PRIVACY POLICY | THE SALES NINJA

Morpheus Agency, SAS, share capital €1,000, RCS Bordeaux SIREN 943 590 182
16 rue des Quinconces, 33000 Bordeaux, France
Contact: support@thesales.ninja

The Sales Ninja is a trade name operated by Morpheus Agency.

Last updated: 10 May 2026

Governing language. The French version of this Privacy Policy is the legally binding version. This English translation is provided for information only. In the event of any inconsistency, the French version shall prevail.

1. Purpose

This Privacy Policy describes how Morpheus Agency ("we", the "Provider") processes personal data in connection with:

the website https://thesales.ninja;
the The Sales Ninja SaaS platform (the "Service");
the Chrome extension "The Sales Ninja: LinkedIn Connector" (the "Extension").

It supplements and forms an integral part of the Terms of Service.

It addresses three categories of individuals:

Authorized Users of our customers (people who log in to the Platform);
website visitors;
End Users (in particular our customers' prospects whose data is processed by Agents, see Part B).

2. Our role (controller / processor)

We act in two different capacities depending on the processing activity:

Context	Our role	Controller of purposes
Customer account, billing, support, website analytics, operation of the Extension	Controller	Morpheus Agency
Data processed by Agents on behalf of our customers (prospect lists, message content, conversation logs)	Processor under Article 28 GDPR	The Customer (controller)

Sections 3–10 describe the processing for which we are controller (Part A). Section 11 describes the processing for which we act as processor (Part B). Section 12 is dedicated to the Chrome Extension.

PART A: Processing for which Morpheus Agency is controller

3. Categories of data and purposes

Purpose	Data processed	Legal basis
Account creation and management	First/last name, business email, hashed password, company name, role	Performance of contract (GDPR Art. 6.1.b)
Billing and payment	Billing data, Stripe customer ID, payment history, VAT number	Legal obligation and performance of contract
Provision and operation of the Service	Technical IDs, usage logs, task logs, consumption metrics	Performance of contract
Customer support	Email exchanges, screenshots provided, session IDs	Legitimate interest (assistance)
Security and abuse prevention	IP address, login logs, anti-fraud signals	Legitimate interest (Service security)
Product analytics and improvement	Aggregated usage data, PostHog events, Sentry error reports	Legitimate interest (improvement), with opt-out
Marketing communications about our own products	Business email, preferences	Legitimate interest (existing customers) or consent (prospects), with opt-out in every message
Website cookies	See Section 8	See Section 8

We never use the above data to train or improve AI models, and we never sell it to third parties.

4. Retention periods

Data	Retention
Active account	Duration of the subscription
Inactive account (no subscription)	12 months after last login, then deletion or anonymization
Billing data	10 years (French accounting/tax obligation)
Support tickets	24 months after closure
Technical and security logs	12 months
Error logs (Sentry)	90 days
Analytics cookies	13 months maximum

Customer Data processed as a processor follows the periods defined in Part B.

5. Recipients and subprocessors

Data may be accessed by: our authorized staff under confidentiality obligations; the technical subprocessors listed in Section 13; public authorities upon legal request.

We do not sell any personal data.

Mobile information. We do not sell, share, or otherwise disclose mobile information (including mobile phone numbers and any data collected via SMS or text messaging) to third parties for promotional or marketing purposes. Mobile information may only be shared with third parties when strictly necessary to deliver the Service (e.g., telecommunications providers for message delivery) or when required by law.

6. International transfers

Some of our subprocessors are located in the United States (see Section 13). Any transfer outside the European Economic Area is framed by:

a European Commission adequacy decision where one exists (notably the EU-US Data Privacy Framework for certified US subprocessors); or
the Standard Contractual Clauses adopted by the Commission (Implementing Decision 2021/914), supplemented where required by additional measures.

A copy of applicable safeguards is available on request at support@thesales.ninja.

7. Security

We implement appropriate technical and organizational measures: encryption in transit (TLS 1.2+), encryption at rest for sensitive data (in particular session cookies connected via the Extension, see Section 12), per-customer isolation, strict access control, access logging, regular security reviews, documented incident management.

No measure can guarantee absolute security; in the event of a personal-data incident, we notify the relevant supervisory authority (CNIL for France) within 72 hours where required and inform affected individuals where the law so requires.

8. Website cookies

The thesales.ninja website uses:

strictly necessary cookies (session, authentication, security), exempt from consent;
analytics cookies (PostHog) in pseudonymized mode, set after consent through the cookie banner;
functional cookies (language, theme preference), exempt from consent.

No advertising cookie is set. Consent can be amended or withdrawn at any time from the cookie management banner at the bottom of the website.

9. Your rights (GDPR)

Under Articles 15–22 GDPR, you have the rights of:

access, rectification, erasure ("right to be forgotten");
restriction of processing and objection on legitimate grounds;
data portability (in a structured, machine-readable format);
withdrawal of consent at any time, without retroactive effect;
objection to direct marketing, at any time and without justification;
giving instructions on the fate of your data after death.

To exercise these rights, write to support@thesales.ninja specifying the subject of your request. We respond within one (1) month, extendable by two months for complex requests. We may request proof of identity in case of reasonable doubt.

If you believe your rights have not been respected, you may lodge a complaint with the CNIL (French data protection authority), 3 place de Fontenoy, 75007 Paris, www.cnil.fr, or with another competent supervisory authority.

10. Specific rights for California residents (CCPA / CPRA)

If you are a California resident, you additionally have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

right to know which categories of personal data we collect, their sources, the purposes and the categories of third parties with whom we share them;
right of access to your personal data;
right to delete your personal data, subject to legal exceptions;
right to correct inaccurate data;
right to limit the use of sensitive personal information to what is strictly necessary to provide the Service;
right to non-discrimination for exercising your rights.

We do not "sell" personal data nor do we "share" it for cross-context behavioral advertising within the meaning of CCPA/CPRA.

To exercise these rights, write to support@thesales.ninja with the subject "California Privacy Request". We may verify your identity before processing the request. You may designate an authorized agent; written proof of authorization will be required.

PART B: Processing for which our customers are controllers (subprocessing)

11. Data processed on behalf of our customers

When our customers use The Sales Ninja to conduct sales prospecting, we process (on their behalf and on their instructions) personal data relating to prospects and recipients of their messages (the "End Users"), including:

identification and contact data (first/last name, email, LinkedIn profile, phone where relevant);
professional data (employer, role, industry, seniority);
exchanged content (messages sent and received, replies, read statuses);
technical metadata associated with message delivery.

11.1 Our role

We act exclusively as processor within the meaning of Article 28 GDPR. Our customer (the business using the Service) is the controller. It is for the customer to:

determine the purposes of the processing;
ensure a valid legal basis before sending any message (documented legitimate interest, consent, performance of contract, etc.);
inform data subjects in accordance with Articles 13 and 14 GDPR;
implement an effective and easily accessible opt-out mechanism in every message;
comply with applicable prospecting laws (GDPR, ePrivacy, CAN-SPAM, CASL, etc.);
respond to data-subject requests.

11.2 Our commitments

Under Article 28 GDPR, we undertake to:

process the data only on documented instructions from the customer;
not use Customer Data to train or improve AI models or our Platform;
implement appropriate technical and organizational measures (Section 7);
ensure confidentiality and bind authorized personnel by confidentiality undertakings;
assist the customer in responding to data-subject requests;
notify the customer of any data breach within 72 hours;
delete or return the data at the end of the contract at the customer's choice;
engage subprocessors only under the conditions of Section 13.

11.3 Retention

Customer Data is retained for the duration of the contract. Upon termination, the customer has thirty (30) days to request return (export). Beyond that period, or absent any contrary request, data is permanently deleted from active systems within thirty (30) days; encrypted backups may retain it until the end of the backup-rotation cycle (90 days maximum).

11.4 Prospect requests

If you are a prospect contacted by a The Sales Ninja customer and wish to exercise your rights (access, deletion, objection), you may:

contact the customer who sent the message directly, as they are the controller and the only party able to act on the contents of their database;
or write to us at support@thesales.ninja so we can forward the request to the relevant customer. We endeavor to assist promptly.

PART C: Chrome Extension "The Sales Ninja: LinkedIn Connector"

12. Chrome Extension

12.1 Single purpose

The Extension has a single purpose: capturing the LinkedIn session cookies of the user authenticated on linkedin.com and transmitting them to their The Sales Ninja workspace, so that the Platform can perform LinkedIn actions on the user's behalf.

12.2 Data collected by the Extension

The Extension reads, only in the context of linkedin.com, the session cookies issued by LinkedIn for the user's browser window (notably li_at, JSESSIONID, bcookie, bscookie, liap, lang). These cookies are used to authenticate requests to LinkedIn on the user's behalf.

The Extension transmits these cookies, via an HTTPS request, only to the app.thesales.ninja domain corresponding to the authenticated user's The Sales Ninja workspace, or (in development) to http://localhost:3000 or http://127.0.0.1:3000.

The Extension does not collect:

the content of the LinkedIn pages viewed (DOM, profiles, posts, messages);
browsing history;
keystrokes or mouse actions;
data from any site other than LinkedIn;
stable identifiers beyond the LinkedIn session cookies.

The Extension does not set third-party cookies, load external analytics scripts or use advertising pixels.

12.3 Single purpose of processing

The transmitted cookies are used exclusively to enable the Platform to perform, on the user's behalf, the LinkedIn actions configured in their workspace (contact search, invitations, message sending, profile reading, depending on enabled features).

LinkedIn cookies are transmitted only to The Sales Ninja's servers and to our LinkedIn connector sub-processor Unipile (European Union), listed in Section 13, which uses them solely to perform the LinkedIn actions described above on the user's instruction.

LinkedIn cookies are never:

transmitted to any other third party;
used to train or improve AI models;
analyzed for advertising or profiling outside of the Service's purpose;
resold or assigned.

12.4 Storage and security

LinkedIn cookies are stored server-side in a dedicated table of our Supabase database, encrypted at rest (application-level encryption layered on top of native storage encryption). Read access is restricted to the technical components strictly necessary for LinkedIn action execution and is logged.

The user's device only retains, via the Extension, a local session identifier (storage API) used to associate the LinkedIn window with the corresponding The Sales Ninja workspace.

12.5 Retention of LinkedIn cookies

LinkedIn cookies captured by the Extension are retained according to the following rules:

Event	Retention
Active subscription with Extension installed	For the period necessary to operate the Service (refreshed automatically on new LinkedIn sessions)
Extension uninstall	Server-side deletion within seven (7) days
Service cancellation	Deletion within seven (7) days of the effective date
Explicit user request (`support@thesales.ninja`)	Immediate deletion (within 48 business hours at the latest)

LinkedIn may, independently, invalidate cookies by revoking the session server-side (logout, password change, expiry). In that case, stored cookies become unusable and are purged on next use attempt.

12.6 Chrome permissions requested

The Extension requests only the permissions strictly necessary to fulfill its single purpose:

Permission	Justification
`cookies`	Read the user's LinkedIn session cookies in the `linkedin.com` context
`storage`	Locally store the associated The Sales Ninja workspace identifier
`alarms`	Periodically trigger LinkedIn cookie sync while the user is active
`host_permissions`: `https://.linkedin.com/`	Read LinkedIn session cookies
`host_permissions`: `https://app.thesales.ninja/*`	Transmit cookies only to the user's workspace
`host_permissions`: `http://localhost:3000/`, `http://127.0.0.1:3000/`	Local development environment, not active in production

12.7 Uninstallation

The user may uninstall the Extension at any time from the Chrome extension manager. Uninstallation triggers the retention rules in Section 12.5.

13. List of subprocessors

Up to date as of the last-updated date of this Policy:

Subprocessor	Role	Location	Transfer mechanism
Supabase Inc.	Database, authentication, file storage	European Union (Frankfurt region)	N/A (EU)
Railway Corp.	Application infrastructure hosting	European Union	N/A (EU)
Vercel Inc.	Web application hosting	United States	EU-US Data Privacy Framework
OpenAI, L.L.C.	AI model provider (content generation)	United States	EU-US Data Privacy Framework / SCCs
Brave Software, Inc.	Web search for Agents	United States	Standard Contractual Clauses
OpenRouter, Inc.	Embedding-model access (internal memory search)	United States	Standard Contractual Clauses
Unipile	LinkedIn connector for automated actions	European Union	N/A (EU)
Full Enrich	Professional contact-data enrichment	European Union	N/A (EU)
Stripe, Inc.	Online payment and billing	United States	EU-US Data Privacy Framework
PostHog Inc.	Product analytics	European Union (EU region)	N/A (EU)
Functional Software, Inc. (Sentry)	Application error monitoring	United States	Standard Contractual Clauses

Any addition or change of subprocessor with a significant impact on data processing is notified to the customer by email with thirty (30) days' notice, during which the customer may object on legitimate grounds, failing which the customer may terminate under the Terms of Service.

Audit note: the location and transfer mechanisms for Unipile, Full Enrich and PostHog should be reconfirmed before publication.

14. Minors

The Service is exclusively intended for professional use by adults. We do not knowingly collect data concerning minors under 16. Any unintended processing reported to us will be deleted promptly.

15. Changes to this Policy

We may update this Policy to reflect changes in our Service, technical stack or legal framework. Any material change is notified by email to Authorized Users with thirty (30) days' notice and published at https://thesales.ninja/privacy with the new last-updated date.

16. Contact

For any question regarding this Policy or to exercise your rights:

Morpheus Agency
16 rue des Quinconces, 33000 Bordeaux, France
Email: support@thesales.ninja

EU residents may also contact the relevant supervisory authority (in France, the CNIL, www.cnil.fr).