Privacy, honestly.

Last updated · April 14, 2026

Bonsaily is a small, quiet LinkedIn tool operated by Benjamin Jacobs (sole proprietor, Philippines). This policy explains, in plain English, what we collect, what we do with it, and what we don't do. If anything here is unclear, email [email protected] and we'll fix it.

§ iWhat we collect

If you join the waitlist:

• Your email address
• Your IP address and browser user-agent at signup (abuse prevention only)
• Timestamp

If you sign in with LinkedIn:

• Your LinkedIn profile basics (name, email, profile picture, and a stable LinkedIn user ID)
• An access token and refresh token that lets Bonsaily post on your behalf when you tell it to
• Session records (cookies, timestamps, IP, user-agent) so you stay logged in and we can detect misuse

If you use the product:

• The posts you draft, schedule, or publish through Bonsaily
• Content you explicitly save to your swipe file or voice-training corpus
• Basic usage logs (which features, when) to debug and improve the product

That's the full list. We don't run third-party analytics, fingerprinting, or ad pixels.

§ iiWhat we do with it

• Deliver the product. Post to LinkedIn when you ask us to. Train your personal writing voice. Show you your drafts.
• Send you at most a few emails. A confirmation when you join, a note when your seat opens, and the receipts required if you become a paying customer. No marketing blasts.
• Protect the service. Rate-limit abuse, investigate security incidents.

§ iiiWhat we don't do

• We don't sell your data. Ever.
• We don't share your LinkedIn tokens, profile, or posts with any third party except the subprocessors listed below.
• We don't read your LinkedIn inbox, connections, or private messages. The posting scope (w_member_social) doesn't grant us that access, and we wouldn't want it.
• We don't post anything without your explicit instruction.

§ ivHow it's stored

LinkedIn access and refresh tokens are encrypted (AES-256-GCM) in our database. Even a full database dump alone cannot be used to post on your behalf — the encryption key lives separately on our server. Sessions are stored as opaque random identifiers, never in URLs or JavaScript-accessible storage.

§ vSubprocessors

We run on a small, disciplined stack. These third parties may process your data on our behalf:

• Supabase — database hosting (Postgres)
• Cloudflare — DNS and edge
• Mailtrap — outbound transactional email
• LinkedIn — obviously, since that's the service we connect to
• Stripe — payment processing (only if you become a paying customer)

§ viYour rights

You can, at any time:

• Revoke Bonsaily's access from your LinkedIn permissions page. We'll stop being able to post immediately.
• Delete your account — email us and we'll wipe your record, including encrypted tokens, within 7 days.
• Request a copy of everything we hold on you — same email address.
• Unsubscribe from the waitlist by replying to any email with "unsubscribe" or emailing us directly.

§ viiRetention

Waitlist emails: kept until you unsubscribe or we launch and you either sign up or don't (deleted 90 days after launch if you don't). Account data: kept while your account is active, deleted within 7 days of you requesting deletion or 30 days after subscription cancellation. Backups: rolled off within 30 days.

§ viiiCookies

We use two cookies, both httpOnly and set only after you sign in: bs_access (a short-lived session token) and bs_refresh (a long-lived opaque refresh identifier). No tracking cookies. No third-party cookies.

§ ixChildren

Bonsaily is not intended for anyone under 16. We don't knowingly collect data from minors.

§ xChanges

If this policy changes materially, we'll email waitlist members and active customers before the change takes effect. The "Last updated" date above always reflects the current version.

§ xiContact

Questions, requests, complaints: [email protected]. We read every one.