Privacy Policy
Effective date: March 25, 2026
Publio ("we", "our", "us") provides a service that allows users to publish content to LinkedIn through AI assistants such as Claude and ChatGPT. This Privacy Policy explains how we collect, use, and protect your information.
1. Information We Collect
When you use Publio, we collect:
- Account information - Your email address when you sign up.
- LinkedIn connection data - When you connect your LinkedIn account via OAuth, we receive your LinkedIn name, email, and a unique identifier (person URN). We also receive an access token that allows us to post on your behalf.
- Post metadata - We log the length of posts and timestamps for service metrics. We do not store the full text of your posts.
- Payment information - If you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID and subscription status. We never see or store your credit card number.
- API usage - We log API key usage timestamps for rate limiting and security.
2. How We Use Your Information
- To publish LinkedIn posts on your behalf when you explicitly request it.
- To display your LinkedIn connection status on your dashboard.
- To manage your subscription and billing.
- To monitor service health and prevent abuse.
3. Legal Basis for Processing
We process your personal information on the following legal bases:
- Contractual necessity. Processing your account information, LinkedIn connection, and API usage is necessary to provide the service you signed up for.
- Legitimate interest. We process service health metrics and usage logs to maintain security, prevent abuse, and improve the service. These interests are balanced against your privacy rights.
- Consent. When you connect your LinkedIn account via OAuth, you explicitly consent to Publio accessing your LinkedIn profile and posting on your behalf. You may withdraw this consent at any time by disconnecting your LinkedIn account from the dashboard.
4. LinkedIn Access
We request the following LinkedIn permissions:
- openid, profile, email - To identify your LinkedIn account.
- w_member_social - To create posts on your LinkedIn feed when you request it.
We will never post to your LinkedIn account without your explicit instruction. Every publish action requires you to confirm (or disable dry-run mode) in your AI assistant.
5. Data Security
Your LinkedIn access token is encrypted at rest using AES-256-GCM. The encryption key is stored separately from the encrypted data using additional database-level security. API keys are stored as one-way hashes (SHA-256) and cannot be recovered. All data is transmitted over HTTPS. Sensitive data is stored in isolated database schemas that are not accessible to client applications.
6. Data Retention
- LinkedIn tokens expire after 60 days. Expired tokens are deleted.
- If you delete your account, all associated data (LinkedIn connection, API keys, subscription, post logs) is permanently removed.
- You can disconnect your LinkedIn account at any time from the dashboard, which immediately deletes your stored token.
7. Third-Party Services
We use the following third-party services to provide Publio. Your data may be processed by these services in accordance with their respective privacy policies and data processing agreements:
8. International Data Transfers
Your data may be processed and stored in countries outside your country of residence. Our third-party service providers (Supabase, Stripe) operate infrastructure in multiple regions, including the United States and the European Union. These transfers are governed by the data processing agreements of each provider, which include appropriate safeguards such as Standard Contractual Clauses where required by applicable law.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- View your connected LinkedIn account and subscription status on the dashboard.
- Disconnect your LinkedIn account at any time, which immediately deletes your stored access token.
- Revoke your API keys at any time.
- Delete your account and all associated data.
- Request a copy of your personal data by contacting us.
- Request correction of inaccurate personal data.
- Object to or request restriction of processing in certain circumstances.
- Lodge a complaint with your local data protection authority if you believe your rights have been violated.
To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.
10. Cookies
We use essential cookies only for authentication (session management). We do not use tracking cookies or third-party analytics.
11. Data Protection Contact
For questions or requests related to data protection and privacy, including GDPR inquiries, contact our data protection team at: [email protected]
If you are located in the European Economic Area and believe that your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local supervisory authority.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes via email or dashboard notification.
13. Contact
For general privacy-related questions, contact us at: [email protected]