Privacy Policy

Last updated: June 29, 2026

1. Who we are

Lynko AI (“we,” “our,” or “us”) is a career management platform that helps students manage professional contacts, send personalized outreach emails, and track responses. Lynko AI is operated by Lynko AI LLC, a California limited liability company. The service is available to users in the United States only.

Questions or requests related to this Privacy Policy: privacy@lynkoai.com

2. Scope of this policy

This policy applies to all personal information collected when you use Lynko AI, including information you provide directly, information collected automatically, and information obtained from third-party sources. This policy does not apply to third-party websites or services linked from our platform.

This service is not intended for users outside the United States. We do not knowingly collect data from users in the European Union, United Kingdom, or other jurisdictions with separate privacy regimes. If you are accessing from outside the US, please do not use the service.

Minimum age: Lynko AI is not intended for anyone under the age of 18. If we learn that we have collected personal information from a user under 18, we will delete it promptly.

3. Information we collect

3a. Information you provide directly

  • Account registration data: first name, last name, email address, school or university name, major, graduation year, and target role or industry.
  • Profile and background information: a written summary of your academic background, internship experience, skills, and career goals used to personalize your outreach emails.
  • Resume and document text: text you paste or upload from your resume or career documents. Resumes commonly contain sensitive personal information including but not limited to: home address, phone number, personal email address, GPA, work authorization status, languages spoken, and links to personal websites or portfolios. We store this text solely to help generate personalized outreach. We strongly recommend removing your home address and phone number from any resume text you upload, as this information is not needed for email personalization.
  • Contact data you enter: names, email addresses, LinkedIn profile URLs, job titles, company names, and notes you add about people in your network. This is data about third parties that you enter manually. See Section 6 for how we handle third-party contact data.
  • Outreach content: email templates, sequence steps, snippets, and draft emails you create or edit in the platform.
  • Payment information: if you subscribe to a paid plan, payment is processed by Stripe, a PCI-compliant third-party payment processor. We do not store your credit card number, billing address, or full payment details on our servers. We receive only a payment confirmation and a Stripe customer ID.

3b. Information collected automatically

  • Log and usage data: IP address, browser type and version, operating system, referring URL, pages visited within the app, timestamps of actions, and feature usage (e.g., number of AI generations requested, emails sent, contacts added). This data is collected automatically when you access the service.
  • Cookies and local storage: we use the following types of cookies and browser storage:
    • Session cookies: maintain your authentication state while you are logged in. These expire when you close your browser or log out.
    • Preference storage: browser localStorage stores UI preferences such as which outreach step was last expanded. No personal data is stored in localStorage.
    We do not use third-party advertising cookies, tracking pixels, or cross-site tracking. You can clear cookies and localStorage via your browser settings, but doing so will log you out and reset preferences.
  • Error monitoring and session replay data (Sentry): we use Sentry to capture application errors, performance issues, and session replays. When an error occurs in the application, Sentry automatically records the error details, a stack trace, your browser and device type, your user ID (linked to your Lynko AI account), and a video-like replay of your recent interactions in the app (mouse movements, clicks, page navigation, and UI state). We also record approximately 5% of normal sessions for performance monitoring purposes. Sensitive fields such as passwords and email body content are automatically masked in replays and are not captured. Session replay data is stored by Sentry for up to 90 days. We use this data solely to identify, reproduce, and fix bugs and to improve application stability. We do not share this data with any third party except Sentry as described in Section 8.
  • Device identifiers: browser and device information used to detect and prevent unauthorized access to accounts. We do not build advertising profiles from this data.

3c. Information from third-party sources

  • Apollo.io contact enrichment:when you add a contact by LinkedIn URL, we query Apollo.io's database to retrieve that person's publicly available professional information, including job title, company, career history, and professional email address. Only the LinkedIn URL is sent to Apollo; your account data is not shared. Apollo's privacy policy governs how they collect and maintain this data: apollo.io/privacy-policy.
  • Gmail OAuth data: when you connect Gmail, Google provides us with an OAuth refresh token allowing us to send emails and read reply threads on your behalf. The specific OAuth scopes we request are: send email on your behalf, read and write to specific email threads initiated through Lynko AI, and read your Gmail email address. We also request Google Calendar access to create follow-up reminder events. We do not request access to your full inbox, contacts, or any other Google data. See Section 7.
  • Outlook OAuth data: when you connect a Microsoft Outlook or Microsoft 365 account, Microsoft provides us with an OAuth refresh token allowing us to send emails, read and write specific reply threads, and create calendar events on your behalf via Microsoft Graph. The specific permissions (scopes) we request are: send mail, read and write mail, read your Microsoft account email address, and read and write calendar events. We do not request access to your full inbox, contacts, files, or any other Microsoft data. Your Outlook OAuth token is encrypted at rest and is never exposed in logs or API responses. See Section 7.
  • Google Calendar data: when you authorize Google Calendar access, we create all-day reminder events in your primary Google Calendar when you set follow-up dates on contacts in the app. We do not read, scan, or store any of your existing calendar events. We only write events we create through Lynko AI.
  • Outlook Calendar data: when you connect Outlook and authorize calendar access, we create all-day reminder events in your Outlook Calendar when you set follow-up dates on contacts. We do not read, scan, or store any of your existing Outlook calendar events.

4. How we use your information

  • To create and maintain your account and authenticate your identity.
  • To generate AI-personalized outreach emails using your background summary, contact profile, and email template. Your context is sent to our AI providers (see Section 8).
  • To send outreach emails from your connected Gmail or Outlook account to contacts you explicitly select.
  • To detect replies within threads initiated through Lynko AI and notify you in the app.
  • To draft reply suggestions based on the incoming message and your profile.
  • To create calendar reminder events in Google Calendar or Outlook Calendar when you set follow-up dates.
  • To enforce fair-use limits on AI features and prevent abuse.
  • To communicate with you about your account, product updates, and policy changes.
  • To improve the platform through aggregate, anonymized usage analytics.
  • To monitor application stability, diagnose errors, and fix bugs using Sentry error reports and session replays.
  • To comply with applicable law, respond to legal process, and protect against fraud or security threats.
  • To process payments and manage your subscription through Stripe.

We do not sell your personal information. We do not use your data to serve advertisements. We do not use your data, your contacts' data, or the content of your emails to train any AI or machine learning model.

5. Legal basis for processing

We process your personal information under the following legal bases:

  • Contract: processing necessary to provide the service you signed up for (account creation, email sending, sequence management).
  • Legitimate interests: security monitoring, fraud prevention, error monitoring via Sentry, aggregate analytics to improve the product, and enforcing our Terms of Service.
  • Consent: connecting Gmail, Outlook, Google Calendar, and Outlook Calendar, which you may revoke at any time from within the app or directly from your Google or Microsoft account settings.
  • Legal obligation: complying with applicable law, responding to valid legal process.

6. Third-party contact data

When you add contacts to your CRM, you are storing information about other people (“third-party contact data”). You represent that you have a legitimate professional reason to store and contact each person you add. You may not add contacts without a genuine professional connection or intent, and you may not use Lynko AI to store or target individuals in a harassing or non-professional manner.

Third-party contact data is stored solely to power your outreach workflow. We do not use it for any purpose beyond delivering the service to you. We do not share individual contact records with other users or sell this data.

Contact suppression and opt-out: if a professional who has received an outreach email sent through our platform requests that they no longer be contacted through Lynko AI, we will honor that request within 10 business days (consistent with CAN-SPAM requirements), mark the contact record accordingly, and instruct the account holder to send no further outreach to that individual through our platform. If you are a professional who has received an email sent via Lynko AI and wish to be removed, email privacy@lynkoai.com with the subject line “Remove me.” Please include the email address to which the message was sent. We will process your request and confirm removal.

Account deletion and contact data: when a user deletes their Lynko AI account, all third-party contact data stored in that account (names, email addresses, career profiles, enrichment data) is also permanently deleted within 30 days. Third-party contacts are not retained after the associated user account is closed.

You are responsible for ensuring your outreach to contacts complies with applicable law, including the CAN-SPAM Act, which requires a physical mailing address on commercial emails. Lynko AI includes our business address in transactional emails sent through our platform on your behalf.

7. Connected email accounts — Gmail and Outlook

7a. Gmail and Google API data

Lynko AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • We access Gmail solely to send outreach emails you initiate through Lynko AI and to read replies within those specific threads.
  • We do not read, scan, store, or process any Gmail messages outside of threads created through Lynko AI.
  • We do not use Gmail data to serve advertisements, build user profiles, or for any purpose unrelated to the core Lynko AI outreach features.
  • We do not share Gmail data with third parties except as strictly necessary to operate the service (e.g., your encrypted OAuth token stored in our database).
  • We do not allow humans to read your Gmail data unless you explicitly grant permission for troubleshooting, or we are required by law.
  • Your Gmail OAuth token is encrypted at rest using industry-standard encryption and is never exposed in logs, API responses, or to other users.
  • We do not transfer Gmail data to third-party AI services. Only the content you explicitly generate (your background summary and the email you are drafting) is sent to AI providers.
  • You may revoke Gmail and Calendar access at any time via myaccount.google.com/permissions or from your Lynko AI profile settings. Revocation does not delete your Lynko AI account or data.

7b. Outlook and Microsoft Graph API data

  • We access Outlook solely to send outreach emails you initiate through Lynko AI, to read and thread replies within those specific conversations, and to create calendar reminder events when you set follow-up dates.
  • We do not read, scan, store, or process any Outlook messages, folders, files, contacts, or data outside of conversations created through Lynko AI.
  • We do not use Outlook or Microsoft Graph data to serve advertisements, build user profiles, or for any purpose unrelated to the core Lynko AI outreach and calendar features.
  • We do not share Outlook data with third parties except as strictly necessary to operate the service (e.g., your encrypted OAuth token stored in our database).
  • We do not allow humans to read your Outlook data unless you explicitly grant permission for troubleshooting, or we are required by law.
  • Your Outlook OAuth token is encrypted at rest using industry-standard encryption and is never exposed in logs, API responses, or to other users.
  • We do not transfer Outlook or Microsoft Graph data to third-party AI services. Only the content you explicitly generate is sent to AI providers.
  • You may revoke Outlook access at any time via account.microsoft.com/privacy/app-access or from your Lynko AI profile settings. Revocation does not delete your Lynko AI account or data.

8. Third-party service providers

We share data with the following providers only as necessary to operate the platform:

  • Supabase (database, authentication, and storage):your account data, profile, contacts, templates, outreach history, and OAuth tokens are stored in Supabase's managed PostgreSQL infrastructure, hosted on AWS us-east-1. Supabase is SOC 2 Type II certified. Row-level security ensures each user can only access their own records.
  • OpenAI (GPT-4o):we use OpenAI's GPT-4o model to generate email personalizations. When you request a personalized email, we send OpenAI: your background summary or snippet text, the contact's professional profile (name, title, company, career history from Apollo), and the current email draft or template. We do not send your home address, phone number, payment information, raw resume text, or Gmail or Outlook message content to OpenAI. OpenAI's API data usage policy: openai.com/policies/api-data-usage-policies.
  • Anthropic (Claude):we may use Claude models for specific AI tasks such as drafting reply suggestions. The same data handling rules apply as with OpenAI above. We do not send Gmail or Outlook content, payment information, or sensitive personal data to Anthropic. Anthropic's privacy policy: anthropic.com/privacy.
  • Apollo.io (contact enrichment):when you import a contact via LinkedIn URL, we query Apollo to retrieve that person's publicly available professional data. Only the LinkedIn URL is sent to Apollo; your account data is not shared. Apollo's privacy policy: apollo.io/privacy-policy.
  • Vercel (hosting and serverless compute):our web application and API routes are deployed on Vercel's infrastructure. Request logs including IP addresses and user-agent strings are retained by Vercel for up to 30 days per their data retention policy. Vercel does not have access to your account data or stored content.
  • Stripe (payment processing):subscription billing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We share your email address with Stripe for billing purposes. We do not store payment card data on our servers. Stripe's privacy policy: stripe.com/privacy.
  • Resend (fallback email delivery):if you have not connected Gmail or Outlook, outreach emails are sent via Resend from a Lynko AI domain address. Resend receives the recipient email address, subject, and email body. Resend's privacy policy: resend.com/legal/privacy-policy.
  • Google (Gmail API, Google Calendar API, OAuth):see Section 7a for full details on how Google data is handled. Google's privacy policy: policies.google.com/privacy.
  • Microsoft (Outlook API, Microsoft Graph, Outlook Calendar API, OAuth):see Section 7b for full details on how Microsoft data is handled. Microsoft's privacy policy: privacy.microsoft.com/en-us/privacystatement.
  • Sentry (error monitoring and session replay):we use Sentry to capture application errors, performance traces, and session replays for the purpose of identifying and fixing bugs. Sentry receives: error details and stack traces, your Lynko AI user ID (used to associate errors with your account), browser and device metadata, and session replay recordings (video-like recordings of your in-app interactions, with sensitive text fields masked). We capture a replay on every application error and for approximately 5% of normal sessions. Sentry stores this data on servers in the United States. We do not use Sentry data for advertising, profiling, or any purpose other than application stability and bug resolution. Sentry's privacy policy: sentry.io/privacy.
  • Pinecone (vector database):we use Pinecone to store vector embeddings that power AI-assisted features. Embeddings may be generated from your background summary, resume text snippets, and contact profile data you have entered. These embeddings are stored as numerical vectors and are not readable as plain text; however, they are derived from personal data and are treated accordingly. Pinecone does not have access to your raw account data or email content. Pinecone's privacy policy: pinecone.io/privacy.

We do not sell, rent, or share your personal information with any other third parties for their own marketing or commercial purposes. We do not use your data for cross-context behavioral advertising.

Data processing agreements: we have signed or are in the process of signing data processing agreements (DPAs) with our key service providers, including Supabase, OpenAI, Anthropic, and Sentry, ensuring they process your data only under our documented instructions and in compliance with applicable law.

9. Data retention

We retain your personal data for as long as your account is active. Specific retention periods:

  • Account and profile data: retained until you delete your account.
  • Contact data and email history: retained until you delete the contact or your account.
  • Resume and background text: retained until you remove it in settings or delete your account.
  • Gmail OAuth token: retained until you revoke Gmail access or delete your account. Revoked tokens are deleted within 48 hours of revocation.
  • Outlook OAuth token: retained until you revoke Outlook access or delete your account. Revoked tokens are deleted within 48 hours of revocation.
  • Sentry error and session replay data: retained by Sentry for up to 90 days from the date of collection.
  • Stripe billing data: retained as required by financial recordkeeping obligations (typically 7 years), even after account deletion. Only transaction records are kept; no payment card data is stored by us.
  • Server and application logs: retained for up to 90 days for security monitoring and abuse prevention.
  • Vercel request logs: retained by Vercel for up to 30 days (outside our control).

Upon account deletion, all personal data under our control is permanently removed within 30 days. This includes all third-party contact data stored in your account: names, email addresses, LinkedIn profiles, Apollo-enriched career data, and any notes or outreach history associated with those contacts. Database backups containing your data are purged within 90 days. Some anonymized, aggregate usage statistics may be retained indefinitely as they contain no personal information.

10. Security

  • All data is transmitted over HTTPS/TLS 1.2 or higher. We do not support unencrypted HTTP connections.
  • Gmail and Outlook OAuth tokens are encrypted at rest using AES-256 encryption. Other sensitive fields are encrypted where applicable.
  • Access to your data is enforced by row-level security (RLS) policies in our Supabase database. Each user can only access records associated with their own account.
  • Access to production systems and databases is restricted to authorized personnel only, requires multi-factor authentication, and all access is logged.
  • We do not log or expose API keys, OAuth tokens, or passwords in application logs or error reports. Sentry is configured to mask sensitive field values in session replays.
  • We conduct periodic security reviews of our infrastructure, dependencies, and access controls.
  • Payment data is handled exclusively by Stripe, which is PCI DSS Level 1 certified.

Data breach notification: in the event of a security breach that affects your personal information, we will notify you via the email address associated with your account within 72 hours of becoming aware of the breach, to the extent required by applicable law. We will describe the nature of the breach, the data affected, steps we are taking, and actions you can take to protect yourself.

No system is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@lynkoai.com.

11. Business transfers

If Lynko AI is involved in a merger, acquisition, asset sale, or bankruptcy proceeding, your personal information may be transferred as a business asset. In such cases, we will provide notice via email and/or a prominent notice on our website before your personal information is transferred and becomes subject to a different privacy policy. We will require any acquiring party to honor the material terms of this Privacy Policy or provide you with a meaningful opportunity to delete your data before the transfer takes effect.

12. Children's privacy

Lynko AI is designed for college students and professionals aged 18 and older. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, please do not use this service. If we learn that we have collected personal information from a user under 18, we will delete that information promptly. Parents or guardians who believe a minor has provided us with personal information may contact us at privacy@lynkoai.com.

13. Your privacy rights

Regardless of your state of residence, you have the following rights:

  • Right to access: request a copy of the personal information we hold about you.
  • Right to correction: request that inaccurate or incomplete data be corrected.
  • Right to deletion: request deletion of your account and all associated personal data.
  • Right to data portability: request an export of your contact data, outreach history, and profile information in a machine-readable format (JSON or CSV).
  • Right to restrict processing: request that we limit how we use your data while a dispute is resolved.
  • Right to opt out of marketing: you may unsubscribe from non-transactional emails at any time via the unsubscribe link in any email or by contacting us.
  • Right to revoke connected account access: you may disconnect Gmail or Outlook from within your Lynko AI profile settings, or directly from Google or Microsoft account management pages, at any time.

California residents (CCPA/CPRA):

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have additional rights:

  • We do not sell your personal information to third parties.
  • We do not share your personal information for cross-context behavioral advertising.
  • You have the right to know the categories of personal information we collect and the purposes for which it is used. Categories we collect include: identifiers (name, email, IP address, user ID), professional information (resume text, career goals), internet or electronic network activity (usage logs, cookies, Sentry error and replay data), and inferences drawn to personalize your experience. All purposes are described in Section 4.
  • You may submit a “Do Not Sell or Share My Personal Information” request even though we do not engage in such practices.
  • You have the right to limit our use of sensitive personal information (such as your SSN, financial data, or health data). We do not collect or process sensitive personal information as defined by CPRA beyond what you voluntarily provide in your resume text.
  • California residents may exercise all CCPA/CPRA rights free of charge. We will respond within 45 days. We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@lynkoai.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

14. Do Not Track

Some browsers include a “Do Not Track” (DNT) setting. Because there is no industry-standard interpretation of DNT signals, our site does not currently respond to DNT signals. However, we do not engage in cross-site tracking, behavioral advertising, or third-party data sharing for advertising purposes, regardless of your DNT setting.

15. Third-party links

Our platform may contain links to third-party websites, including LinkedIn, Google, Microsoft, and employer websites. This Privacy Policy does not apply to those sites. We are not responsible for the privacy practices of any third-party site and encourage you to review their privacy policies before providing any personal information.

16. Changes to this policy

We may update this Privacy Policy as the product evolves or as legal requirements change. We will notify you of material changes via email to your registered address and via an in-app notice at least 14 days before changes take effect. Non-material changes (such as clarifications or corrections) may be made without advance notice. Your continued use of Lynko AI after changes take effect constitutes your acceptance of the updated policy. The date at the top of this page reflects when the policy was last revised. Prior versions of this policy are available upon request.

17. Contact

Privacy questions, data requests, or concerns: privacy@lynkoai.com

General support: support@lynkoai.com

Lynko AI LLC — Windsor, CA