Legal

Privacy Policy

Last updated: 29 April 2026

MyKudos is built on a simple principle: your reputation data is yours. We collect only what we need to run the service, store it securely in the EU, and never sell it. This policy explains what we collect, why, and what you can do about it.

1. What we collect

LinkedIn profile data — When you sign in with LinkedIn, we receive your name, profile photo, email address, and LinkedIn profile URL. We do not receive your password, your connections, or your messages.

Kudos content — The text written by your colleagues when they submit a kudo through your request link. This includes the written testimonial and the relationship context (e.g. “Peer” or “Manager”).

Request data — Recipient names (first name only for quick links, full name and email for direct email requests), the message you crafted, and the channel you used to share the link.

Session data — A secure session token stored in an HTTP-only cookie to keep you signed in. No tracking cookies, no analytics cookies.

2. Why we collect it

LinkedIn data is used to verify that kudos come from real, identifiable people — not anonymous submissions. The verification is the core trust signal of the product.

Kudos content is stored so you can build and manage your reputation library over time.

Request data lets us send branded email requests on your behalf and track the status of outstanding requests in your dashboard.

Session data keeps you signed in so you don't have to authenticate on every visit.

3. Where your data lives

All data is stored in Supabase, hosted on AWS infrastructure in the EU (Frankfurt, eu-central-1). Your data does not leave the European Economic Area.

Transactional emails are sent via Resend, whose infrastructure is EU-compliant. Only the minimum necessary data (recipient email, sender name, the request link) is passed to Resend per email send.

4. Who has access

You — You can see all your data in your dashboard. Your kudos are private by default. Nothing is published without your explicit action.

Giver of a kudo — The person who wrote the kudo can see their own submission. They cannot see other kudos in your library.

MyKudos team — We have access to the database for operational purposes (bug fixes, support requests). We do not read kudo content unless you ask us to investigate a specific issue.

We never sell, rent, or share your data with advertisers or data brokers.

5. Content authorship

Kudos are user-generated content. MyKudos does not author, curate, edit, or verify the substance of any kudo. We verify only the LinkedIn identity of the giver at the moment of writing — confirming who they are, not what they wrote.

The truthfulness of any claim within a kudo is the responsibility of the giver, not MyKudos. Recruiters and hiring managers who view a verified pack should treat kudo content as the personal opinion of the giver.

6. If a kudo is about you

If someone has written a kudo about you that you believe is inaccurate, defamatory, or unauthorized, you may request removal by contacting privacy@mykudos.club. Please include:

  • The relevant URL — your dashboard if you're the recipient, or a public pack URL if you've seen it shared.
  • A description of the issue and why you believe the content is problematic.
  • Verification of your identity — for example, a LinkedIn profile URL or a message sent from the same email address you used to authenticate.

We respond within 7 business days and will notify you of the outcome.

7. Data tracked on verified pack views

When someone views a verified pack at /v/[token], we track:

  • Total view count
  • First viewed timestamp
  • Last viewed timestamp

We do not track:

  • Viewer identity — no fingerprinting, no IP logging.
  • Which specific kudos were clicked or read.
  • Time spent on the page.
  • Device information beyond what is necessary for the page to render.

This minimal tracking exists so the sender knows their pack was opened. It is not analytics and is not shared with third parties.

8. Product Analytics

We track product events to understand how MyKudos is used and to improve the product. The events table records:

  • When users sign up, complete onboarding, create asks, receive kudos, and create or share briefs.
  • For verified brief views: brief ID, sender ID, view count, and timestamps only — never viewer identity, IP address, or fingerprint.
  • Event properties such as themes, languages, channels used (for example WhatsApp vs email), and counts.

We do not use third-party analytics like Google Analytics. All event data lives in our own database (Supabase EU).

You can request a copy or deletion of your event data at privacy@mykudos.club.

9. Giver rights

If you wrote a kudo and want it removed, you may email privacy@mykudos.club from the same address you used to authenticate with LinkedIn. Please include:

  • The name of the recipient.
  • The approximate date you submitted the kudo.

We will remove the kudo from the recipient's library within 7 business days. Please note: if the recipient has already shared the kudo in a verified pack, that pack may continue to display the content until the sender regenerates or revokes it. We will inform the recipient of the removal request.

10. Your rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — You can correct inaccurate data directly in your profile settings.
  • Right to erasure (Art. 17) — You can delete your account and all associated data by emailing privacy@mykudos.club.
  • Right to data portability (Art. 20) — You can request an export of your kudos in a machine-readable format.
  • Right to object (Art. 21) — You can object to processing based on legitimate interest by contacting us.

To exercise any of these rights, email privacy@mykudos.club. We will respond within 30 days.

11. Data retention

We keep your data for as long as your account is active. When you delete your account, all personal data is permanently deleted within 30 days.

Kudos content that was sent to you by a colleague remains in your library until you archive or delete it, or until you delete your account.

12. Cookies

We use one essential cookie: a secure, HTTP-only session cookie to keep you signed in. This cookie contains no personal data beyond a session identifier.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify you across the web. No cookie consent banner is required because we only set strictly necessary cookies.

13. Third-party services

  • Supabase — Database and authentication infrastructure. Hosted in EU (Frankfurt). Data processing agreement in place.
  • LinkedIn (Microsoft) — Used exclusively for identity verification during sign-in. We receive only standard OpenID Connect claims (name, email, photo). We do not post to LinkedIn on your behalf.
  • Resend — Transactional email delivery for kudo request emails. Only the recipient's email and the relevant request content are shared with Resend per email send.
  • Vercel — Application hosting. Edge functions and serverless compute. EU region configuration in place.

14. How to delete your data

Email privacy@mykudos.club with the subject line “Delete my account” from the email address associated with your account. We will permanently delete all your data within 30 days and confirm when it's done.

15. Contact

For privacy questions, data requests, or GDPR complaints: privacy@mykudos.club

You also have the right to lodge a complaint with the relevant data protection authority in your EU member state.