- OpenAI and Anthropic: AI model providers used to generate content based on your inputs
- Upstash (Redis): Rate limiting to protect the service from abuse
- Canny: Product feedback and roadmap platform
- Resend: Transactional emails (e.g. invitations)
Some of these providers may process data outside the European Economic Area (EEA). Where applicable, we rely on appropriate safeguards (such as standard contractual clauses) to protect your personal data.
6.2 We do not sell your data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
6.3 Legal requirements
We may disclose your personal data if required by law, court order, or governmental authority, or to protect our rights, property, or safety.
7. International data transfers
We primarily process and store data within the European Economic Area (EEA). Some third-party service providers may process limited data outside the EEA. Where that happens, we ensure appropriate safeguards are in place.
8. Data retention
We retain your personal data for as long as your account remains active. This includes:
- Account information (email, name, profile picture)
- LinkedIn data (followers count, profile picture)
LinkedIn-specific retention: LinkedIn data (profile picture, followers count, profile URL, name, email) is retained while your account is active AND your LinkedIn account is connected. When you disconnect LinkedIn (via Profile page or Privacy Settings), all LinkedIn data is deleted within 24 hours. Consent audit logs (which record consent decisions but contain no personal LinkedIn data) are retained for 7 years for legal compliance purposes.
When you delete your entire Thoth account, we will delete or anonymize all your personal data (including any LinkedIn data) within 30 days, except where we are required to retain certain information for legal or regulatory purposes (such as financial records for tax compliance).
9. Data security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Secure authentication mechanisms
- Regular security assessments and updates
- Restricted access to personal data on a need-to-know basis
- Regular data backups with secure storage
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
10. Your rights under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can request correction of inaccurate or incomplete personal data
- Right to erasure: You can request deletion of your personal data ("right to be forgotten")
- Right to restriction: You can request that we restrict processing of your personal data
- Right to data portability: You can request your personal data in a structured, machine-readable format
- Right to object: You can object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you can withdraw your consent at any time. For example, to withdraw consent for LinkedIn data collection: (1) Disconnect LinkedIn from your Profile page, (2) Toggle off LinkedIn consent in Privacy Settings (/settings/privacy), or (3) Contact us at info@thoth.in. Withdrawal takes effect within 24 hours.
To exercise any of these rights, please contact us at info@thoth.in. We will respond to your request within one month of receipt.
11. Cookies and tracking technologies
We use essential cookies and similar technologies to:
- Authenticate users and manage sessions
- Remember your preferences and settings
- Ensure the security and proper functioning of our service
These cookies are strictly necessary for the operation of our service. Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies. However, this may prevent you from using certain features of our service.
12. Children's privacy
Our service is generally intended for users aged 16 and over. However, if a user under 16 years of age registers for our service, we process their personal data in accordance with GDPR's heightened protections for children.
If you are a parent or guardian and believe your child under 16 has provided us with personal data without your consent, please contact us at info@thoth.in, and we will take appropriate action.
13. Automated decision-making and profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
14. Changes to this privacy policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes, we will notify you by:
- Posting the updated Privacy Policy on our website with a new "Last updated" date
- Sending you an email notification if the changes significantly affect your rights
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. Contact us and complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
By email: info@thoth.in
By mail: Thoth (Slache, Belgian company 0666444339), Rue Vieille Chera 6A, 4140 Sprimont, Belgium
You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) if you believe we have not handled your personal data in accordance with the law:
Autorité de protection des données
Rue de la Presse 35, 1000 Brussels, Belgium
Phone: +32 2 274 48 00
Email: contact@apd-gba.be
Thank you for trusting Thoth with your personal data.