Connecto

Privacy Policy

Last updated: April 2026

Data Controller

Connecto is operated by ARX di Marco Serafini, Alessio Fini, Diego Simili, acting as data controller under GDPR (EU) 2016/679. Contact: privacy@connecto.app

Your Rights

You can access, export, rectify, and delete your personal data from Settings. You can withdraw optional consents at any time. To exercise your rights, use the Settings page or email privacy@connecto.app.

The complete privacy policy is provided below in English.

1. Data Controller

Connecto is operated by ARX di Marco Serafini, Alessio Fini, Diego Simili ("we", "us", "our"), acting as data controller responsible for your personal data pursuant to Regulation (EU) 2016/679 (GDPR).

For any privacy-related inquiry, contact us at: privacy@connecto.app

2. Purpose of Processing

Connecto provides automated LinkedIn networking services powered by AI. We process your personal data for the following purposes:

  • Service delivery: managing your account, executing LinkedIn outreach campaigns, generating AI-powered messages, and processing payments.
  • Service improvement: analyzing usage patterns to enhance features and user experience.
  • Communication: sending transactional emails (service notifications) and, with your consent, marketing communications.
  • Legal compliance: fulfilling legal obligations (tax records, GDPR requests).

3. Legal Basis

We process your data based on:

  • Contract performance (Art. 6(1)(b) GDPR): to provide the Connecto service you subscribed to. This covers account creation, LinkedIn automation, AI message generation, and payment processing.
  • Consent (Art. 6(1)(a) GDPR): for optional marketing communications and AI data processing (sending your profile data to OpenAI). You can withdraw consent at any time from your Settings page or by emailing privacy@connecto.app.
  • Legitimate interest (Art. 6(1)(f) GDPR): to improve our service, prevent fraud, ensure platform security, and perform error tracking.
  • Legal obligation (Art. 6(1)(c) GDPR): for tax records retention and responding to GDPR data subject requests.

4. Categories of Data Collected

We collect and process the following categories of personal data:

  • Account data: full name, email address, hashed password (bcrypt, or OAuth token for Google sign-in), authentication provider, interface type, plan selection.
  • Professional profile data: CV (uploaded file and extracted text), personal bio, LinkedIn profile information (name, headline, summary, profile URL, experiences).
  • LinkedIn automation data: lead information (name, headline, company, location, LinkedIn URL — all publicly available on LinkedIn), connection status, messages sent, campaign configuration.
  • Payment data: processed by Stripe. We store only Stripe customer ID and subscription status. We never store card numbers, CVV, or bank details.
  • Usage data: pages visited, features used, campaign statistics, daily action counters, analytics events.
  • Support data: name, email, and message content submitted via support forms.
  • Consent records: consent type, grant/revocation date, IP address, user agent (for proof of consent).

5. Data Processors (Recipients)

Your data may be processed by the following sub-processors:

Processor   Service                 Location         Safeguards
Supabase    Database & Auth         EU (Frankfurt)   Within EU
Stripe      Payments                USA / EU         PCI DSS + SCCs
OpenAI      AI message generation   USA              SCCs + DPA
Unipile     LinkedIn API            EU               Within EU
Resend      Transactional email     USA              SCCs
Vercel      Hosting & CDN           Global Edge      SCCs
PostHog     Product analytics       EU               Within EU
Sentry      Error tracking          USA              SCCs
Inngest     Background jobs         Cloud            SCCs

6. International Transfers (Art. 44-49)

Your data is primarily stored in EU data centers (Supabase EU Frankfurt). Some processors (OpenAI, Stripe, Resend, Sentry, Vercel, Inngest) may process data outside the EU/EEA. All such transfers are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914) or equivalent safeguards as required by GDPR Chapter V.

7. Data Retention

  • Account data: retained during active subscription + 30 days after account deletion.
  • Campaign analytics: retained for 24 months, then archived.
  • Daily statistics: retained for 12 months, then deleted.
  • Access logs: retained for 90 days.
  • Payment records: retained for 7-10 years as required by tax regulations.
  • Consent records: retained for duration of account + 5 years (proof of consent).
  • Deleted data: permanently and irreversibly deleted. No soft-delete recovery.

8. Your Rights (GDPR Art. 15-22)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): download all your personal data from Settings > Your Data.
  • Right to rectification (Art. 16): edit your name, bio, and files from your Profile and Settings pages.
  • Right to erasure (Art. 17): permanently delete your account and all data from Settings > Delete Account.
  • Right to data portability (Art. 20): export your data in JSON format from Settings > Your Data.
  • Right to object (Art. 21): revoke optional consents (marketing, AI processing) from Settings > Your Consents.
  • Right to restrict processing (Art. 18): contact us at privacy@connecto.app.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time from Settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise your rights: Use the Settings page in your Connecto dashboard, use the form below, or email privacy@connecto.app. We will respond within 30 days.

9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. In Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

10. Is Providing Data Mandatory?

Providing your name, email, and payment information is necessary to use the Connecto service (contractual requirement). Without this data, we cannot provide the service. Providing your CV, bio, and LinkedIn profile is optional but enhances AI message generation quality. Marketing consent and AI data processing consent are entirely voluntary and do not affect service availability.

11. Security

We implement industry-standard security measures: encryption at rest and in transit (TLS 1.3, AES-256), Row-Level Security (RLS) on all database tables, CSRF protection, rate limiting, input validation (Zod), password hashing (bcrypt 12 rounds), and regular security audits. LinkedIn credentials are never stored — authentication is handled via Unipile's hosted auth system.

12. Changes to This Policy

We may update this policy from time to time. We will notify registered users via email of any material changes at least 14 days before they take effect.

Exercise your GDPR rights

Fill out the form to submit a request regarding your personal data.