AI Skill Audit — Privacy Policy
1. Introduction
This Privacy Policy describes how the AI Skill Audit LinkedIn Developer Application (the “Application”) accesses, uses, stores, and protects information when publishing automated content from the operator’s own LinkedIn Company Page through LinkedIn’s official APIs.
The Application is operated by Mark Zhou as the developer behind tarai.dev — the AI Skill Safety Scoreboard (formerly AI Michelin Guide). The Application is used solely to publish editorial and audit-report content originating from tarai.dev to the operator’s TARAI LinkedIn Company Page. No third-party content, no sponsored advertising, no client-on-behalf publishing.
2. Information We Access
2.1 Authentication Tokens
When a LinkedIn Page administrator authorizes the Application via OAuth 2.0, LinkedIn returns the following credentials:
| Data Type | Purpose | Storage Location |
|---|---|---|
| Access Token | Authenticate API requests on behalf of the authorizing administrator | Local .linkedin_org_tokens.json on the operator’s server |
| Refresh Token | Renew the access token on expiry, without re-prompting the administrator | Same local file as above |
| Administrator Profile (sub, name, email) | Confirm the authorizing user is an administrator of the target Page | Local configuration, used at link time only |
2.2 Organization Identifiers
The Application accesses the LinkedIn Organization URN (urn:li:organization:<id>) for the TARAI Company Page. This identifier is used as the author field on outgoing posts so LinkedIn correctly attributes them to the Company Page rather than the administrator’s personal profile.
2.3 Posted Content
The Application transmits content created and reviewed by the operator. This content is generated upstream by tarai.dev’s editorial pipeline (audit reports, weekly spotlights, security findings, etc.) and includes:
- Plain-text post body
- Optional cover image (uploaded as a LinkedIn asset reference)
- Optional external links to tarai.dev for the full audit report
The Application does not read or store the existing followers, comment threads, or reactions on the TARAI Page beyond what is required to confirm a successful post.
2.4 Operational Telemetry
The following operational data is recorded locally on the operator’s server:
- Publishing timestamps
- LinkedIn API response status (success / error code)
- Returned post URN and URL for each successful publish
- Local error logs for troubleshooting failed publishes
3. How We Use the Information
| Purpose | Description |
|---|---|
| Content Publishing | Create posts on the TARAI Company Page on behalf of the authorizing administrator. |
| Authentication | Maintain authorized access to the LinkedIn API. |
| Token Management | Automatically refresh the access token before expiry. |
| Error Handling | Diagnose and resolve failed publishes via local logs. |
| Compliance | Confirm administrator role on the target Page before publishing. |
Prohibited uses. The Application is not used for: advertising or sponsored content delivery; reselling LinkedIn data to third parties; profiling LinkedIn members or building behavioral models; publishing on behalf of any organization other than TARAI / tarai.dev; bulk member outreach, scraping, or any other practice prohibited by the LinkedIn API Terms of Use.
4. Storage and Security
4.1 Local-Only Storage
| Data | Location | Format |
|---|---|---|
| OAuth Credentials | /opt/postall/projects/tar/.linkedin_org_tokens.json | JSON, mode 600 |
| Application Logs | /opt/postall/logs/linkedin-org.log | Plain text |
| Posted Content Reference | Local Markdown file under /opt/postall/output/ | Per-topic folder |
No LinkedIn-sourced data is transmitted to any third-party server. All communication is point-to-point between the operator’s server and api.linkedin.com over HTTPS.
4.2 Security Measures
- Access tokens are used only against official LinkedIn API endpoints.
- Token files are stored with restrictive POSIX permissions (mode 600, owner-only).
- All API requests use HTTPS (TLS 1.2+).
- The operator’s server enforces SSH key-only access; no shared credentials.
- Refresh tokens are rotated on use; expired refresh tokens trigger a re-authorization prompt rather than a silent failure.
4.3 Data Retention
- Credentials are retained until the authorizing administrator revokes them through LinkedIn (see §7) or the operator deletes them manually.
- Logs are retained on a rolling 30-day window and deleted thereafter.
- Published-post references stay until the operator removes the source folder.
4.4 Deletion
Anyone with administrator access to the TARAI LinkedIn Page may revoke the Application at any time through LinkedIn’s permitted-services settings. Revocation invalidates the stored access and refresh tokens immediately. The operator deletes the corresponding token file and log entries within seven (7) days of any revocation.
5. Data Sharing
The Application does not share, sell, or transmit LinkedIn-sourced data to any third party. There are no analytics services, advertisers, data brokers, or external dashboards involved.
Data flow:
- Operator’s server ↔ api.linkedin.com only.
6. LinkedIn-Specific Considerations
| Item | Detail |
|---|---|
| API Product | Community Management API |
| OAuth Scopes | r_organization_social, w_organization_social, openid, profile, email |
| Token Lifetime | Access token: 60 days. Refresh token: 365 days. Both auto-refreshed on use. |
| Target Page | TARAI LinkedIn Company Page (operator-owned). No third-party Pages are targeted. |
| LinkedIn Privacy Policy | https://www.linkedin.com/legal/privacy-policy |
| LinkedIn API Terms | https://legal.linkedin.com/api-terms-of-use |
7. Your Rights and Choices
| Right | How to Exercise |
|---|---|
| Access | The authorizing administrator may inspect the stored token metadata by contacting the operator. |
| Revoke | Disconnect the Application via LinkedIn → Settings → Data privacy → Permitted services. |
| Delete | Request token-file deletion through the contact channel below; the operator removes the file and confirms within seven (7) days. |
| Withdraw Consent | Stop using the Application at any time. Revocation through LinkedIn is sufficient. |
| Complaint | Direct any complaint about LinkedIn data handling to LinkedIn directly via their privacy form, with a copy to the operator if it concerns this Application. |
7.1 Revoking Application Access on LinkedIn
- Go to linkedin.com → Settings → Data privacy.
- Open “Permitted services.”
- Find “AI Skill Audit” in the list and click “Remove.”
Revocation is immediate. The operator will no longer be able to publish on behalf of the TARAI Page after revocation.
8. Legal Basis for Processing (GDPR)
For users in the European Economic Area, the Application processes personal data on the following bases:
- Consent — The Page administrator explicitly grants the Application access through LinkedIn’s OAuth 2.0 consent screen, with the requested scopes visible at the time of authorization.
- Contract — Processing is necessary to deliver the requested publishing service.
- Legitimate Interest — Operational logs are kept on a 30-day rolling window solely to diagnose publishing failures.
9. International Data Transfers
The Application’s server is located in the United States. LinkedIn’s API endpoints are operated by LinkedIn Corporation and its affiliates and may serve traffic from multiple regions. All transfers in and out of the operator’s server happen directly with LinkedIn’s official infrastructure; no intermediate processors handle LinkedIn data.
10. Children’s Privacy
The Application is not directed at, and does not knowingly collect information from, children under thirteen (13) years of age (sixteen (16) in the EEA). The Application’s only data subjects are LinkedIn Page administrators authorizing publishing access on their own Pages.
11. Changes to This Policy
Material changes are reflected by updating the “Last Updated” date at the top of this page. Continued use of the Application after a material change constitutes acceptance of the revised policy. The operator will surface a notice on tarai.dev for any change that materially expands the data collected or its use.
12. Compliance
This Application is designed to comply with:
- LinkedIn API Terms of Use
- LinkedIn Marketing Developer Agreement (where applicable)
- LinkedIn Community Policies
- The General Data Protection Regulation (GDPR) for EEA users
- The California Consumer Privacy Act (CCPA) for California residents
13. Contact
Questions about this policy, requests for data access, or revocation confirmations should be directed to:
- Operator: Mark Zhou
- Site: https://tarai.dev/
- GitHub: https://github.com/qingxuantang
14. Consent
By authorizing the Application through LinkedIn’s OAuth 2.0 consent screen, the authorizing Page administrator acknowledges having read and understood this Privacy Policy. Consent covers:
- The collection of authentication tokens scoped to the TARAI Company Page;
- The use of those tokens to publish operator-authored content on the TARAI Page;
- The local storage of credentials and operational telemetry as described in §4.
Consent may be withdrawn at any time by revoking the Application through LinkedIn’s permitted-services settings (see §7.1).
This privacy policy is published at https://tarai.dev/privacy-policy.html and is referenced as the Privacy Policy URL for the “AI Skill Audit” LinkedIn Developer Application.