
Privacy Policy

How Team-Reach collects, uses, and protects personal data - including data accessed via the LinkedIn Community Management API.

Effective: April 7, 2026
Last updated: April 12, 2026

The important bits

  • We only process personal data needed to run the Team-Reach service.
  • When you connect your LinkedIn account, we retrieve a narrow, documented set of data through LinkedIn's official Community Management API. We do not scrape, we do not combine LinkedIn data with third-party data, and we do not share LinkedIn data outside your own company's workspace.
  • You can disconnect your LinkedIn account and request deletion of your data at any time.
  • We use industry-standard encryption and tenant isolation to keep customer data separate and secure.

01 Who we are

Team-Reach (“Team-Reach”, “we”, “us”, or “our”) is operated by Team-Reach Ltd., registered at Sofia, st. Shipka 6, Bulgaria. If you have any questions about this Privacy Policy or your personal data, you can reach us at dariy@team-reach.com.

Team-Reach is a processor of personal data on behalf of the client companies that subscribe to our platform. Those client companies are the controllers of the personal data their administrators and participants provide to Team-Reach.

02 Who this policy applies to

This Privacy Policy applies to:

  • Client Administrators - people managing their company's workspace on Team-Reach.
  • Participants - individuals (typically executives) whose LinkedIn accounts are connected to Team-Reach so that content can be published on their behalf through our platform.
  • Super Administrators - Team-Reach staff who operate the platform.
  • Anyone who interacts with the Team-Reach website or service.

03 What personal data we collect

3.1 Account data

Accounts on Team-Reach are created by administrators; there is no public self-signup. When an account is created, we collect:

  • Name
  • Email address
  • Role (Super Administrator, Client Administrator, or Participant)
  • The company workspace the account belongs to
  • Authentication credentials and session data (managed by our authentication provider, Clerk)

3.2 Participant profile data

For each Participant, we may store:

  • Job title, role, and headline
  • Avatar image
  • LinkedIn profile URL
  • Style directives and content preferences used to personalize AI-generated content variations

3.3 LinkedIn data (Community Management API)

When a Participant connects their LinkedIn account, they are redirected to LinkedIn's OAuth 2.0 authorization screen where they explicitly grant Team-Reach a specific set of permissions. The scopes we request are:

  • w_member_social - Publish posts on the Participant's behalf
  • r_member_postAnalytics - Retrieve aggregate engagement metrics for posts published through Team-Reach
  • r_member_profileAnalytics - Retrieve the Participant's follower count
  • openid, profile - Identify the connected LinkedIn member

Through these scopes we retrieve and store the following data from LinkedIn's Community Management API:

| Data category | Purpose | Retention |
|---|---|---|
| LinkedIn member URN (identifier) | To identify the connected member when calling LinkedIn APIs on their behalf | Until the Participant disconnects |
| OAuth access and refresh tokens | To authenticate subsequent API calls | Until expiry or disconnect |
| URNs and URLs of posts published by the Participant through Team-Reach | To link Team-Reach records to LinkedIn posts and retrieve analytics | Until disconnect |
| Aggregate post engagement counts (impressions, members reached, reactions, comments, shares) | To display analytics back to the Participant and their company administrators | Refreshed daily; retained up to 12 months |
| Daily follower count snapshots | To display follower-growth trends to the Participant | Up to 12 months |

Team-Reach does not retrieve, store, or display any of the following:

  • The profiles, names, headlines, or other personal data of LinkedIn members other than the connected Participant
  • The identities, text, or content of comments, reactions, or shares made by other LinkedIn members on the Participant's posts
  • LinkedIn direct messages, InMails, or conversations
  • Content from LinkedIn feeds or profiles other than the Participant's own
  • LinkedIn data used for sales prospecting, lead generation, advertising targeting, CRM enrichment, recruiting, audience list building, or any social-feed aggregation

Our retention of data retrieved via the LinkedIn Marketing APIs complies with LinkedIn's Data Storage Requirements.

3.4 Content data

  • Post drafts and published content authored in the Team-Reach editor
  • AI-generated content variations
  • Feedback, edit history, and approval events
  • Scheduling and publishing metadata

3.5 Media data

  • Images and PDF files uploaded by users, stored on our hosting provider (Vercel Blob)
  • File metadata (filename, size, type)

3.6 Usage and technical data

  • IP addresses (for security, rate limiting, and fraud prevention)
  • Session cookies set by our authentication provider (Clerk)
  • Browser and device information
  • Application logs and error reports

04 How we use personal data

We use personal data to:

  • Operate the Team-Reach service (publishing content, displaying analytics, managing approvals)
  • Authenticate users and protect the platform from unauthorized access
  • Generate AI-assisted content variations through our LLM provider (Anthropic). LinkedIn-sourced data is never sent to Anthropic; only the user's own drafts, style directives, and prompts.
  • Display LinkedIn post performance back to the Participant who authored the content and to the administrators of that Participant's own company workspace
  • Enforce tenant isolation so that data belonging to one client company is never visible or accessible to another
  • Communicate important service and security notices
  • Comply with legal obligations

Where the General Data Protection Regulation applies, we process personal data on the following legal bases:

  • Performance of a contract - to deliver the Team-Reach service you (or your employer) subscribed to
  • Legitimate interest - to operate and secure the platform, prevent abuse, and improve the service
  • Consent - for optional integrations such as LinkedIn, which each Participant explicitly authorizes through LinkedIn's OAuth consent screen

You may withdraw consent at any time, including by disconnecting your LinkedIn account from the Team-Reach settings page. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

06 Sharing of personal data - sub-processors

We do not sell personal data. We share personal data only with the sub-processors listed below, each bound by their own data protection commitments:

| Sub-processor | Purpose | Region |
|---|---|---|
| Clerk | Authentication and user management | United States |
| Anthropic | AI content generation (LinkedIn data is never transmitted) | United States |
| Vercel | Application hosting and media storage | United States / global |
| Neon | Managed PostgreSQL database | European Union / global |
| LinkedIn | Content publishing and analytics through the Community Management API | Global |

LinkedIn data specifically is displayed only to:

  • The authenticated Participant whose LinkedIn account is connected, and
  • The Client Administrators of that Participant's own company workspace on Team-Reach

LinkedIn data is never exported to third parties, combined with external data sources, used for advertising, sales, or recruiting, or shared with anyone outside the Participant's own company workspace.

07 Retention

We retain personal data only as long as necessary for the purpose it was collected for:

| Category | Retention |
|---|---|
| Account data (name, email, role, company) | While the account is active, plus up to 90 days after deletion for audit purposes |
| LinkedIn OAuth tokens (encrypted at rest) | Deleted immediately on disconnect |
| LinkedIn member URN | Deleted on disconnect |
| Post URNs and LinkedIn URLs of published posts | Deleted on disconnect |
| Aggregate LinkedIn post engagement counts | Refreshed daily, retained up to 12 months, deleted on disconnect |
| LinkedIn follower snapshots | Retained up to 12 months, deleted on disconnect |
| Uploaded media files | While the associated post exists, then deleted |
| Application logs | Up to 90 days |
| Database backups | Up to 30 days |

On Participant disconnect (Section 9), all LinkedIn-derived data for that Participant is purged within 24 hours.

08 Your rights

Depending on your jurisdiction, you may have the following rights over your personal data:

  • Access - obtain a copy of the personal data we hold about you
  • Correction - have inaccurate or incomplete data corrected
  • Deletion - request erasure of your personal data
  • Portability - receive your data in a machine-readable format
  • Objection - object to certain processing activities
  • Restriction - ask us to restrict processing in certain cases
  • Withdraw consent - where processing is based on consent
  • Lodge a complaint - with your local data protection authority

To exercise any of these rights, email dariy@team-reach.com. We respond to verified requests within 30 days.

09 Disconnecting LinkedIn and deleting your data

Participants can disconnect their LinkedIn account at any time from the Settings → LinkedIn page inside the Team-Reach application. When you disconnect:

  1. Your encrypted LinkedIn OAuth tokens are deleted immediately.
  2. All LinkedIn-derived data stored by Team-Reach for your account - including your member URN, post URNs, aggregate engagement counts, and follower snapshots - is purged within 24 hours.
  3. Posts that were previously published to LinkedIn through Team-Reach remain live on your LinkedIn profile. You can delete them directly on LinkedIn if you wish.

To delete your entire Team-Reach account, contact your Client Administrator or email dariy@team-reach.com.

10 Security

We protect personal data with the following measures:

  • LinkedIn OAuth tokens are encrypted at rest using AES-256-GCM with a 32-byte key, random 12-byte initialization vectors, and 16-byte authentication tags
  • All network communication uses TLS
  • OAuth state parameters are signed with HMAC-SHA256 and time-limited to prevent cross-site request forgery and replay
  • Multi-tenant isolation is enforced at the database query layer - every query automatically includes the company scope, preventing cross-tenant data access
  • External API calls are subject to 30-second abort-signal timeouts
  • Authentication secrets are compared in constant time to defeat timing attacks
  • User accounts are provisioned exclusively by administrators; there is no public self-signup
  • Sensitive operations are logged and monitored

No security program is perfect. If we become aware of a personal data breach that affects you, we will notify you and the relevant supervisory authority in accordance with applicable law.

11 Children

Team-Reach is a business-to-business platform and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12 International transfers

Team-Reach and its sub-processors operate in multiple jurisdictions, including the European Union and the United States. Where personal data is transferred outside the European Economic Area, it is protected under Standard Contractual Clauses or other safeguards recognized under applicable law.

13 Cookies and analytics

Team-Reach uses strictly necessary cookies for authentication and session management (set by Clerk). We do not use advertising or tracking cookies.

13.1 Website analytics

Our marketing website uses PostHog (PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA) to understand how visitors use the site. Data is processed by PostHog's EU instance hosted in Frankfurt, Germany (AWS region eu-central-1). PostHog is configured in fully cookieless mode: no cookies, localStorage, or other persistent identifiers are written to your device, and no cross-session user identifier is created.

The following data is transmitted to PostHog on each visit:

  • IP address — used only to compute an irreversible daily-salted hash for unique-visitor counting; not stored in raw form
  • Browser type, operating system, device type, language, timezone, screen and viewport size
  • Referring URL and the URL of the page you are viewing
  • UTM campaign parameters present in the URL
  • Anonymous interaction events (page views, clicks on buttons and links). Form input values are never captured. Password, credit-card and one-time-code fields are automatically excluded by PostHog.
  • Session recordings of your visit (when available), with all input fields and visible text content masked client-side before transmission.

Legal basis: Article 6(1)(f) GDPR — our legitimate interest in measuring the performance of our website. Because no identifier is stored on your device, this processing is exempt from the consent requirement under Article 5(3) of the ePrivacy Directive.

You may object to this processing at any time by enabling “Do Not Track” in your browser, which we honour. PostHog data is retained for up to 7 years (PostHog default). Our Data Processing Agreement with PostHog incorporates the EU Commission's 2021/914 Standard Contractual Clauses (Module 2).

13.2 Performance monitoring

We also use Vercel Speed Insights to measure page-load performance. It is cookieless and processes only aggregate technical metrics (Largest Contentful Paint, Interaction to Next Paint, Cumulative Layout Shift) tied to the page URL — no personal data is collected.

14 Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top and, where appropriate, notify registered users by email at least 30 days before the changes take effect.

15 Contact us