LinkLoop
Privacy Policy — VibeCMD LLC
Last updated: February 2026
Your profile and circle data is stored securely on our servers and never shared with third parties for advertising or sold in any form.
About LinkLoop
LinkLoop is a social app that lets you share what matters with your circle. Because LinkLoop is a social network, it stores the profile and connection data necessary to provide the service.
What LinkLoop Collects
- Profile data — display name and any profile information you choose to add
- Circle data — your connections and shared content within the app
- Account credentials — to authenticate your account securely
- CGM data (if connected) — glucose readings fetched from Dexcom or your personal Nightscout instance only when you explicitly authorize it and initiate a sync. See the Dexcom Integration and Nightscout Integration sections below.
All data is stored on secure servers operated by VibeCMD LLC and is used solely to provide the LinkLoop service.
What We Do Not Do
- We do not sell your data to third parties under any circumstances
- No advertising SDKs — LinkLoop contains no ad networks or tracking pixels
- No behavioral profiling for advertising purposes
- No data brokers — your data is never shared with or sold to data brokers
🩺 Dexcom CGM Integration
LinkLoop offers an optional integration with Dexcom Continuous Glucose Monitors (CGMs). This feature is strictly opt-in and follows the authorization and consent flow described below. No glucose data is ever accessed without your explicit approval.
Authorization & Consent Flow
The user must actively tap "Connect Dexcom" on the CGM screen. Nothing is connected automatically. No data is fetched until this action is taken.
Tapping "Connect Dexcom" opens Dexcom's official OAuth login page in the system browser (https://api.dexcom.com/v3/oauth2/login). The user logs in with their own Dexcom credentials and explicitly approves the requested scope on Dexcom's own interface. LinkLoop never sees your Dexcom password.
After approval, Dexcom redirects to the LinkLoop server callback. Access and refresh tokens are stored only on our server. They are never sent to or stored in the mobile app.
Data is only pulled from Dexcom when you tap "Sync Now". There is no background polling or automatic data retrieval without your action.
You can tap "Disconnect Dexcom" at any time in the app. This immediately nulls all stored tokens server-side and marks the connection as inactive. You can also revoke access directly through your Dexcom account at dexcom.com.
Medical Disclaimer: LinkLoop is not a medical device and is not intended to replace clinical care, professional medical advice, or your Dexcom app. CGM data displayed in LinkLoop is for informational and support purposes only. Always rely on your primary Dexcom device and consult your healthcare provider for medical decisions.
🌐 Nightscout Integration
LinkLoop offers an optional integration with Nightscout, the open-source DIY CGM data platform used widely across the T1D community. Nightscout is self-hosted by you — LinkLoop simply reads from your own Nightscout instance with your permission. LinkLoop does not host, control, or have access to your Nightscout server.
How It Works
On the CGM screen, you enter the URL of your own Nightscout instance (e.g. https://yoursite.ns.10be.de). LinkLoop does not know or store this URL until you deliberately enter it.
Access is authenticated using a read-only API token that you generate from your own Nightscout admin panel. LinkLoop stores this token server-side and only uses it to read glucose data — it never uses it to write, modify, or delete any records on your Nightscout instance.
Just like Dexcom, Nightscout data is only fetched when you tap "Sync Now". There is no background polling or automatic retrieval without your action.
Tapping "Disconnect Nightscout" immediately removes your stored URL and API token from our server. Revoking or rotating the token in your own Nightscout admin panel also immediately cuts off LinkLoop's access.
Note: Nightscout is a third-party open-source project not affiliated with VibeCMD or LinkLoop. You are solely responsible for the security and configuration of your own Nightscout instance. LinkLoop is not a medical device. CGM data displayed is for informational and family support purposes only.
🔧 Technical Details
The sections below give a deeper look at how LinkLoop is built and how your data is handled.
01 Technical Architecture
| Layer | Technology |
|---|---|
| Mobile App | React Native / Expo — iOS (iPhone only) |
| Backend | Node.js / Express — hosted on Render.com (US region) |
| Database | MongoDB Atlas (US region, encrypted at rest) |
| Transport | HTTPS / TLS enforced on all endpoints — no HTTP fallback |
| App Auth | JWT tokens (short-lived, validated server-side) |
| Dexcom Auth | OAuth 2.0 Authorization Code flow — server-side only |
The mobile app communicates only with LinkLoop's own backend. It never contacts Dexcom's API directly.
02 How We Use the Dexcom API
| Parameter | Value |
|---|---|
| Endpoint | GET /v3/users/self/egvs (Estimated Glucose Values only) |
| Auth Method | OAuth 2.0 — Authorization Code flow |
| Scope | offline_access |
| Token Storage | Server-side only — never stored in or sent to the mobile app |
| Sync Model | User-initiated ("Sync Now") — no background polling |
| Data Stored | Glucose value (mg/dL), trend direction, trend arrow, timestamp |
| Not Stored | Dexcom username/password, device serial number, raw Dexcom user ID |
| Other Endpoints | None — calibrations, devices, events not accessed |
03 Data Storage & Retention
What is stored in LinkLoop's database (MongoDB Atlas):
| Data | Location | Retention |
|---|---|---|
| Dexcom access_token | Server DB only | Until disconnect or account deletion |
| Dexcom refresh_token | Server DB only | Until disconnect or account deletion |
| Glucose readings (value, trend, timestamp) | Server DB | While account is active |
| User account (name, email) | Server DB | While account is active |
| Care Circle memberships | Server DB | While account is active |
What is never stored:
- ✗ Dexcom username or password
- ✗ Dexcom device serial numbers
- ✗ Raw Dexcom internal user IDs
- ✗ Any data not directly needed to display glucose to the user
- ✗ Advertising identifiers, behavioral data, or analytics profiles
04 Security Controls
- ✅ All traffic — HTTPS / TLS 1.2+ enforced, no HTTP fallback
- ✅ App authentication — JWT tokens, short-lived, validated server-side
- ✅ Dexcom tokens — stored server-side only, never transmitted to app
- ✅ Database — MongoDB Atlas with access controls and encryption at rest
- ✅ Server hosting — Render.com managed infrastructure (automatic security patches)
- ✅ Auto token refresh — silent, 5 min before expiry, no user interruption
- ✅ Disconnect — full token wipe on user request, takes effect immediately
- ✅ Care Circle members — read-only access to data the Warrior explicitly shares
05 Care Circle Sharing Model
The T1D "Warrior" controls their Care Circle completely. They generate a private invite code and choose who to admit. Care Circle members can view glucose data but have strictly limited access.
Members CAN:
- ✅ View the Warrior's current glucose value and trend
- ✅ See recent glucose history
Members CANNOT:
- ✗ Modify or delete glucose data
- ✗ Access the Warrior's Dexcom tokens or credentials
- ✗ Share the Warrior's data further outside the app
- ✗ Add or remove other Circle members
The Warrior can remove any Circle member at any time. Removed members immediately lose access.
🛡️ Privacy Program Statement
VibeCMD LLC maintains the following active privacy practices for LinkLoop:
- This privacy policy is publicly posted at vibecmd.net/privacy/linkloop. It covers data collection, use, storage, deletion, security, and user rights. Last updated February 2026.
- Users may request full account and data deletion at any time by emailing vibetech@vibecmd.net. All data is permanently deleted within 30 days.
- LinkLoop does not sell, share, or monetize user data in any form. No advertising SDKs, no tracking pixels, no data brokers.
- All data in transit is encrypted via TLS/HTTPS. No unencrypted data transmission.
- Privacy inquiries are handled directly by the owner of VibeCMD LLC at vibetech@vibecmd.net.
Not yet formally established:
- Formally designated Privacy Officer / DPO title
- HIPAA NPP (not currently operating as a covered entity)
- ISO 27001 / SOC 2 certifications
- Formal written record retention schedule
LinkLoop is a pre-launch application. These formal program elements are on the roadmap as the user base grows.
Deleting Your Account & Data
You can delete your account and all associated data at any time by contacting us at vibetech@vibecmd.net with the subject line "Delete my LinkLoop account". We will permanently delete your account and all associated data within 30 days.
Data Security
All data is transmitted over HTTPS/TLS. Stored data is protected using industry-standard security practices on servers hosted by Render. In the event of a breach that affects your personal data, we will notify you promptly.
Changes to This Policy
If this policy changes materially, we will notify users in-app and update this page with a new revision date.
Contact
Questions about this policy, your data, or the Dexcom integration:
VibeCMD LLC
Email: vibetech@vibecmd.net
Web: vibecmd.net/contact