Privacy Policy

Last updated:

1 · Who we are

Colleague Boost is a SaaS product operated by Reflatech OÜ (Registry code: 17328561).

Registered address

Juhkentali tn 8
10132 Tallinn
Harju maakond
Estonia

Data-protection contact

contact@colleagueboost.com

2 · Scope

This notice covers personal data processed when you:

  • visit colleagueboost.com;
  • sign in with your LinkedIn account or connect a Company Page;
  • use our Slack or Microsoft Teams integration;
  • interact with our dashboards, emails or support.

3 · What we collect & why

Category | Examples | Purpose | Legal basis*
Account data | name, business email, LinkedIn member URN, organisation URN | create & secure your workspace | Contract
LinkedIn OAuth tokens | access & refresh tokens granted under the LinkedIn Community Management API scopes the employee approves (e.g. openid, profile, w_member_social, r_organization_social, w_organization_social, r_organization_admin, rw_organization_admin) | power LinkedIn-initiated user actions on the employee’s behalf (likes, comments, reshares) and read Company Page posts & analytics for the connected workspace | Contract & explicit member consent
Engagement data | post IDs, notification clicks, action types, timestamps, reach metrics | participation dashboards & ROI | Legitimate interest
Usage analytics | clicks, feature flags, error logs (pseudonymised) | product improvement & abuse prevention | Legitimate interest
Support records | chat or email threads | customer success & dispute resolution | Contract

*Under EU GDPR. Where we rely on legitimate interest we balance it against your rights and always offer an opt-out.

4 · How we handle LinkedIn data (Community Management API)

Colleague Boost integrates with LinkedIn exclusively through LinkedIn’s official APIs, including the LinkedIn Community Management API. We never scrape LinkedIn, never use browser automation, and never operate fake or shared accounts. Every connection to LinkedIn goes strictly through LinkedIn’s standard OAuth 2.0 flow — Colleague Boost never sees or handles a member’s LinkedIn credentials — and every action that touches LinkedIn is initiated by an authenticated member who has explicitly granted us the necessary scopes on LinkedIn’s consent screen.

4.1 · Scopes & consent

  • We request only the minimum LinkedIn scopes needed for the features you enable (e.g. w_member_social for member-initiated likes, comments and reshares; r_organization_social / w_organization_social / r_organization_admin / rw_organization_admin for connected Company Pages).
  • We do not request the LinkedIn email scope and do not collect your LinkedIn-registered email address through the LinkedIn OAuth flow. The business email associated with your Colleague Boost account is provided directly by you (or your workspace admin) at sign-up.
  • The exact scopes are shown on LinkedIn’s consent screen before the member approves them, and the member can revoke access at any time from LinkedIn’s permitted services settings or by disconnecting their account inside Colleague Boost.

4.2 · How LinkedIn data is used

  • Member-initiated actions only. Likes, comments and reshares are only sent to LinkedIn after the member clicks a button in a notification — we never act on LinkedIn on someone’s behalf without an explicit click.
  • Company-Page detection. For connected Company Pages, we read newly published posts to notify the workspace’s authorised members.
  • Aggregated participation analytics. We display post-level engagement and participation metrics so workspace admins can see how their team is supporting Company Page content.

4.3 · What we do not do with LinkedIn data

  • We do not sell, rent, license or otherwise share LinkedIn member data with any third party for advertising, lead generation or resale.
  • We do not use LinkedIn data to train, fine-tune or evaluate generative-AI or machine-learning models.
  • We do not enrich, append or combine LinkedIn data with data from other sources to build profiles about LinkedIn members.
  • We do not use LinkedIn data for any purpose that is not expressly authorised by LinkedIn’s API Terms of Use and the LinkedIn Data Processing Addendum.

4.4 · Storage, refresh & deletion

  • OAuth access and refresh tokens are encrypted at rest with AES-256; support staff never see them in plain text.
  • We refresh and re-sync LinkedIn member data on the cadence required by the Community Management API, so that profile, organisation and post information stays consistent with LinkedIn’s authoritative source.
  • When a member disconnects, an admin removes them, or the workspace is closed, the related OAuth tokens are deleted within 24 hours and cached LinkedIn content (posts, profile fields, engagement records) is purged within 30 days.
  • We honour LinkedIn-initiated takedown, deletion or correction notices and propagate them to our caches without undue delay, in line with the Community Management API Terms.
  • Aggregated post-level analytics derived from LinkedIn data are retained for a maximum of 24 months, in line with the Marketing & Community Management API Terms.

4.5 · Security & abuse prevention

  • All LinkedIn API traffic is sent over TLS 1.3 from servers in Frankfurt (DE), with API keys, client secrets and tokens stored in a managed secrets vault.
  • We monitor for token misuse, rate-limit abuse and anomalous activity, and we cooperate with LinkedIn on any security or compliance investigation.

5 · Retention

Data | Retention | Deletion trigger
Tokens & post-level analytics | while account is active + 30 days backup | contract end or user revocation
Billing records | 7 years (Estonian Accounting Act) | statutory expiry
Product telemetry (aggregated) | rolling 18 months | scheduled purge

You may request earlier erasure where legally permissible.

6 · Processors & transfers

We use a small set of EU or SCC-protected sub-processors for hosting, email and monitoring. We notify customers at least 30 days before adding a new processor, and our primary data centre is in Frankfurt (DE). Any transfer outside the EEA relies on Standard Contractual Clauses plus encryption safeguards, and no LinkedIn member data is transferred outside the EEA without an equivalent level of protection.

7 · Security

  • ISO 27001-aligned policies, MFA and least-privilege access.
  • Continuous vulnerability scanning and annual third-party penetration tests.
  • TLS 1.3 for all endpoints, full-disk encryption, DNSSEC and HSTS.
  • Real-time anomaly detection for token misuse.

8 · Your rights

Subject to local law you can:

  • access, rectify or erase your data;
  • restrict or object to certain processing;
  • receive a portable copy of data you provided;
  • lodge a complaint with the Estonian Data Protection Inspectorate or your local authority.

Send requests to contact@colleagueboost.com; we respond within 30 days.

9 · Children

Colleague Boost is aimed at business users and is not intended for minors under 16.

10 · Policy changes

If we make material changes, we will post the update here and email workspace admins at least 15 days before it takes effect. Historic versions are available upon request.

Questions?

Email contact@colleagueboost.com or write to our registered address above — our team will be happy to help.