Privacy Policy

DemandBird LLC (“we”, “us”, or “our”) operates the website at demandbird.com and provides a LinkedIn analytics and content strategy platform for B2B teams (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service. Please read it carefully.

Note on scope: DemandBird is a business-to-business (B2B) platform. Our customers are companies and professionals using LinkedIn for business purposes. This policy covers data about our customers (account holders) and, where applicable, data processed on their behalf via integrations such as LinkedIn OAuth.

If you have questions about this policy, contact us using the contact form on our website.

1. Information We Collect

Information you provide directly:

• Email address and name when you join our waitlist, create an account, or contact us
• Billing information when you subscribe to a paid plan (processed by Stripe — we do not store card details)
• Content you submit when using our free tools (e.g., LinkedIn post text, profile information)
• Messages and attachments when you communicate with us via email or contact forms

Information collected automatically:

• Usage data — pages visited, features used, session duration, and actions performed
• Device and browser information — device type, operating system, browser type, and IP address
• Referral sources and referring URLs
• Cookies and similar tracking technologies (see Section 6)

Information from LinkedIn (via OAuth integration): See Section 3 below.

Content you enter into our free tools is processed in real time to generate results and is not stored, shared, or used for any other purpose.

2. How We Use Your Information

We use the information we collect to:

• Operate, maintain, and improve our website and Service
• Provide LinkedIn analytics, content strategy recommendations, and scheduling features
• Process payments and manage your subscription
• Send you product updates, launch announcements, and communications you have signed up for
• Respond to your questions and requests
• Understand how users interact with our Service so we can improve it
• Detect, prevent, and address fraud, abuse, and security issues
• Comply with legal obligations

3. LinkedIn OAuth Integration

When you connect your LinkedIn account to DemandBird via OAuth, you authorize us to access certain data from your LinkedIn profile and activity on your behalf. We access only the data necessary to deliver the Service.

Data we may access via LinkedIn OAuth:

• Profile information — name, profile photo, headline, and public profile details
• Post and content data — your published posts, articles, and content you create within DemandBird
• Engagement and analytics data — impressions, reactions, comments, shares, and follower metrics associated with your posts and profile
• Network data — connection count and follower information as exposed by the LinkedIn API

What we do not access: We do not access your LinkedIn messages, private contact information beyond what you explicitly share, or any data beyond the OAuth scopes you authorize.

Your role as Data Controller: When you connect LinkedIn, you remain the Data Controller for your LinkedIn data. DemandBird acts as a Data Processor, processing this data solely to deliver the Service you have contracted with us for. You may revoke LinkedIn access at any time through your DemandBird account settings or directly through your LinkedIn account.

LinkedIn’s own privacy policy governs how LinkedIn collects and uses your data. DemandBird’s use of data obtained via LinkedIn APIs is subject to the LinkedIn API Terms of Use.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or the United Kingdom, we process your personal data based on the following legal grounds:

As a Data Controller (your DemandBird account information):

• Contract performance — processing necessary to provide the Service you have subscribed to
• Legitimate interests — to operate and improve our Service, prevent fraud, and conduct analytics, where these interests do not override your fundamental rights
• Consent — where you have given explicit consent, such as joining our waitlist or subscribing to marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation — where processing is necessary to comply with applicable laws

As a Data Processor (LinkedIn data accessed via OAuth): We process your LinkedIn data under your instructions as the Data Controller, solely for the purpose of delivering the DemandBird Service.

5. Sharing Your Information

We do not sell your personal information. We do not disclose personal information for third-party marketing purposes. We may share information with:

• Service providers (subprocessors) — third parties who perform services on our behalf, including email delivery, payment processing, hosting, and analytics. See Section 10 for our subprocessor list. These providers are contractually obligated to process your information only as necessary to provide services to DemandBird and to comply with applicable data protection laws.
• Legal requirements — law enforcement or other parties when required by law, court order, or to protect our rights, property, or safety, or that of others.
• Business transfers — a successor entity in the event of a merger, acquisition, or sale of assets. We will provide notice before your information becomes subject to a different privacy policy.

6. Cookies and Analytics

We use cookies and similar tracking technologies to analyze site traffic and improve your experience. Types of cookies we use:

• Essential cookies — required for authentication, security, and basic functionality
• Analytics cookies — help us understand how visitors use our site (e.g., Google Analytics)

You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on. You can control or disable cookies through your browser settings, though this may affect some site functionality.

7. Data Retention

We retain your information for as long as necessary to provide our Service and comply with legal obligations:

• Account information — retained while your account is active. After account termination, personal data is deleted within 30 days except where retention is required by law.
• Billing records — retained for the duration of our business relationship plus 7 years for tax and accounting compliance.
• LinkedIn integration data — retained while your LinkedIn connection is active. Upon disconnection or account deletion, this data is deleted within 30 days.
• Analytics data — usage logs retained for up to 12 months, then aggregated and anonymized. Aggregated data may be retained indefinitely.
• Communications — support and contact messages retained for 12 months after last communication, unless related to an active dispute.

You may request deletion of your personal data at any time. We will respond within 30 days, subject to legal retention obligations.

8. Your Privacy Rights

All users: You may opt out of marketing communications at any time by clicking “unsubscribe” in any email we send, or by contacting us via our contact form.

EEA and UK residents (GDPR): You have the right to:

• Access (Article 15) — request a copy of the personal data we hold about you
• Rectification (Article 16) — request correction of inaccurate or incomplete information
• Erasure (Article 17) — request deletion of your personal data, subject to legal exceptions
• Restriction (Article 18) — request that we limit how we process your data pending resolution of a dispute
• Portability (Article 20) — receive your data in a structured, machine-readable format
• Object (Article 21) — object to processing based on legitimate interests, including for direct marketing
• Withdraw consent (Article 7) — at any time, without affecting the lawfulness of prior processing
• Automated decision-making (Article 22) — see Section 9
• Lodge a complaint — with your local data protection authority at any time, without contacting us first

California residents (CCPA/CPRA): If you are a California resident interacting with DemandBird in a business capacity, you have the following rights:

• Right to Know — request what personal information we collect, use, and disclose
• Right to Delete — request deletion of personal information we have collected, subject to exceptions
• Right to Correct — request correction of inaccurate personal information
• Right to Opt-Out — opt out of the sale or sharing of your personal information. DemandBird does not sell or share personal information.
• Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, use our contact form and note “California Privacy Request” in your message. We will verify your identity and respond within 45 days.

Virginia, Colorado, Connecticut, and Utah residents: You have rights similar to those under the CCPA, including rights to access, delete, correct, and opt out of certain processing. Submit requests via our contact form.

Nevada residents: Nevada law permits you to opt out of the future sale of certain personal information. While DemandBird does not currently sell personal information, you may submit an opt-out request via our contact form.

To exercise any GDPR rights, contact us via our contact form and note “Data Subject Request” in your message. We will respond within 30 days, or provide an explanation if additional time is required (up to 90 days for complex requests).

9. Automated Decision-Making

DemandBird may use automated analysis to generate content recommendations, post scoring, engagement predictions, and performance insights based on your LinkedIn data and usage patterns. These are analytical tools designed to assist your decision-making, not to replace it. No decisions with legal or similarly significant effects are made about you solely by automated means without human review.

If you are an EEA or UK resident and believe an automated process has produced a decision with significant effects on you, you have the right under GDPR Article 22 to request human review, express your point of view, and contest the decision. Contact us via our contact form to exercise this right.

10. Subprocessors and Service Providers

We use the following third-party subprocessors to deliver our Service. All subprocessors are contractually required to process data only as instructed by DemandBird, ensure confidentiality, implement appropriate security measures, and comply with applicable data protection laws.

• Cloudflare — website hosting, CDN, and network infrastructure. Data is served via Cloudflare’s global edge network. (Cloudflare Privacy Policy)
• Stripe — payment processing and subscription billing. Stripe complies with PCI DSS standards. We do not store card details; you authorise Stripe directly. (Stripe Privacy Policy)
• Postmark — transactional email delivery (e.g., account confirmations, receipts). (Postmark Privacy Policy)
• Loops — marketing and product email communications. (Loops Privacy Policy)
• Google Analytics (GA4) — website usage analytics. Google Analytics collects usage data in aggregated and anonymized form. You can opt out via the Google Analytics Opt-Out Add-on. (Google Privacy Policy)
• PostHog — product analytics and feature usage tracking. (PostHog Privacy Policy)
• Help Scout — customer support ticket management and communications. (Help Scout Privacy Policy)
• Crisp — live chat and customer messaging. (Crisp Privacy Policy)
• HubSpot — customer relationship management (CRM). (HubSpot Privacy Policy)
• Anthropic — AI language model features within the Service. Data submitted to AI features may be processed by Anthropic’s API. (Anthropic Privacy Policy)
• OpenAI — AI language model features within the Service. Data submitted to AI features may be processed by OpenAI’s API. (OpenAI Privacy Policy)

We may add or change subprocessors as our business evolves. We will update this list when material changes occur. GDPR customers may object to new subprocessors by contacting us via our contact form.

11. Data Security

We implement comprehensive technical and organizational security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction:

• Encryption of data in transit using SSL/TLS and encryption of sensitive data at rest
• Secure authentication protocols, including support for multi-factor authentication
• Access controls and role-based permissions limiting data access to authorized personnel only
• Regular security assessments and vulnerability reviews
• Security monitoring and incident response procedures
• Employee confidentiality obligations and security training

However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are also responsible for maintaining the security of your account credentials.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required under GDPR Article 33
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under GDPR Article 34
• Provide notice by email to the address associated with your account, or by prominent notice on our website if individual notification is not practicable

If you believe your account may have been compromised, contact us immediately via our contact form.

13. Do Not Track

Our Service does not currently respond to Do Not Track (DNT) signals. You can control tracking preferences through your browser settings and through the cookie options described in Section 6.

14. Children’s Privacy

Our Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with their information, please contact us and we will delete it promptly.

15. International Data Transfers

Your information may be transferred to, stored in, and processed in the United States and other countries. If you are located in the EEA or UK, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) approved under GDPR where applicable. Our subprocessors maintain their own transfer safeguards as described in their respective privacy policies.

16. Third-Party Links

Our website may contain links to third-party sites. This Privacy Policy applies only to our Service. We are not responsible for the privacy practices of third-party sites and encourage you to review their policies.

17. SMS/Text Messaging

If you are a paying subscriber, you may choose to receive SMS notifications from DemandBird regarding the status of your scheduled social media posts (e.g., confirmation that a post has been saved or published). You initiate SMS communication by scanning a QR code within your account dashboard and sending a text message to our designated number. We will only send SMS messages in response to your initiated communication.

Message frequency varies based on your usage. Message and data rates may apply. You can opt out of SMS communications at any time by replying STOP to any message. Reply HELP for assistance.

We do not share your phone number or SMS consent with any third parties. Your phone number is used solely for delivering post status notifications through our service.

18. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will update the “last updated” date at the top of this page. Material changes will be communicated by email where you are on our list or by notice on our website. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please use the contact form on our website. We will respond within 30 days. If you are an EEA resident and believe we have violated your privacy rights, you also have the right to lodge a complaint with your local data protection authority.