Legal

Privacy Policy

Linkd HQ — A product of DesignedIT Inc.
Effective January 21, 2026

1. Purpose and Scope

This Privacy Policy explains how DesignedIT Inc., operating under the brand Linkd HQ (“Linkd,” “we,” “us,” or “our”), collects, processes, stores, and protects information in connection with:

  • the Linkd website and related pages,
  • the Linkd software platform, including internal and public-facing knowledge spaces,
  • any related services, features, APIs, or integrations (collectively, the “Service”).

This policy applies only to Linkd and does not govern third-party services or websites that may be linked or integrated.

2. Roles and Data Responsibility Model

Critical Information

Understanding how data responsibility is shared between Linkd and Customers.

2.1 Customers as Controllers

Organizations that create or manage a Linkd account (“Customers”) are the sole controllers of all content, data, and information they upload, connect, publish, or otherwise make available through the Service (“Customer Content”).

2.2 Linkd as a Service Provider

Linkd acts solely as a technology service provider / processor, providing infrastructure that enables Customers to organize and access their own information.

Linkd:

  • does not determine the purpose or legality of Customer Content,
  • does not review, approve, or validate Customer Content,
  • does not decide what information is appropriate to publish internally or publicly.

3. Categories of Information Collected

3.1 Administrative & Account Information

Collected from Customers and administrators:

  • Name
  • Business email
  • Organization name
  • Account settings
  • Subscription and billing metadata

3.2 Usage, Log, and Technical Data

Collected automatically:

  • IP address and approximate geographic location
  • Device type, operating system, browser
  • Query timestamps, frequency, and performance metrics
  • Authentication events and access logs
  • Error logs and security events

3.3 Customer Content

Customers may upload or connect:

  • documents, PDFs, spreadsheets,
  • text, forms, policies, procedures,
  • URLs, structured data, or other materials.

Important: Linkd does not require Customers to upload personal data, patient identifiers, medical records, or regulated health information. Customers alone determine what content they choose to upload and are responsible for ensuring lawful use.

Data Minimization Principle: We encourage customers to upload only the minimum information necessary to operate their knowledge base. For patient-facing content, generic FAQs and policies are typically sufficient—individual patient records should not be uploaded. If Customer Content does contain personal health information (PHI), customers are responsible for ensuring they have legal authority to process such data and must execute a Business Associate Agreement with Linkd.

3.4 Communications

Information contained in support requests, onboarding emails, and feedback submissions.

4. How Information Is Used

Linkd uses information strictly to:

  • operate and deliver the Service,
  • authenticate users and enforce permissions,
  • process Customer Content to generate responses,
  • maintain security, integrity, and availability,
  • monitor performance and prevent abuse,
  • comply with legal obligations.

Linkd does not use Customer Content for advertising or resale.

5. Artificial Intelligence & Model Use

Very Important

Your data is never used to train AI models.

  • Customer Content is never used to train, fine-tune, or improve general AI models.
  • Customer Content is processed only to index, retrieve, summarize, or respond to user queries within the Customer's configured spaces.
  • Any analytics or metrics used to improve the Service are aggregated and de-identified.

6. Disclosure of Information

Information may be disclosed:

  • to infrastructure and service providers under contractual confidentiality obligations,
  • to Customers (administrators accessing their own organization's data),
  • to comply with lawful requests or legal obligations,
  • in connection with mergers, acquisitions, or asset transfers.

We do not sell personal information.

6.1 Third-Party Service Providers (Subprocessors)

Linkd uses the following third-party service providers to deliver the Service:

| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure, database, file storage | Customer Content, metadata, logs | US / Canada |
| Clerk | Authentication & identity | Name, email, login events | US |
| Stripe | Payment processing | Billing information (not stored by Linkd) | US |
| OpenAI | AI inference | Query text only (ephemeral, not stored) | US |

Subprocessor Changes: We will notify customers at least 30 days before engaging new subprocessors that handle Customer Content. Enterprise customers may object to new subprocessors and request alternatives.

Data Flow Transparency: Customer Content flows: Customer → Linkd → Google Cloud (storage) → OpenAI (inference, ephemeral) → Response returned to customer. At no point is Customer Content stored by OpenAI, shared with third parties for marketing, or used for any purpose other than generating responses.

7. Data Retention and Deletion

7.1 Customer Content Retention

  • Active accounts: Retained while subscription is active
  • Cancelled accounts: 30-day grace period, then permanent deletion
  • Deletion method: Cryptographic erasure (encryption keys destroyed)
  • Timeline: Complete deletion within 30 days of request

7.2 Audit Logs (Team Chat)

  • Retention: Minimum 6 years (HIPAA/PHIPA requirement)
  • Cannot be deleted by users to maintain compliance
  • After 6 years: Available for deletion upon customer request

7.3 Security & System Logs

  • Authentication logs: 1 year
  • Error logs: 90 days
  • Performance metrics: Aggregated and anonymized after 90 days

7.4 Backup Retention

  • Active backups: 30 days rolling
  • Deleted data purged from backups within 30 days
  • Backups encrypted with separate keys

7.5 Right to Deletion

Customers and end users can request deletion via:

  • Self-service in dashboard (Settings → Delete Organization)
  • Email to seyran@linkdhq.com with subject “Data Deletion Request”
  • Automatic deletion 30 days after subscription cancellation

Upon completion, we provide written confirmation of deletion, a list of what was deleted, and any residual data (audit logs) with its retention period. Deletion is irreversible and cannot be undone.

8. Security Practices

Linkd implements administrative, technical, and organizational safeguards designed to protect information, including encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, automated monitoring, and regular security assessments. No system is infallible; use of the Service is at Customer's risk. For full details, see our Security page.

9. Individual Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right to Access (GDPR Art. 15, PIPEDA): Request a copy of the personal data we hold about you. Response time: 30 days.
  • Right to Rectification (GDPR Art. 16): Request correction of inaccurate or incomplete data. Response time: 30 days.
  • Right to Erasure (GDPR Art. 17): Request deletion of your personal data (subject to legal retention requirements). Response time: 30 days.
  • Right to Restrict Processing (GDPR Art. 18): Request that we limit how we use your data while a dispute is resolved. Response time: 30 days.
  • Right to Data Portability (GDPR Art. 20): Request your data in a structured, machine-readable format (JSON, CSV). Response time: 30 days.
  • Right to Object (GDPR Art. 21): Object to processing of your data for certain purposes. Response time: 30 days.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time. Effect is immediate, though lawful processing prior to withdrawal remains valid.

How to Exercise Your Rights

Email: seyran@linkdhq.com with subject “Privacy Rights Request”. Include your name, email, organization (if applicable), and the specific right you are exercising. We may request additional information to verify your identity before fulfilling requests. We do not charge for most requests.

Complaints & Supervisory Authorities

If you believe we have violated your privacy rights, please contact us first at seyran@linkdhq.com. You may also file a complaint with your local supervisory authority: Office of the Privacy Commissioner of Canada (priv.gc.ca), your local EU Data Protection Authority, or your US State Attorney General.

10. Team Chat Privacy & Data Handling

Internal Communications

This section specifically addresses privacy practices for Linkd's Team Chat feature.

10.1 Information Collected in Team Chat

  • Identity Information: Email address, first name, last name as provided during authentication
  • Message Content: Messages sent between team members within the organization
  • Session Data: Login timestamps, session tokens, last activity time
  • Device Information: IP address, browser type, device identifier for security purposes
  • Audit Data: Records of all actions taken within Team Chat for compliance

10.2 How Team Chat Data Is Used

  • Deliver messages between authenticated team members
  • Verify user identity through email-based one-time password (OTP) authentication
  • Maintain session security and enforce automatic timeouts
  • Generate audit logs for organizational compliance
  • Enable administrators to manage team access and data

10.3 Data Storage & Encryption

  • All Team Chat data is encrypted in transit using TLS 1.3
  • Data at rest is encrypted using AES-256 encryption
  • Session tokens are cryptographically generated and securely stored
  • OTP verification codes expire after 10 minutes and are deleted after use

10.4 Terms Acceptance & Consent Tracking

When you first access Team Chat, you will be asked to accept these Terms of Service and Privacy Policy. We record the exact timestamp and version of your acceptance, along with your email address and IP address. This record is maintained for legal compliance and may be provided to your organization's administrator upon request.

10.5 Your Rights Regarding Team Chat Data

  • Access: Request a copy of your Team Chat data
  • Deletion: Request deletion of your messages and profile data
  • Portability: Request export of your data in a standard format

To exercise these rights, contact your organization administrator or email seyran@linkdhq.com.

10.6 Administrator Access

Your organization's administrators may view audit logs of your Team Chat activity, revoke your access, delete your messages and data, and export data for compliance purposes. This access is provided to enable organizations to meet their regulatory and compliance obligations.

10.7 Audit Log Retention

Audit logs documenting Team Chat access and actions are retained for a minimum of six (6) years in accordance with healthcare compliance requirements. These logs cannot be deleted by users or administrators to ensure regulatory compliance.

11. Data Processing Agreement (DPA)

Linkd provides a Data Processing Agreement (DPA) for customers subject to GDPR, PIPEDA, or other international privacy regulations. The DPA includes Standard Contractual Clauses (SCCs) for international data transfers, processor obligations and security commitments, subprocessor management and change notifications, data subject rights assistance procedures, security incident notification requirements, and audit rights.

How to Request a DPA: Email seyran@linkdhq.com with subject line “DPA Request” and include your organization name and primary contact. Enterprise plan customers receive the DPA automatically upon subscription.

Business Associate Agreement (BAA): For US healthcare customers requiring HIPAA compliance, we provide a Business Associate Agreement covering permitted uses and disclosures of PHI, safeguards and security measures, breach notification procedures, subcontractor agreements, and return or destruction of PHI upon termination. BAA is available to all plans upon request.

12. International Data Transfers

12.1 Data Storage Locations

  • US Customers: Google Cloud US regions (Iowa, South Carolina, Oregon)
  • Canadian Customers: Google Cloud Toronto region (northamerica-northeast2)
  • EU Customers: EU regions available (Enterprise plan)

12.2 Cross-Border Transfer Safeguards

When data must cross borders, we use Standard Contractual Clauses (EU Commission approved), adequacy decisions (Canada has adequacy status with EU), Data Processing Agreements with explicit transfer terms, encryption in transit (TLS 1.3), and access limited to authorized personnel only with purpose limitation.

12.3 Data Residency Commitment

Your data stays in your chosen region unless you explicitly request cross-region support, or legal process requires disclosure (e.g., court order). In either case, you will be notified when legally permitted. Enterprise customers can configure policies to prohibit data transfer outside their region and receive notification when data crosses borders.

13. Security Incident & Breach Notification

13.1 Customer Notification

If a breach affects your Customer Content or personal data, we will notify you within 24 hours of confirming the breach with details of what happened, what data was affected, how many individuals were potentially impacted, steps taken to contain and remediate, and recommended actions for your organization. We provide ongoing updates every 48 hours until resolved.

13.2 Regulatory Notification

For breaches involving personal information, Linkd will notify applicable authorities:

  • HIPAA (US): HHS notification within 60 days if 500 or more individuals affected
  • PHIPA (Ontario): Information and Privacy Commissioner without undue delay
  • GDPR (EU): Supervisory authority within 72 hours of awareness
  • PIPEDA (Canada): Privacy Commissioner if real risk of significant harm

13.3 Your Notification Obligations

Customers are responsible for notifying affected individuals (patients, staff, etc.) as required by applicable law. Linkd will provide a breach notification letter template, technical details for your legal/compliance team, and support during regulatory inquiries.

Past Incidents: None to date (as of January 2026).

14. Policy Updates

We may update this Privacy Policy from time to time. Changes take effect upon posting. For material changes affecting Team Chat data handling or Customer Content processing, we will notify active users via email at least 30 days before changes take effect.

Privacy Questions?

Contact us at seyran@linkdhq.com for any privacy-related questions, DPA/BAA requests, or to exercise your data rights.