Privacy Policy

TEKODOT LTD (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy applies to visitors and users of the Layer0 platform and our website. It does not apply to personal data that our customers store within the Services on their own behalf — customers are responsible for that data as data controllers and should refer to our Data Processing Agreement for details of how we handle it as their processor.

The data controller for your personal data is:

We collect the following categories of personal data:

Account and Registration Data

• Name and email address
• Password (stored in hashed form)
• Organisation name and details
• Profile photo (if provided)

Usage and Technical Data

• Log data (IP address, browser type, pages visited, timestamps)
• Device and browser information
• Feature usage and interaction data
• Error reports and performance data

Communications Data

• Messages sent to us via email or in-app feedback
• Support ticket content

Payment and Billing Data

• Billing name, address, and VAT number (if applicable). Card details are handled directly by our payment processor and are not stored by us.

We use your personal data on the following legal bases:

We use cookies and similar technologies to operate the Services and collect usage data. Cookies fall into the following categories:

• Strictly necessary cookies: Required for authentication, security, and core functionality. These cannot be disabled.
• Analytical / performance cookies: Help us understand how users interact with the Services. We obtain your consent before setting these.
• Functional cookies: Remember your preferences (e.g. theme, language).

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Services.

The Layer0 browser extension sends a limited stream of diagnostic events to our analytics provider (PostHog Inc.). We use this data to detect when third-party websites we integrate with (notably LinkedIn) change their interface and break our extension, so we can fix regressions before users notice. Without this telemetry we would have to wait for individual bug reports — which would mean longer outages and a worse experience for everyone.

What we collect

• Lifecycle events: when the extension is installed, updated, signed in, or signed out.
• Action outcomes:for each connection request or message handoff, whether it succeeded or failed, the failure category (e.g. “rate limited”, “already connected”, “send button missing”), how long it took, and which page surface was used.
• Interface diagnostics: when the extension cannot find an expected button, dialog, or composer on the page, we record counts of similar elements present, the page type (e.g. /in/<vanity>,/messaging/thread/<id>), and the API status code returned by LinkedIn. This is the data that lets us detect a LinkedIn redesign within hours rather than days.
• Errors: exception type, message, and stack trace when the extension hits an unexpected runtime error.
• Identifier: when you are signed in, your Layer0 user id and email address are attached so we can correlate failures to your account if you contact support. Before sign-in, an anonymous random id is used.

What we do not send to PostHog

• The text of any message you send or draft.
• The names, profile slugs (/in/<vanity>), profile photos, or any other identifying details of the people you contact through LinkedIn.
• LinkedIn URN values (the opaque internal ids LinkedIn assigns to people and threads).
• The content of LinkedIn pages, replies, or any other browsing activity outside the specific extension actions described above.

Our legal basis for this processing is legitimate interests (Article 6(1)(f) UK GDPR) — specifically, ensuring the extension continues to function correctly as third-party websites change. PostHog acts as our data processor under a Data Processing Agreement; their privacy policy is available at posthog.com/privacy. You may object to this processing or request deletion of telemetry associated with your account by contacting us at the address in section 16.

Operational data forwarded to Layer0

Separately from the PostHog telemetry described above, the extension forwards a small amount of operational data to Layer0’s own backend as part of the normal CRM workflow you are signed in to. This is application data, not analytics, and is stored against your organisation’s account so that Layer0 can show you an accurate record of the actions taken on your behalf. It includes:

• Sent message bodies: when the extension dispatches a queued draft on LinkedIn, the actual text that was sent (which may differ from the original draft if you edited inline before clicking Send, or if placeholders such as {{first_name}} were resolved at paste time) is recorded against the corresponding send in your Layer0 account.
• LinkedIn identifiers:URNs and conversation ids observed alongside the dispatched message, used to reconcile the send with the recipient’s contact record and surface delivery state in the dashboard.
• Connection and reply observations:connection-state changes and inbound replies on threads you have sent through Layer0, used to update the recipient’s status in your CRM.

This data is treated like any other personal data you store in Layer0 and is covered by sections 3 (Personal Data We Collect), 4 (How We Use Your Personal Data), 9 (Data Retention), and 10 (Your Rights) of this policy.

We do not sell your personal data. We may share it with the following categories of recipients only where necessary:

• Service providers: Third-party vendors who process data on our behalf (e.g. cloud hosting, payment processing, email delivery, error monitoring). These providers are bound by data processing agreements and may only use your data as instructed by us.
• Legal and regulatory authorities: Where required by law, court order, or to protect the rights, property, or safety of TEKODOT LTD, our users, or others.
• Business transfers: In connection with a merger, acquisition, or sale of all or part of our business, in which case personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.

We primarily process personal data within the United Kingdom and the European Economic Area (EEA). Where we transfer personal data to countries outside the UK that have not been granted an adequacy decision by the UK Secretary of State, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses to ensure your data receives an equivalent level of protection.

We retain your personal data for as long as necessary to fulfil the purposes described in this policy and to comply with our legal obligations. Our default retention periods are:

• Account data: Retained for the duration of your account and deleted within 90 days of account closure, unless we are required to retain it longer by law.
• Billing and financial records: Retained for 7 years in accordance with HMRC requirements.
• Usage and log data: Retained for up to 12 months.
• Communications and support records: Retained for up to 3 years.

Under UK GDPR you have the following rights in respect of your personal data. To exercise any of these rights, contact us at luke@tekodot.com.

• Right of access:Request a copy of the personal data we hold about you (a “Subject Access Request”).
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure:Request deletion of your personal data in certain circumstances (“right to be forgotten”).
• Right to restriction of processing: Request that we limit how we use your personal data in certain circumstances.
• Right to data portability: Receive your personal data in a structured, machine-readable format and, where technically feasible, have it transmitted to another controller.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making: Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless you have given explicit consent or it is necessary for a contract.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

We will respond to rights requests within one calendar month. We will not charge a fee unless a request is manifestly unfounded or excessive.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with our obligations under UK GDPR.

The Services are not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

The Services may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any external sites you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where we make material changes, we will notify you by email or by a prominent notice within the Services before the changes take effect. The “last updated” date at the top of this page will always reflect when we last made changes.

If you have concerns about how we handle your personal data, please contact us first at luke@tekodot.com and we will do our best to resolve the issue.

You also have the right to lodge a complaint with the UK's supervisory authority:

For any questions or requests relating to this Privacy Policy or your personal data, please contact: