Privacy Policy
Last updated: 16 May 2026
1. Who we are
Cridl is an AI-assisted LinkedIn content tool that helps professionals and small businesses draft, schedule, and publish LinkedIn posts in their own voice. The Cridl service is operated as a sole proprietorship from India. This Privacy Policy applies to the application available at https://app.cridl.com and to all related features.
2. What data we collect
We collect only the data needed to run the service:
- Account data — your email address and display name, captured through Firebase Authentication when you sign up or sign in.
- LinkedIn data — when you connect LinkedIn, we receive your LinkedIn user ID (sub), name, email address, and profile picture via the openid, profile, and email scopes. We also store your LinkedIn access token and refresh token so we can publish posts on your behalf when you ask us to.
- User-generated content — posts you draft in our editor, AI-generated or uploaded images, your brand profile settings, writing samples, and any custom instructions you provide for the AI.
- Payment metadata — when you subscribe to a paid plan, we store the Razorpay subscription identifier, plan tier, and renewal status. We never see or store your card details — those are held entirely by Razorpay.
- Usage telemetry — counts of posts generated and published, feature usage for plan-limit enforcement, and basic server logs (request paths, status codes) for debugging and abuse prevention.
3. Why we collect it (lawful basis)
We process your data to provide the Cridl service you signed up for — researching, drafting, and publishing LinkedIn posts on your behalf. For users in India this falls under the contractual necessity basis of the Digital Personal Data Protection Act, 2023 (§4(c)). For users in the EU/EEA, the equivalent basis is Article 6(1)(b) of the GDPR. We do not process your data for advertising or profiling.
4. Where it's stored
Your account data and content are stored in Google Cloud Firestore via Firebase (region asia-south1, Mumbai). The application itself is hosted on Vercel. LinkedIn access and refresh tokens are stored in a per-user Firestore document (tokens/{uid}) and are accessed only from our server-side API routes — they are never sent to your browser or exposed via any public endpoint. All communication with LinkedIn uses Authorization: Bearer headers over HTTPS.
5. Who we share it with (sub-processors)
We use a small number of trusted infrastructure providers to operate the service. We do not sell or rent your data to any third party, and we do not use it for advertising or retargeting.
- Google Firebase / Google Cloud — authentication, database storage, file storage.
- Vercel — application hosting and edge functions.
- OpenRouter — routes the AI inference calls used to draft your posts. The post topic, your brand profile, and recent posts you've published are sent as context.
- fal.ai — generates AI images for your posts based on an image prompt derived from the post you wrote.
- Razorpay — payment processing for subscriptions.
- LinkedIn — the publishing target, when you click “Post now” or when a scheduled post becomes due.
6. How we use your LinkedIn data
We only call LinkedIn APIs for scopes you have explicitly granted at OAuth time. We never publish a post without an explicit action from you — either clicking “Post now” in the editor, or setting an explicit future schedule date that you can edit or delete right up until our hourly publisher picks it up. We never read your LinkedIn connections, messages, or activity feed.
You can revoke our app's access at any time from LinkedIn's “Permitted Services” page, or by clicking Disconnect LinkedIn inside Cridl's Settings. Both actions delete the stored tokens immediately.
7. How long we keep it
We keep your account data and content for as long as your Cridl account is active. When you disconnect LinkedIn, your tokens are deleted immediately. When you delete your account, all your data — account, posts, tokens, settings — is deleted within 30 days. Backup snapshots held by our infrastructure providers may persist for up to 90 days before being overwritten.
8. Your rights
You can access, correct, export, or delete your data at any time. Most of this is self-serve inside Cridl Settings. For anything you can't do yourself, email support@cridl.app and we'll respond within 30 days. Users in jurisdictions with additional rights under GDPR, DPDP, or similar laws (objection, restriction, complaint to a supervisory authority) may exercise those rights via the same email.
9. Cookies and tracking
We use a small number of strictly-necessary cookies: a Firebase Auth session cookie to keep you signed in, and a short-lived LinkedIn OAuth state cookie (10-minute lifespan) used only during the LinkedIn connect flow to protect against CSRF. We do not use third-party analytics pixels or ad-tracking cookies at this time.
10. Children
Cridl is not directed at users under 18. If you believe a minor has created a Cridl account, please contact us at support@cridl.app and we will delete the account.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to your registered address before they take effect. The “Last updated” date at the top of this page always reflects the current version.
12. Contact and jurisdiction
For any privacy-related question or request, email support@cridl.app. This policy is governed by the laws of India and any disputes will be subject to the exclusive jurisdiction of the courts at our registered place of business.