Privacy Policy

Last updated: April 20, 2026

1. Introduction

This Privacy Policy describes how Soshi, Inc. ("Tomoji," "we," "us," or "our") collects, uses, and protects your personal information when you use:

By using our services, you agree to the collection and use of information as described in this policy.

2. Information we collect

2.1 Account information

When you sign up for Tomoji, we collect the information you provide during authentication, including your name, email address, and profile picture. We use WorkOS to manage authentication. We do not store your password — all credential handling is managed by WorkOS.

2.2 Content you create

We store content you create and manage through the dashboard, including draft posts, themes, editorial notes, and comments. This content is stored in our database powered by Convex.

2.3 Chrome extension data

The Tomoji Chrome extension collects and processes:

  • Authentication tokens — stored locally in your browser via chrome.storage.session and chrome.storage.local to maintain your sign-in state.
  • Team preference — your last-selected team is stored locally so the extension remembers your context.
  • Page interaction data — the extension interacts with the DOM on x.com and linkedin.com to fill composer fields and detect when you publish a post. When a post is published, the extension sends the publish status and the posted URL back to our servers so your content's status can be updated in the dashboard.

The extension does not read, collect, or transmit your browsing history, personal messages, or any content beyond what you explicitly choose to publish through Tomoji.

2.4 Contact and marketing information

When you submit a contact form on www.tomoji.com, we collect your name, email address, and any optional information you provide (such as LinkedIn URL, company website, and funding stage). This information is stored in Notion for our internal use and added to our mailing list via Loops.

2.5 Usage analytics

We use Google Analytics on our marketing website to understand traffic patterns. Google Analytics collects anonymized usage data such as pages visited, referral source, and device type. No analytics are collected within the Chrome extension or the dashboard.

2.6 LinkedIn integration data

When you connect a LinkedIn account to Tomoji, we access and process LinkedIn member and organization data through LinkedIn's official APIs, in accordance with the LinkedIn Marketing API Terms and LinkedIn's Data Storage Requirements.

What LinkedIn data we access

  • Authenticated member identifiers and basic profile data — for the LinkedIn member who completes the OAuth flow to connect an account to Tomoji. This includes the member's LinkedIn Person ID, person URN, name, profile picture, and headline. We use this to identify the connected account inside the dashboard.
  • Posts, comments, and reactions on content that Tomoji publishes on behalf of a connected account. This includes post content, post identifiers, the profile data of other LinkedIn members who comment on or react to those posts (name, profile picture, headline, LinkedIn profile URL), and aggregated engagement counts. We use this to display comments and engagement in the dashboard alongside the content we helped publish.
  • Company Page profile and administration data — for LinkedIn Pages that an authenticated admin has connected to Tomoji. This includes Page name, logo, industry, follower counts, and aggregated post-performance metrics.

We request only the OAuth scopes necessary to provide the functionality above. Connected members may review and revoke Tomoji's access at any time from LinkedIn's permitted services settings.

How long we retain LinkedIn data

We follow LinkedIn's Data Storage Requirements and apply the shortest applicable duration where any data field is covered by more than one rule:

  • Authenticated members' IDs, URNs, and basic profile information — retained while the LinkedIn connection is active.
  • Profile data of other LinkedIn members (e.g. people who commented on your post) — cached for no more than 24 hours and not stored beyond that window.
  • Content of members' posts, comments, and other social activity — retained for no more than 48 hours.
  • Connected organizations' posts, comments, and social activity — retained for up to six months while the Page connection is active; otherwise no more than six weeks.
  • Connected organizations' Page profile data — retained for up to eight weeks while the Page connection is active.
  • Page admin and aggregated reporting data — retained for up to one year.

When a LinkedIn connection is disconnected — from inside Tomoji or from LinkedIn's own settings — we revoke Tomoji's access, delete the associated OAuth tokens, and purge any stored LinkedIn data that is no longer covered by an active connection, within the windows above. OAuth access and refresh tokens are encrypted at rest.

Restrictions on use of LinkedIn data

We do not use LinkedIn data for advertising, profiling, retargeting, CRM enrichment, AI model training, or any purpose outside what is required to operate the Tomoji service for the connected member or organization. LinkedIn data is never sold, rented, or shared with third parties other than the infrastructure providers listed in Section 4, and only to the extent necessary to operate the service.

Your LinkedIn data rights and deletion requests

  • Disconnect a LinkedIn account from Tomoji at any time from the team settings page. Disconnecting revokes Tomoji's access and triggers deletion of the associated data within the retention windows above.
  • Revoke Tomoji's access directly in LinkedIn at linkedin.com/psettings/permitted-services.
  • LinkedIn members whose data is stored or cached by Tomoji as a result of engaging with a Tomoji-published post (e.g. by commenting) may request deletion of their data by emailing founders@tomoji.com. We will process verified deletion requests within 30 days, or sooner where required by applicable law or LinkedIn's Marketing API Terms.

3. How we use your information

We use the information we collect to:

  • Provide and maintain the Tomoji dashboard and extension
  • Authenticate you and keep your session active
  • Sync your content between the dashboard and Chrome extension in real time
  • Detect when content is published to X or LinkedIn and update its status
  • Respond to your inquiries and support requests
  • Improve our services based on general usage patterns

We do not use your information for advertising, profiling, or any purpose unrelated to providing the Tomoji service.

4. How we share your information

We do not sell, rent, or trade your personal information. We share data only with the following service providers who are necessary to operate Tomoji:

  • WorkOS — authentication and identity management
  • Convex — real-time database and backend infrastructure
  • Vercel — web application hosting
  • Google Analytics — anonymized marketing website analytics
  • Loops — email communications
  • Notion — internal contact management

Each provider processes data only as necessary to perform their service and is bound by their own privacy policies. We may also disclose information if required by law or to protect our legal rights.

5. Data storage and security

Your content and account data are stored on servers provided by Convex and Vercel, located in the United States. Authentication tokens in the Chrome extension are stored locally on your device and are only transmitted to Tomoji's own backend services for authentication purposes. They are never shared with third parties.

We use industry-standard security measures including encrypted connections (HTTPS/TLS), secure token handling, and access-controlled infrastructure. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

6. Data retention

We retain your account data and content for as long as your account is active. If you request account deletion, we will delete your personal information and content within 30 days, except where we are required by law to retain it.

Contact form submissions are retained in our internal systems for business relationship management purposes.

LinkedIn integration data is retained according to LinkedIn's Data Storage Requirements as described in Section 2.6. Those windows — which for some categories of data are as short as 24 or 48 hours — take precedence over the general retention described above.

7. Your rights

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your account and associated data
  • Export your content data in a portable format
  • Withdraw consent for any processing based on consent

To exercise any of these rights, contact us at founders@tomoji.com. For rights specific to LinkedIn integration data — including disconnecting an account, revoking Tomoji's LinkedIn access, and requesting deletion of data about you that Tomoji received from LinkedIn — see Section 2.6.

8. Chrome extension permissions

The Tomoji Chrome extension requests the following browser permissions:

  • storage — to persist authentication tokens and user preferences locally
  • alarms — to periodically refresh authentication tokens and keep your session active
  • identity — to initiate the OAuth sign-in flow through your browser
  • Host access to x.com and linkedin.com — to inject the Tomoji side panel for browsing drafts, editing content, and filling the platform composer
  • Host access to dashboard.tomoji.com — to receive messages from the Tomoji dashboard (e.g., when you click "Create post")

The extension does not access any websites beyond those listed above. It does not monitor your browsing activity, read your personal messages, or collect any data outside of the Tomoji workflow.

9. Cookies

The Tomoji dashboard uses essential cookies for authentication and session management. Our marketing website uses Google Analytics cookies for anonymized traffic analysis. We do not use cookies for advertising or cross-site tracking.

10. Children's privacy

Tomoji is not directed at children under 13 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this page. Your continued use of Tomoji after any changes constitutes acceptance of the updated policy.

12. Contact us

If you have any questions about this Privacy Policy or our data practices, please contact us: