Privacy Policy
Last Updated: July 3, 2026
What the Flutter OÜ (“What the Flutter,” “we,” “us,” or “our”) operates the Linked API service. What the Flutter OÜ is an Estonian private limited company (registered address: Ahtri tn 12, Kesklinna linnaosa, Tallinn 15551, Harju maakond, Estonia). This Privacy Policy explains how we collect, use, share, and protect personal data in connection with Linked API. By using Linked API, you acknowledge that you have read and understood this Privacy Policy. We are committed to transparency and protecting your privacy in accordance with applicable laws including the GDPR and CCPA.
Information We Collect
We collect various types of information to provide and improve our service:
- Account Information: When you register for Linked API, we collect personal information such as your name, email address, company name, billing information, and account credentials. This information is necessary to create and maintain your user account and communicate with you.
- Connected LinkedIn account: If you choose to connect your LinkedIn account to Linked API, we maintain the session state of that connected account within the dedicated, isolated cloud-browser environment so that we can perform the actions you authorize. We do not request, collect, or store your LinkedIn password – any password you enter in a LinkedIn login form is provided directly to LinkedIn. That session state is used solely to perform the actions you authorize through the Service, and we do not sell it or use it for any independent purpose of our own.
- Usage Data: We automatically collect information about how you interact with Linked API. This includes server logs (e.g. IP address, browser type, device information, and timestamps of API requests), usage metrics (such as the number and frequency of API calls, workflow execution details), and cookies or similar tracking technologies on our website or dashboard. This data helps us monitor system performance, ensure security, prevent fraud, and improve our services.
- System Operational Data: We store various types of operational data necessary for the proper functioning of our service, including but not limited to: workflow configurations, task queues, execution histories, system preferences, feature settings, integration parameters, and error logs. This information is essential for maintaining continuity of service, providing technical support, enabling system functionality, and optimizing performance.
- Data You Retrieve From Third-Party Platforms (including LinkedIn): When you use the Service to retrieve or process personal data about other individuals from a third-party platform (for example, names, job titles, or other profile details of LinkedIn members), you act as the data controller for that data: you determine the purposes and means of the processing at the level that matters to those individuals, you select the individuals and the data involved, and you decide how the data is subsequently used. What the Flutter acts as a data processor for that data and processes it only on your documented instructions – namely the workflow configurations and commands you issue through the Service – and for no independent purpose of its own, except where processing is required by a law to which we are subject (in which case we will inform you of that requirement before processing, unless the law prohibits it). You represent and warrant that (a) you have a valid legal basis and all authorizations necessary for the collection and processing you instruct, (b) your instructions comply with applicable data-protection law, and (c) you will provide any required notices to, and honor the rights of, the individuals concerned. Our processing of that data on your behalf is governed by our Data Processing Addendum (DPA), which is incorporated into our Terms of Use by reference and, with respect to that data, prevails over any conflicting statement in this Policy. We do not sell that data, and we do not use it to build independent datasets or to profile the individuals it describes.
- Where We Act as an Independent Controller: Separately, and in our own right, What the Flutter is an independent controller for the personal data we process to operate, secure, support, bill, and improve the Service – including your account and contact data, authentication and connection metadata, usage and server logs, security and fraud-prevention data, and aggregated or de-identified analytics. We process that data for the purposes and on the legal bases described elsewhere in this Policy, in our own interest and not on your instructions.
How We Use Personal Data
We use the collected information for the following purposes:
- Providing the Service: We process your personal data to authenticate you, connect to LinkedIn on your behalf, execute your requested workflows/actions, and generally provide the Linked API functionality you subscribe to. For example, we use the session state of your connected account within the isolated cloud browser to carry out the actions you initiate (like sending connection requests or retrieving profile data); you sign in yourself, and we never receive or store your LinkedIn password.
- Service Administration and Communications: We use your contact information (email, name) to send service-related communications such as account confirmations, notifications of workflow results, important updates, security alerts, and administrative messages. We may also send you informational updates about new features or tips for using Linked API. You can opt out of non-essential communications (such as marketing emails) at any time.
- Improvement and Analytics: Usage Data is utilized to analyze trends, debug issues, and improve our platform’s performance and features. For instance, understanding how users utilize certain API endpoints can help us optimize execution speed or user experience. We may use privacy-conscious, third-party analytics tools that deploy cookies or similar technologies on our website to collect aggregated information about how visitors use the site. We use these tools under appropriate data-processing terms.
- Customer Support: If you contact us for support, we will use your contact information and any information you provide about your issue to help resolve your questions or troubleshoot problems. We may also review your recent API usage or error logs to diagnose technical issues.
- Security and Fraud Prevention: We may process personal data (like IP addresses or account activity) to monitor for suspicious or fraudulent activity, enforce our Terms of Use, and protect the integrity of our service. This includes using automated systems to detect misuse of Linked API (such as using it in ways that violate LinkedIn’s policies or our terms) and taking action to prevent harm, such as rate-limiting or suspending accounts involved in abuse.
- Compliance with Legal Obligations: If required by law or legal process, we may use and disclose personal data to respond to government requests, comply with court orders or regulations, or otherwise as required to meet our legal obligations. We also retain certain data as necessary to comply with accounting, taxation, and record-keeping requirements.
- Marketing: We may use your contact information to send newsletters, promotional materials, or inform you of new products and services from What the Flutter OÜ or our partners. You can unsubscribe from marketing emails at any time, and we do not send these without either your opt-in consent or a legitimate interest basis as allowed by law.
Our processing of your personal data is justified by one or more of the following legal bases, by purpose:
- Account, authentication, and providing the Service – performance of our contract with you (Art. 6(1)(b)).
- Billing, tax, and record-keeping – performance of contract and compliance with legal obligations (Art. 6(1)(b), (c)).
- Security, fraud and abuse prevention, and operational logging – our legitimate interests and, where applicable, legal obligations (Art. 6(1)(f), (c)).
- Service and support communications – performance of contract (Art. 6(1)(b)).
- Product improvement and analytics – our legitimate interests (Art. 6(1)(f)), and your consent for non-essential cookies where required.
- Marketing – your consent, or our legitimate interests where permitted by law (Art. 6(1)(a), (f)).
For the third-party personal data you retrieve through the Service, we act as your processor and you, as controller, are responsible for establishing and documenting the legal basis (see “Data You Retrieve From Third-Party Platforms” above and our Data Processing Addendum).
Cookies and Tracking Technologies
Linked API’s website and web dashboard use cookies and similar tracking technologies to provide and personalize the service:
- Essential Cookies: We use cookies necessary for our site to function, such as keeping you logged in to your account and maintaining session security. Without these, the service may not work properly.
- Analytics and Performance Cookies: With your consent where required, we use cookies or third-party tools to collect Usage Data about how visitors use our site (pages viewed, actions taken, time spent, etc.). This information is generally aggregated and helps us improve the usability and content of our website.
- No Sale of Data via Cookies: We do not allow third-party ad networks to collect your data for advertising purposes on our site, and we do not sell any personal information via cookies.
You can control or delete cookies through your browser settings. However, be aware that disabling certain cookies could affect the availability and functionality of Linked API’s online features.
How We Share Information
We value your privacy and do not sell your personal information to third parties. We only share your data in limited circumstances, as described below:
- With Service Providers: We may share data with trusted third-party service providers who perform functions on our behalf. For example, this includes cloud hosting providers (for our servers and databases), payment processors (to handle subscription billing securely – note that we do not receive or store full credit card numbers; payments are handled by compliant third-party processors), email delivery services (to send verification codes or notifications), and analytics tools. These providers are given access only to the information necessary to fulfill their tasks and are contractually obligated to protect your data and use it solely for providing services to us. They act under our instructions and are bound by data processing agreements as needed (ensuring GDPR compliance for EU user data).
- Within What the Flutter OÜ: Personal data may be shared among our team and controlled affiliates on a need-to-know basis, for purposes of development, customer support, or decision making related to the service. All our employees and contractors are subject to confidentiality obligations regarding personal data. We design our cloud browser environment to be programmatically isolated and to prevent routine human access to your authenticated LinkedIn session. Access to production systems is restricted to authorized personnel on a need‑to‑know basis, is logged and audited, and any exceptional access follows documented internal procedures and is used only where necessary for security, incident response, or support (where permitted).
- For Legal Reasons: We may disclose your information if required to do so by law or pursuant to a valid legal process (such as a subpoena, court order, or search warrant). We may also disclose data if we believe in good faith that it is necessary to investigate or prevent fraud, protect the safety of any person, or enforce our Terms of Use or other agreements. In case of a dispute or legal claim involving your use of Linked API, we may preserve and share relevant data as needed to resolve the issue.
- Business Transfers: If What the Flutter OÜ is involved in a merger, acquisition, sale of assets, bankruptcy, or reorganization, your information may be transferred to a successor or affiliate as part of that transaction. Should such a transfer occur, we will ensure the new entity honors the commitments we have made in this Privacy Policy or provide you notice and opportunity to opt-out of the transfer of your personal data.
- With Your Consent: In situations where you explicitly request or consent to a specific data sharing (for example, if you integrate Linked API with another third-party service and that integration needs to send certain data to the third party at your request), we will share your information only to the extent you have agreed.
Aside from the purposes described above, we will not share, rent, or trade your personal information with third parties for their own promotional purposes.
Data Security
We take security very seriously and implement a range of technical and organizational measures to safeguard your data:
- Encryption in transit: All network communication with Linked API – including API calls, dashboard interactions, and LinkedIn session handling – is encrypted via HTTPS/TLS. You enter your LinkedIn password directly in the cloud browser; we never receive or store it. Your LinkedIn session is held within the dedicated, isolated per-account cloud browser environment rather than in plaintext alongside your account records.
- Cloud Browser Isolation: Each LinkedIn account connected through Linked API runs in its own isolated cloud-based browser environment. This means your LinkedIn session (including cookies and any data loaded during automation workflows) is contained within that environment and is not accessible to other users. The environment is designed to prevent routine human access to your authenticated LinkedIn session; any exceptional access by authorized personnel follows documented internal procedures and occurs only where necessary for security, incident response, or support.
- Access Controls: Internally, we restrict access to production systems and databases to authorized personnel with a legitimate need, and our personnel do not access your data at will. Administrative access requires authentication and is logged and audited. Access to your data happens only where necessary in exceptional cases – such as troubleshooting a problem, responding to a security incident, or providing support you request – and in accordance with documented internal procedures.
- Monitoring and Patching: We regularly update our software and third-party libraries to address security vulnerabilities. Our systems are monitored for intrusions or anomalies. We also employ firewalls and other protective mechanisms to prevent unauthorized system access.
- Employee Training and Policies: Our team members are trained on data protection best practices and are required to adhere to confidentiality agreements. We maintain privacy and security policies to guide our handling of personal data.
Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. Therefore, while we strive to protect your personal data, we cannot guarantee absolute security. In the unlikely event of a data breach that affects your personal information, we will notify you and the appropriate authorities as required by law.
Data Retention
We retain personal data for as long as necessary to fulfill the purposes outlined in this policy or as required by law:
- Account information. We keep your account registration and profile details for as long as your account is active. If you delete your Linked API account or request deletion, we remove or anonymize your personal data from our active systems within 30 days, except where we must retain specific data for the legal reasons described below. Residual copies in backups are purged on our rolling backup cycle, not exceeding 30 days after deletion from active systems.
- Connected-account session data. Your LinkedIn session is held within the dedicated, isolated cloud browser only while the account is connected and your subscription is active. When you disconnect the account or close your account, the browser profile for that connected account is removed and the session is no longer usable; any related session artifacts held in our storage are automatically deleted within 14 days. We never store your LinkedIn password.
- Workflow results (may contain third-party data). We store the results of your workflows so that you can access your history and results, and we retain them for as long as your account is active. Because you are the controller for that data, you can retrieve your results through the Service at any time while your account is active, and deleting your Linked API account erases the stored results from our active systems; in any event they are deleted upon termination of your account, subject only to the backup-purge cycle above.
- Screenshots and page snapshots. Diagnostic artifacts such as screenshots and page snapshots are automatically deleted within 14 days of creation.
- Server, security, and operational logs. Application and workflow-operation logs are automatically deleted after 30 days, except records of skill installations, which we retain as product history. Aggregated or de-identified metrics may be kept for longer to analyze performance and reliability.
- Legal obligations and disputes. We may retain certain information where necessary to comply with legal obligations (for example, transaction records for accounting) or to resolve disputes or enforce our agreements, only for the period required by applicable law or the duration of the dispute, after which it is deleted.
After the applicable retention periods, we will securely erase or anonymize personal data. Where data is anonymized (so it can no longer be associated with an individual), we may retain it indefinitely for statistical purposes without further notice to you.
International Data Transfers
Our primary data processing occurs within the European Union. Where personal data is transferred outside the EEA (or, for UK data, outside the UK), we rely on the transfer mechanisms set out in Section 5 of our Data Processing Addendum – including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with a transfer-impact assessment where required. As an Estonian company, What the Flutter is subject to GDPR and processes data in accordance with EU data protection standards.
Your Rights and Choices
General Rights: Depending on your location and applicable privacy laws, you have certain rights regarding your personal data. We honor all requests to the extent required by law and will extend these rights as a courtesy in other regions where feasible. These rights may include:
- Access and Portability: You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it. We will provide this in a readily accessible format. For EU users, you may also request that we transfer your data to another controller where technically possible (data portability).
- Correction: If any of your personal information is inaccurate or incomplete, you have the right to ask us to correct or update it. You can also update most of your basic account information directly through your Linked API account settings.
- Deletion: You have the right to request deletion of your personal data. Upon verified request, we will delete the information we hold about you, except for data we are obligated to retain for legal or legitimate business purposes (as described in Data Retention above). If you request deletion, note that this may involve closing your account. Certain usage logs or aggregated data may not be completely erased but will no longer be attributable to you.
- Restriction of Processing: You can ask us to restrict processing of your data in certain circumstances – for example, if you contest the accuracy of the data or object to us processing it on the basis of our legitimate interests. We will mark the data as restricted and only process it for specific purposes (like with your consent or for legal claims) while the restriction is in place.
- Objection to Processing: If we are processing your data based on legitimate interests, you have the right to object to that processing. This includes the right to object at any time to processing of your personal data for direct marketing purposes. If you object, we will reconsider our justifications for processing your data and will cease the processing if your rights outweigh our interests.
- Withdraw Consent: Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it may take some time to fully implement.
- Right to Lodge a Complaint: If you believe that our processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. For users in the EU, you may contact the supervisory authority in your country of residence, or the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee.
To exercise any of these rights, please contact us at the contact information provided below. We will respond to your request within a reasonable timeframe and in accordance with applicable law (typically within 30 days for GDPR rights). We may need to verify your identity (for example, by requiring you to provide information or log in to your account) before executing certain requests, to ensure that we do not disclose or delete data incorrectly at the request of someone else.
California Privacy Rights (CCPA/CPRA): This section applies only if, and to the extent that, the California Consumer Privacy Act (as amended by the CPRA) applies to What the Flutter. Where it applies, and if you are a resident of California, U.S., you are entitled to the following rights:
- Right to Know: You may request information about the categories of personal information we have collected about you, the categories of sources of that information, the business or commercial purposes for collecting or sharing the information, the categories of third parties with whom we share personal information, and the specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You may request that we delete personal information we have collected from you (with certain exceptions – for example, we may retain data necessary to complete a transaction, detect security incidents, comply with legal obligations, etc.).
- Right to Correct: You may request that we correct inaccurate personal information that we maintain about you.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information to third parties for monetary consideration. We also do not share personal information for cross-context behavioral advertising in a manner that would trigger opt-out rights under California law. Therefore, there is no need to opt out of the sale or sharing of your data from Linked API.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you our services, provide a different level or quality of service, or charge a different price (unless the difference is reasonably related to the value of your data, as permitted by law) because you exercised your rights.
California users can exercise their privacy rights by contacting us as described below. If you have an authorized agent, that agent can make a request on your behalf, but we will require proof of the agent’s authorization and may still ask you to verify your identity directly with us.
Children’s Privacy
Linked API is not intended for use by minors under the age of 18. We do not knowingly collect personal information from children under 13 (or under 16 in the European Union, unless with parental consent, as required by applicable law). If you are under the minimum age in your jurisdiction, you may not use our service or provide any personal data to us. We ask that parents and guardians supervise their children’s online activities and consider using parental control tools.
In the event we discover that we have inadvertently collected personal information from a child under the applicable age without proper consent, we will take immediate steps to delete such information from our records. If you believe a minor may have provided us with personal data, please contact us so we can investigate and remove it.
Because the Service can retrieve third-party profile data, you must not configure workflows to intentionally target, collect, or process the personal data of minors, and you are responsible for excluding such data from your use of the Service.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this Policy, we will notify users by prominently posting a notice on our website or within the platform, and/or by sending an email to the address associated with your account. We will indicate at the top of the Policy the date of the latest revision.
We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. Continued use of Linked API after any changes to this Policy constitutes your acceptance of the updated terms, to the extent permitted by law.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us at:
What the Flutter OÜ (Attn: Privacy) Ahtri tn 12, Kesklinna linnaosa Tallinn 15551, Harju maakond, Estonia Email: support@linkedapi.io (please include “Privacy Inquiry” in the subject line)
Our Data Processing Addendum governs our role as a processor of personal data on your behalf and forms part of our Terms of Use. If your organization requires a countersigned copy, please contact us at support@linkedapi.io.
Thank you for trusting Linked API. We value your privacy and will continue working hard to keep your personal information secure.