Linked APILinked API

Data Processing Addendum

Last Updated: July 3, 2026

This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Terms of Use between you (“Controller”) and What the Flutter OÜ (“Processor,” “What the Flutter,” “we,” or “us”). It applies where, and to the extent that, the Processor processes personal data on the Controller’s behalf in providing Linked API (the “Service”). It reflects the parties’ obligations under Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and, where applicable, the equivalent UK GDPR. Where this DPA conflicts with the Terms of Use or the Privacy Policy with respect to the processing of Controller Personal Data, this DPA prevails.

This DPA applies automatically to every Controller that uses the Service to process personal data through it; no signature is required for it to take effect. If your organization requires a countersigned copy for its records, contact us at support@linkedapi.io.

1. Roles of the Parties

For personal data that the Controller retrieves, collects, sends, or otherwise processes through the Service (“Controller Personal Data”), the Controller acts as the controller and What the Flutter acts as the processor. To the extent What the Flutter processes Controller Personal Data, the Controller determines the purposes and the essential means of that processing, and What the Flutter processes it only as described in this DPA.

Allocation of decisions. In particular, the Controller determines the business purpose; the target accounts and profiles; the workflows and actions to run; the message, comment, and content to send; the categories of third-party data requested; the recipients and any onward use; the lawful basis and any required notices to data subjects; and the configurable retention, export, and deletion instructions. The parties intend that What the Flutter determines the implementation means necessary to provide, secure, monitor, and maintain the Service – including the cloud-browser infrastructure, per-account session isolation, proxy and network routing, workflow scheduling, security controls, operational logging, and reliability measures – and applies them only to provide the Service or for the independent-controller purposes stated in the Privacy Policy. If a supervisory authority or court determines that any processing is subject to joint-controller obligations, the parties will cooperate in good faith to put in place any arrangement required by Article 26 GDPR, without prejudice to their respective positions.

What the Flutter is an independent controller – for its own purposes and outside the scope of this DPA – for the data it processes to operate, secure, and administer the Service, including Linked API account and authentication data, security and abuse-prevention data, service and operational logs, billing data, and product analytics, as described in the Privacy Policy.

2. Subject-Matter, Nature, and Purpose of Processing

The Processor processes Controller Personal Data solely to execute the browser-automation workflows that the Controller configures and initiates through the Service – that is, to retrieve, store, deliver, or act upon Controller Personal Data on the Controller’s behalf, and to provide related Service functionality. The Processor does not process Controller Personal Data for its own purposes.

Duration. The Processor processes Controller Personal Data for the term of the Controller’s subscription and for the retention periods described in the Privacy Policy. In any event, the Processor deletes or returns Controller Personal Data on the Controller’s instruction at any time, and upon termination of the Service, in accordance with Section 4(g).

3. Types of Personal Data and Categories of Data Subjects

Types of personal data. Depending on the workflows the Controller configures, this may include:

  • Identifiers and professional-profile data of third parties made available to the Controller’s connected account through the Service (for example names, headlines, job titles, employers, education, skills, and public post or company data);
  • Message, comment, and connection-note content, and other User Content the Controller provides for the Service to send or process;
  • The authentication and session state of the connected account, held within the dedicated cloud browser and used solely to perform the Controller’s authorized actions;
  • Workflow configurations, commands, and returned results; and
  • Workflow and operation metadata and logs, to the extent they contain Controller Personal Data.

For clarity, workflow and operation logs are Controller Personal Data only to the extent they contain data processed solely to execute or evidence the Controller’s workflows. Logs and metadata that What the Flutter processes for its own security, abuse-prevention, reliability, legal, billing, analytics, or service-administration purposes are independent-controller data, outside the scope of this DPA.

Categories of data subjects. The individuals whom the Controller targets, or whose profiles the Controller’s workflows access, through the Service (for example, members of the connected third-party platform), and the holder of the connected account.

Special categories. The Controller must not intentionally configure workflows to collect or infer special categories of personal data (Article 9 GDPR) through the Service, and will notify What the Flutter if it becomes aware that such data has been included.

4. Processor Obligations (GDPR Article 28(3)(a)–(h))

The Processor shall:

(a) Documented instructions. Process Controller Personal Data only on the Controller’s documented instructions – comprising the workflow configurations and commands the Controller issues through the Service, together with any written instructions sent to support@linkedapi.io – including with regard to transfers, unless required to do otherwise by EU or Member-State law, in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such notice.

(b) Confidentiality. Ensure that persons authorized to process Controller Personal Data are bound by an appropriate obligation of confidentiality.

(c) Security. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include: encryption of data in transit; a dedicated, isolated cloud-browser session per connected account; access controls and authentication for production systems; and access and operation logging. The Controller’s connected-account password is entered by the Controller directly in the cloud browser and is not stored by What the Flutter. A fuller description is in the “Data Security” section of the Privacy Policy.

(d) Sub-processors. Engage sub-processors only under a written contract imposing data-protection obligations equivalent to those in this DPA. The sub-processors we currently use are identified in Annex III (Section 9 summarizes the categories). Where an entry in Annex III is described by function rather than named, or where a Controller requires the completed SCC or UK Addendum annexes, we provide the specific entity, location, and transfer mechanism on request. What the Flutter will give the Controller at least 30 days’ prior notice – by email or by updating the list it makes available to Controllers – of the addition or replacement of a sub-processor, except where a shorter period is needed to address a security or availability risk, and the Controller may object on reasonable data-protection grounds within that period.

(e) Data-subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests to exercise the rights of data subjects under Chapter III GDPR.

(f) Assistance and breach notification. Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor; and notify the Controller without undue delay after becoming aware of a personal-data breach affecting Controller Personal Data.

(g) Deletion or return. At the Controller’s choice, delete or return all Controller Personal Data to the Controller after the end of the provision of the Service, and delete existing copies, unless EU, Member-State, UK, or other applicable law requires storage of the personal data.

(h) Audit. Make available to the Controller the information necessary to demonstrate compliance with the obligations in this Section and Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. In the first instance, audits are satisfied by up-to-date documentation, certifications, and responses to reasonable questionnaires. If those are insufficient to demonstrate compliance, the Controller, or an independent auditor it appoints, may conduct a reasonable inspection under appropriate security and confidentiality controls. Any on-site inspection is limited to once per year (absent a documented security incident affecting the Controller) and conducted during business hours on reasonable prior notice; no audit may expose other customers’ data or compromise production security, and direct access to production systems is not required unless strictly necessary and supervised. The Controller bears the reasonable costs of an audit it requests, unless the audit identifies material non-compliance or follows a personal-data breach caused by What the Flutter.

5. International Transfers

Where a restricted transfer of Controller Personal Data outside the European Economic Area (“EEA”) requires Standard Contractual Clauses (“SCCs”), the parties incorporate by reference the applicable module(s) of the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as appropriate to the actual transfer:

  • Module Two (controller to processor), where a restricted controller-to-processor transfer to the Processor actually occurs;
  • Module Three (processor to processor) for transfers to sub-processors; and
  • Module Four (processor to controller) for the return or delivery of Controller Personal Data to a Controller located outside the EEA.

For restricted transfers subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (with the tables completed by reference to the Annexes below). The Annexes to this DPA – Annex I (transfer details), Annex II (technical and organizational measures), and Annex III (sub-processors) – together with the Privacy Policy, supply the annex information required for the applicable module(s) and the UK Addendum, including the parties and their roles, the description of the transfer, the categories of personal data and data subjects, the technical and organizational measures, and the sub-processors. Before relying on the SCCs for a transfer to a country without an adequacy decision, What the Flutter documents a transfer-impact assessment covering the specific transfer, the relevant destination-country law and practice, the likelihood and nature of public-authority access, and any supplementary measures applied, and provides a reasonable summary to the Controller on request.

6. Controller Obligations

The Controller represents and warrants that: (a) it has a valid lawful basis and all authorizations, notices, and consents necessary for the processing it instructs through the Service; (b) its instructions to the Processor are lawful; and (c) it will provide any notices required to, and honor the rights of, the data subjects whose Controller Personal Data it processes through the Service. The Controller is solely responsible for determining that its use of the Service complies with applicable data-protection law and with the terms of any third-party platform it directs the Service to access.

7. General

This DPA takes effect on the date the Controller first uses the Service to process Controller Personal Data and remains in force for as long as the Processor processes Controller Personal Data on the Controller’s behalf. It is governed by the law of, and subject to the dispute-resolution provisions in, the Terms of Use. All other terms of the Terms of Use and Privacy Policy remain in full force and effect.

8. Contact

Questions about this DPA, or requests for a countersigned copy or the current list of sub-processors, should be sent to:

What the Flutter OÜ Ahtri tn 12, Kesklinna linnaosa Tallinn 15551, Harju maakond, Estonia Email: support@linkedapi.io

9. Sub-processors

What the Flutter engages the following categories of sub-processors to provide the Service; the current sub-processors are set out in Annex III.

  • Cloud hosting and infrastructure – hosting of the application, databases, and browser infrastructure.
  • Cloud browser runtime – the dedicated, isolated per-account browser environment in which the Controller’s workflows run and in which the connected account’s session is held.
  • Workflow orchestration – scheduling and execution of workflow tasks.
  • Object storage – storage of workflow artifacts such as screenshots and page snapshots that may contain Controller Personal Data.
  • Network proxying – per-account network routing for the connected account.
  • Live browser streaming – streaming of a browser session to the Controller during connect-account and access-browser flows.

What the Flutter also uses the following service providers, which act as processors for What the Flutter (an independent controller under this DPA and the Privacy Policy) with respect to the Controller’s own account and billing data, rather than as sub-processors of Controller Personal Data as defined in this DPA: payment processing (subscription billing); and product analytics and transactional email relating to the Controller’s account.


Annex I – Details of Processing (SCC Annex I / UK Addendum)

Parties. For Module Two transfers, the data exporter is the Controller and the data importer is What the Flutter OÜ. For Module Three transfers, the data exporter is What the Flutter OÜ and the data importer is the relevant sub-processor named in Annex III. For Module Four transfers, the data exporter is What the Flutter OÜ and the data importer is the Controller. Contact details are those stated in this DPA and the Controller’s account.

Categories of data subjects. The individuals whom the Controller targets, or whose profiles the Controller’s workflows access, through the Service (for example, members of the connected third-party platform), and the holder of the connected account.

Categories of personal data. As set out in Section 3: identifiers and professional-profile data of third parties; message, comment, connection-note, and other User Content; the connected account’s authentication and session state; workflow configurations, commands, and results; and workflow and operation metadata and logs to the extent they contain Controller Personal Data.

Sensitive data. None is intended or permitted. The Controller must not configure workflows to collect or infer special-category data (Section 3).

Frequency of the transfer. Continuous, for the duration of the Controller’s subscription.

Nature and purpose. Execution of the Controller’s configured browser-automation workflows and provision of the Service, as described in Section 2.

Retention. For the periods described in the Privacy Policy; Controller Personal Data is deleted or returned on the Controller’s instruction and upon termination, per Section 4(g).

Competent supervisory authority. For Module Two transfers, the competent supervisory authority is the one determined under Clause 13 of the SCCs for the relevant Controller/exporter. For Module Three and Module Four transfers, where What the Flutter is the exporter, it is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Annex II – Technical and Organizational Measures (SCC Annex II)

What the Flutter applies the following measures. This Annex states only measures that are actually implemented; it does not assert measures that are not in place.

  • Encryption in transit. All network communication with the Service (API, dashboard, and cloud-browser session handling) is encrypted using HTTPS/TLS.
  • Per-account isolation. Each connected account runs in a dedicated, isolated cloud-browser environment; the connected account’s session is held within that environment.
  • Credentials. The Controller’s connected-account password is entered by the Controller directly in the cloud browser and is never received or stored by What the Flutter.
  • Access control. Access to production systems and databases is restricted to authorized personnel on a need-to-know basis, requires authentication, and is logged and audited; personnel do not access data at will, and any exceptional access follows documented internal procedures used only for security, incident response, or support.
  • Logging. Access and operational activity are logged.
  • Deletion and minimization. Diagnostic artifacts stored in object storage (the Screenshots, HtmlFiles, and SessionArtifacts directories) are deleted within 14 days; application and operation logs within 30 days; residual backup copies within 30 days of deletion from active systems; Controller Personal Data is deleted or returned on instruction and upon termination.
  • Sub-processor controls. Sub-processors are engaged only under written contracts imposing equivalent data-protection obligations.
  • Incident response. Personal-data breaches affecting Controller Personal Data are notified to the Controller without undue delay.

Annex III – Sub-processors

Sub-processors that may process Controller Personal Data:

Sub-processor (by function)PurposeLocation / transfer
Cloud hosting and infrastructureApplication, database, and browser-infrastructure hostingEuropean Economic Area
Cloud-browser runtimeDedicated per-account cloud browser holding the connected sessionProvided to Controllers on request
Object storageStorage of workflow artifacts (screenshots, page snapshots)Provided to Controllers on request
Workflow orchestrationScheduling and execution of workflow tasksOutside the EEA, under SCCs
Network proxyingPer-account network routingProvided to Controllers on request
Live browser streamingStreaming of a browser session during connect and access flowsOutside the EEA, under SCCs

Service providers processing What the Flutter’s own (independent-controller) account and billing data, not Controller Personal Data: payment processing (subscription billing); product analytics (EU-hosted); and transactional email.

We identify each of the above sub-processors – including its legal entity name, processing location, and transfer mechanism – to Controllers on request, and we notify Controllers of changes as described in Section 4(d).

We keep this Annex current. Where an entry above is described by function, or where you require the completed SCC or UK Addendum annexes, contact support@linkedapi.io for the specific entity, location, and transfer mechanism.