Privacy Policy
Effective March 19, 2026
1. Introduction
Linkkit (“we,” “us,” or “our”) operates the Linkkit platform, a creator toolkit for affiliate marketing and Instagram DM automation. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website and services.
If you have questions about this policy, contact us at gopinho@protonmail.com.
2. Data We Collect
Account Data
When you create an account, we collect your email address, full name, username, and password. Passwords are stored using a secure, one-way hashing algorithm and are never stored in plain text.
Instagram Data (via OAuth)
If you connect your Instagram account, we receive and store your Instagram user ID, Instagram username, and a long-lived access token. Access tokens are encrypted at rest using AES-GCM. We also access reel metadata (reel IDs, captions, thumbnails, and publish dates) to enable the automation features you configure.
Webhook & Automation Data
When Instagram sends webhook events to our servers, we receive comment text, commenter user IDs and usernames, DM message text, and sender user IDs and usernames. This data is stored in our comment and DM log tables to provide you with activity history and troubleshooting information.
Usage & Analytics Data
We use PostHog for product analytics. This includes page views, feature usage events, and general interaction data. PostHog may collect device type, browser information, and approximate location based on IP address.
Cookies
We use the following cookies:
- Session cookie — an HttpOnly, secure cookie containing your authentication session token. This is essential for keeping you logged in.
- OAuth CSRF cookie — a short-lived cookie (10 minutes) used to prevent cross-site request forgery during the Instagram OAuth flow.
We do not use advertising or third-party tracking cookies.
3. How We Use Your Data
- Account data — to authenticate you, display your profile, and provide your public creator page.
- Instagram data — to connect your Instagram account, display your reels in the dashboard, and send automated DMs on your behalf when triggered by comments matching your configured keywords.
- Webhook data — to process incoming Instagram events, trigger automated responses, and provide you with activity logs.
- Usage data — to understand how our product is used and improve the platform.
4. Instagram Data & Automated Messaging
Permissions We Request
We request the following Instagram API permissions:
- instagram_business_basic — to read your Instagram profile info and media (reels, posts).
- instagram_business_manage_messages — to send direct messages on your behalf in response to comment triggers.
- instagram_business_manage_comments — to read comments on your media and identify keyword triggers.
How Automated DMs Work
You configure “reel mappings” that pair a specific Instagram reel with a product collection and a trigger keyword. When a user comments on your reel with a matching keyword, our system automatically sends them a DM containing the product links from the associated collection. You have full control over which reels are mapped, which keywords trigger responses, and which products are included.
Messaging Compliance
We comply with Instagram's 24-hour messaging window policy. DMs are only sent in response to user-initiated interactions (comments) within the allowed window. We enforce a rate limit of 195 DMs per hour per account to stay within Meta's API guidelines.
User Control
You can disable any reel mapping at any time, disconnect your Instagram account, or delete your Linkkit account entirely. Disabling a mapping immediately stops automated DMs for that reel.
5. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with the following third parties:
- Meta / Instagram — we send DMs via the Meta Graph API on your behalf. Message content and recipient information are transmitted to Meta as part of this process.
- PostHog — anonymized usage analytics for product improvement.
- Convex — our backend-as-a-service provider that hosts our database. All data is stored on Convex infrastructure.
We may also disclose data if required by law or to protect our legal rights.
6. Data Retention & Deletion
We retain your data for as long as your account is active. You can request deletion of your data at any time by contacting us at gopinho@protonmail.com or using our data deletion page. Upon receiving a valid deletion request, we will delete your data within 30 days.
If you disconnect your Instagram account, we delete your stored access token and Instagram-related automation data.
7. Data Security
We protect your data through the following measures:
- Instagram access tokens are encrypted at rest using AES-GCM.
- All data is transmitted over HTTPS with TLS encryption.
- Authentication cookies are HttpOnly and Secure, preventing client-side script access.
- Webhook payloads from Instagram are verified using HMAC-SHA256 signature validation.
- Passwords are hashed using industry-standard one-way hashing.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request deletion of your data.
- Portability — request a machine-readable export of your data.
- Objection — object to certain processing of your data.
To exercise any of these rights, contact us at gopinho@protonmail.com. We will respond within 30 days.
9. Children's Privacy
Linkkit is not intended for use by anyone under the age of 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete that data promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the platform. Your continued use of Linkkit after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: