Privacy Policy

Last updated: April 9, 2026

This privacy policy applies to the website nooklify.com and the nooklify browser extension (collectively referred to as "the Service").

1. Controller

Amed Otay
HNU Founders Space
John-F.-Kennedy-Straße 7
89231 Neu-Ulm, Germany
Email: hi@nooklify.com

2. Data synced to our servers

The following personal data is transmitted to and stored on our servers (hosted on Supabase) to provide the Service:

Account data

  • Email address and password when you create an account or sign in.

LinkedIn data (via the browser extension)

  • Conversation metadata (conversation identifiers, participant identifiers, timestamps, read/unread status, categories, and archive/mute/star state). We do not store the content of your LinkedIn messages on our servers.
  • Contact information (LinkedIn profile identifiers, names, profile pictures, headlines, connection dates, and any notes you write about contacts within nooklify).
  • Post engagement metrics (likes, comments, shares) when you use the activity analytics feature.

Leads and contacts

  • Lead records you create or import, including display name, LinkedIn URL, status, notes, and labels.
  • Contact data and labels you assign to organize your network.

Content you create

  • Drafts, saved inspiration items, and signal-feed collections.
  • Custom AI prompts, target audience descriptions, and message suggestion settings.

Technical data

  • IP address, browser type, and device information transmitted automatically by your browser when you visit nooklify.com.

All data is transmitted to our servers over encrypted HTTPS/TLS connections.

3. Data stored locally on your device

The following data is cached locally in your browser and never leaves your device. nooklify does not set marketing or analytics cookies.

  • Browser localStorage — authentication session tokens (managed by Supabase), UI preferences (e.g. sidebar state), and search keywords.
  • IndexedDB — message content and conversation data cached for display purposes, contact and participant data.
  • Chrome extension storage (chrome.storage) — your settings, AI prompts, cached lead data, activity analytics results, and productivity-widget data (e.g. focus timer, task lists).
  • LinkedIn session cookies — the extension reads your LinkedIn authentication cookies (such as li_at and JSESSIONID) to authenticate API requests to LinkedIn on your behalf. If you use the multi-profile feature, the extension temporarily stores and swaps these cookies to switch between LinkedIn accounts. These cookies are never transmitted to our servers.
  • Multi-profile data — if you manage multiple LinkedIn accounts, the extension stores serialized cookie sets and profile metadata locally so it can switch sessions. This data remains entirely on your device.

4. Chrome extension permissions

The nooklify Chrome extension requests the following permissions to function. Each permission is used solely for the purpose described:

  • cookies — to read your LinkedIn session cookies for authenticating API requests on your behalf, and to support multi-profile account switching.
  • storage — to save your extension preferences, AI prompts, cached lead data, activity analytics, and multi-profile data locally.
  • tabs — to detect when you are on a LinkedIn page and to open nooklify or LinkedIn tabs as needed.
  • activeTab — to interact with the currently active LinkedIn tab when you invoke extension features.
  • scripting — to inject the nooklify interface into LinkedIn pages for inline features such as reply suggestions and lead actions.
  • sidePanel — to display the nooklify side panel alongside LinkedIn.
  • alarms — to periodically check for new LinkedIn messages and update the unread badge.
  • notifications — to optionally alert you of new LinkedIn messages via desktop notifications.
  • contextMenus — to provide quick-action menu items (e.g. toggle auto-open, notification preferences).
  • declarativeNetRequestWithHostAccess — to modify request headers for LinkedIn API compatibility when the extension communicates with LinkedIn on your behalf.
  • Host access to linkedin.com and media.licdn.com — to communicate with LinkedIn's API and load profile images on your behalf.
  • Host access to nooklify.com and supabase.co — to sync your data with the nooklify web app and our backend services.

5. Purpose and legal basis

  • Providing the Service — processing your account data, LinkedIn data, leads, and content to deliver the features you use (Art. 6(1)(b) GDPR — performance of a contract).
  • AI-assisted features — sending page context or conversation data to our AI provider to generate reply suggestions, research summaries, and content drafts. The data flows from the extension to our Supabase Edge Function, which forwards the request to OpenAI (Art. 6(1)(b) GDPR — performance of a contract).
  • Security and infrastructure — processing technical data to protect the Service against misuse and ensure availability (Art. 6(1)(f) GDPR — legitimate interest).

6. Sub-processors and third-party services

We use the following service providers who may process personal data on our behalf:

  • Supabase Inc. (USA) — user authentication, database hosting, and serverless edge functions (including the AI proxy). Data is stored in Supabase-managed infrastructure and encrypted at rest. See the Supabase Privacy Policy.
  • OpenAI, L.L.C. (USA) — AI text generation for reply suggestions, research, and content drafts. Conversation context and page content may be sent to OpenAI via our Supabase Edge Function. See the OpenAI Privacy Policy.
  • Google Fonts (Google LLC, USA) — font files loaded on some pages. Your browser transmits your IP address to Google when requesting fonts. See the Google Privacy Policy.
  • jsDelivr / Cloudflare — CDN for delivering the Supabase client library. Your browser transmits your IP address when loading this resource.

Where data is transferred to the USA, this is covered by the respective provider's EU Standard Contractual Clauses or an adequacy decision.

7. LinkedIn data, multi-profile accounts, and your responsibility

The browser extension accesses LinkedIn on your behalf using your own LinkedIn session. nooklify acts as a tool that you direct; you remain responsible for complying with LinkedIn's terms of service when using the extension. We do not independently collect data from LinkedIn — all access occurs through your authenticated session and at your instruction.

Multi-profile accounts. If you use the multi-profile feature, the extension stores your LinkedIn authentication cookies for each account locally in Chrome extension storage. When you switch profiles, the extension swaps the active cookie set so LinkedIn recognizes the selected account. These cookie sets are never transmitted to our servers. You can remove stored profiles at any time through the extension settings, which immediately deletes the associated cookie data from your device.

8. Data security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit — all data transmitted between your browser (or the extension) and our servers is encrypted using HTTPS/TLS.
  • Encryption at rest — data stored on our servers (hosted on Supabase) is encrypted at rest using AES-256.
  • Access control — server-side access is restricted via row-level security policies and authenticated API keys.
  • Local data isolation — data stored in Chrome extension storage and IndexedDB is sandboxed by the browser and accessible only to the nooklify extension and origin.

Despite these safeguards, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise that unauthorized third parties will never be able to defeat our security measures.

9. Data retention

  • Account data — retained for as long as your account is active. When you delete your account, we delete your personal data from our servers, including conversation metadata, contact data, leads, labels, drafts, collections, and preferences.
  • Leads, contacts, drafts, and collections — retained for as long as your account is active or until you delete them.
  • AI request content — not stored by us after the response is delivered. Refer to OpenAI's data retention policy for their processing.
  • Local browser data — remains on your device until you clear it, uninstall the extension, or sign out (which clears cached data). Locally cached data in IndexedDB and chrome.storage is automatically removed by Chrome when you uninstall the extension, or you can clear it manually via your browser settings at any time.
  • Server logs — automatically deleted after 30 days.

10. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectification of inaccurate data.
  • Erasure of your data ("right to be forgotten").
  • Restriction of processing.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with a supervisory authority (e.g. the Bayerisches Landesamt für Datenschutzaufsicht).

The easiest way to exercise your rights is by emailing us at hi@nooklify.com. We will consider and act upon any request in accordance with applicable data protection laws.

11. Changes to this policy

We may update this privacy policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. If we make material changes, we may notify you by prominently posting a notice or by directly sending you a notification. We encourage you to review this page periodically.

12. Contact

For privacy-related requests, contact us at hi@nooklify.com.