Privacy Policy
Last updated: 17 May 2025
1 · Who we are
Colleague Boost is a SaaS product operated by ReflaTech Group OÜ.
Registered address
Sepapaja 6, Ülemiste City
15551 Tallinn
Harju maakond
Estonia
Data-protection contact
contact@colleagueboost.com
2 · Scope
This notice covers personal data processed when you:
- visit colleagueboost.com;
- sign in with your LinkedIn account or connect a Company Page;
- use our Slack or Microsoft Teams integration;
- interact with our dashboards, emails or support.
3 · What we collect & why
| Category | Examples | Purpose | Legal basis* |
|---|---|---|---|
| Account data | name, business email, LinkedIn member URN, organisation URN | create & secure your workspace | Contract |
| OAuth tokens | LinkedIn scopes r/w_member_social, r/w_organization_social | publish authorised reactions & pull analytics | Contract |
| Engagement data | post IDs, reaction/comment chosen, timestamps, reach metrics | participation dashboards & ROI | Legitimate interest |
| Usage analytics | clicks, feature flags, error logs (pseudonymised) | product improvement & abuse prevention | Legitimate interest |
| Support records | chat or email threads | customer success & dispute resolution | Contract |
*Under EU GDPR. Where we rely on legitimate interest we balance it against your rights and always offer an opt-out.
4 · How we handle LinkedIn data
- Minimum-necessary storage – we keep only data needed to perform the requested action.
- Encryption – OAuth tokens are AES-256 encrypted at rest; support staff never see them in plain text.
- Revocation – if you disconnect Colleague Boost from LinkedIn, all related tokens and cached content are deleted within 24 hours.
- No resale or profiling – we never sell or repurpose LinkedIn-derived data.
- Processing follows the LinkedIn Marketing & Community-Management API Terms, including the two-year maximum retention for historical analytics.
5 · Retention
| Data | Retention | Deletion trigger |
|---|---|---|
| Tokens & post-level analytics | while account is active + 30 days backup | contract end or user revocation |
| Billing records | 7 years (Estonian Accounting Act) | statutory expiry |
| Product telemetry (aggregated) | rolling 18 months | scheduled purge |
You may request earlier erasure where legally permissible.
6 · Processors & transfers
We use a small set of EU or SCC-protected sub-processors for hosting, email and monitoring. We notify customers at least 30 days before adding a new processor, and our primary data centres are in Frankfurt (DE) and Helsinki (FI). Any transfer outside the EEA relies on Standard Contractual Clauses plus encryption safeguards.
7 · Security
- ISO 27001-aligned policies, MFA and least-privilege access.
- Continuous vulnerability scanning and annual third-party penetration tests.
- TLS 1.3 for all endpoints, full-disk encryption, DNSSEC and HSTS.
- Real-time anomaly detection for token misuse.
8 · Your rights
Subject to local law you can:
- access, rectify or erase your data;
- restrict or object to certain processing;
- receive a portable copy of data you provided;
- lodge a complaint with the Estonian Data Protection Inspectorate or your local authority.
Send requests to contact@colleagueboost.com; we respond within 30 days.
9 · Children
Colleague Boost is aimed at business users and is not intended for minors under 16.
10 · Policy changes
If we make material changes, we will post the update here and email workspace admins at least 15 days before it takes effect. Historic versions are available upon request.
Questions?
Email contact@colleagueboost.com or write to our registered address above—our team will be happy to help.