Legal

Privacy Policy

Last updated: March 19, 2026

Contents

1. Who we are 2. What data we collect 3. Google account data 4. What we do not collect 5. How we use your data 6. What we never do 7. Legal basis for processing 8. Where data is stored 9. Data retention 10. Third-party services 11. Your rights 12. Children's privacy 13. Changes to this policy 14. Contact

1. Who we are

DMCoPilot is a Chrome browser extension operated by Unfair Advantage Ltd ("we", "us", "our"). DMCoPilot helps professionals draft personalised LinkedIn messages, comments, and posts using AI. This privacy policy explains how we collect, use, store, and protect your personal data when you use the DMCoPilot extension and associated services.

2. What data we collect

We collect only the data necessary to provide and improve the DMCoPilot service:

Account data: Your email address and hashed password (or Google account identifier if you sign in with Google) used to create and manage your account.
Your LinkedIn profile: During onboarding, we read your own publicly visible LinkedIn profile data (name, headline, about section, experience, skills) and recent posts to build a writing style profile. This data is used solely to personalise AI-generated drafts to sound like you.
Prospect LinkedIn data: When you save a prospect, we read their publicly visible LinkedIn profile information (name, headline, company, about, experience, location). This data is stored to generate contextual message drafts.
LinkedIn message content: When you open a LinkedIn messaging thread, the extension reads the visible message content in that thread to provide conversation context for draft generation. Messages are stored in our database.
LinkedIn post content: When you use the Comment Writer feature, the extension reads the content of the specific LinkedIn post you are commenting on. When you use Post Studio, we read your recent posts to analyse writing patterns.
AI generation data: We log each AI generation request including token counts, estimated cost, playbook used, and the generated draft text. This is used to enforce usage limits, track costs, and improve draft quality.
Payment data: Subscription payments are handled entirely by Stripe. We do not store or have access to your credit card numbers, bank account details, or other financial account information. We store your Stripe customer ID and subscription status to manage your account tier.
Radar signal data: The Radar feature discovers publicly available LinkedIn posts relevant to your industry and ideal customer profile. We store the public post content, author name, and engagement metrics of these posts. This data is sourced from public LinkedIn content via third-party data providers and is used to surface outreach opportunities.
Image generation data: If you use the Post Studio image feature, we store your visual style preferences (colours, layout style) and, if you choose to upload one, a reference photo. These are sent to an AI image generation service to create post images. Your reference photo is used solely for style matching and is not used for any other purpose.

3. Google account data

If you choose to sign in with Google, we receive the following information from Google:

Your email address
Your name (as set in your Google account)
Your Google account identifier (a unique ID used to link your Google account to your DMCoPilot account)

We use this information solely to create and authenticate your DMCoPilot account. We do not access your Gmail, Google Contacts, Google Drive, Google Calendar, or any other Google service data. We do not request any Google API scopes beyond basic profile and email.

Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. What we do not collect

We do not collect your LinkedIn login credentials, session cookies, or authentication tokens.
We do not access LinkedIn data beyond what is publicly visible on screen while you are actively using the extension, except for the Radar feature which discovers publicly available LinkedIn posts via third-party data providers based on industry keywords you configure.
We do not track your browsing activity outside of LinkedIn.
We do not collect data from other browser tabs, extensions, or applications.
We do not record keystrokes, take screenshots, or capture audio/video from your device (except for optional voice-to-text input, which is processed in-memory and never stored).
We do not access your Gmail, Google Drive, Google Calendar, or any Google service beyond authentication.
We do not run in the background when you are not on LinkedIn.

5. How we use your data

To generate AI-powered LinkedIn message drafts, comments, and posts on your behalf.
To personalise drafts to match your natural writing style and voice.
To provide conversation context so drafted messages are relevant to existing threads.
To enforce usage limits based on your subscription tier.
To send transactional emails (account verification, password reset, billing receipts).
To improve the quality of AI draft generation over time using anonymised, aggregated usage patterns (never individual message content shared externally).
To detect and prevent abuse, fraud, and violations of our terms of service.
To discover publicly available LinkedIn content relevant to your industry for the Radar feature, helping you identify outreach opportunities.
To generate post images that match your visual style preferences.

6. What we never do

We never send LinkedIn messages on your behalf. Every message, comment, and post is manually sent by you. The extension generates drafts — you decide what to send.
We never sell your data to third parties.
We never share your LinkedIn data with advertisers, data brokers, or marketing companies.
We never use your data to train third-party AI models without your explicit consent.
We never share your individual message content with other DMCoPilot users.
We never automate any LinkedIn actions (clicks, connections, messages, endorsements, or profile views).

7. Legal basis for processing (GDPR)

We process your personal data on the following legal bases:

Contract performance: Processing necessary to provide the DMCoPilot service you signed up for (account data, LinkedIn profile data for draft generation, message content for context).
Legitimate interest: Processing necessary for service improvement, security, and abuse prevention, where our interests do not override your fundamental rights.
Consent: For optional features like the Post Studio deeper voice analysis, you provide explicit consent before we process additional data.

8. Where data is stored

All application data is stored on Supabase infrastructure hosted in the EU West (Ireland, eu-west-1) region. Data is encrypted at rest and in transit.

AI draft generation requests are processed by the following providers. In each case, the data sent is used solely to generate your requested output and is not used to train their models under their commercial API terms:

Anthropic API (US) — Primary AI provider for message drafts, comments, posts, and profile analysis. Receives your profile context and the prospect/post content relevant to the specific generation. See Anthropic's privacy policy.
OpenAI API (US) — Backup AI provider used when the primary provider is unavailable. Receives the same data types as Anthropic. See OpenAI's privacy policy.
Perplexity API (US) — Used for topic research in Post Studio. Receives search queries based on your industry and ideal customer profile. Does not receive your personal data or message content. See Perplexity's privacy policy.
Google Gemini via OpenRouter (US) — Used for post image generation. Receives style prompts and, if provided, a reference photo. Does not receive message content or prospect data. See Google AI terms and OpenRouter's privacy policy.

Payment processing is handled by Stripe, which stores payment data on their PCI-compliant infrastructure. See Stripe's privacy policy.

9. Data retention

LinkedIn message content: Retained while your account is active. Deleted within 30 days of account deletion.
Prospect profile data: Retained until you delete the prospect or your account.
AI generation logs (tokens, cost, draft text): Retained for 12 months for billing, analytics, and abuse prevention, then automatically deleted.
Account data: Retained until you request deletion of your account.
Payment records: Retained as required by applicable tax and accounting regulations (typically 7 years for transaction records).
Radar signal data (public post content, engagement metrics): Retained for up to 90 days and refreshed automatically. Deleted when you delete your account.
Image style data and reference photos: Retained while your account is active. Reference photos are deleted within 30 days of account deletion.

10. Third-party services

We use the following third-party services to operate DMCoPilot:

Supabase (EU) — Database hosting, user authentication, and serverless functions.
Anthropic (US) — Primary AI language model API for draft generation (messages, comments, posts, profile analysis). Data sent is used solely to generate your output and is not used for model training under commercial terms.
OpenAI (US) — Backup AI language model API, used when the primary provider is unavailable. Same data handling as Anthropic.
Perplexity AI (US) — Web search API for Post Studio topic research. Receives search queries based on your industry topics. Does not receive personal data.
Google Gemini via OpenRouter (US) — AI image generation for Post Studio visuals. Receives style prompts and optionally a reference photo. Does not receive message content or prospect data.
Apify (EU/US) — Data provider for the Radar feature. Discovers publicly available LinkedIn posts matching industry keywords. Receives search keywords only. Does not receive your personal data, account information, or LinkedIn credentials.
Stripe (US/EU) — Payment processing. We never see or store your card details.
Resend (US) — Transactional email delivery (verification emails, password resets).
Google (US) — Optional sign-in via Google OAuth. Only basic profile and email data is accessed.
Vercel (US) — Hosting for our website and landing pages.

11. Your rights

Under GDPR and applicable data protection laws, you have the right to:

Access your personal data and request a copy of what we store.
Rectify inaccurate or incomplete personal data.
Delete your account and all associated personal data.
Restrict processing of your personal data in certain circumstances.
Data portability — receive your data in a structured, machine-readable format.
Object to processing based on legitimate interest.
Withdraw consent at any time for consent-based processing.

To exercise any of these rights, email support@unfairadvantage.ltd. We will respond within 30 days.

12. Children's privacy

DMCoPilot is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

13. Changes to this policy

We may update this privacy policy as the product evolves. Significant changes will be communicated via email to registered users. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the extension after changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this privacy policy or how we handle your data, contact us at:

Unfair Advantage Ltd
Email: support@unfairadvantage.ltd