Legal

Privacy Policy

Last updated · Effective immediately for all customers and visitors.

1. Overview

This Privacy Policy explains how autodmig ("autodmig", "we", "our", "us") collects, uses, discloses and safeguards personal data when you visit our website, create an account, connect your Facebook and Instagram Business assets, and use our Instagram Auto-DM automation services (collectively, the "Service").

We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), and Meta's Platform Terms and Developer Policies.

TL;DR. We only collect what we need to run automated Instagram messaging on your behalf, we encrypt access tokens at rest, we never sell your data, and you can delete everything at any time.

2. Data controller

The data controller responsible for personal data processed under this policy is:

Legal entity
autodmig
Registered address
Privacy contact / DPO
vedvyas1414@gmail.com
General support
vedvyas1414@gmail.com

EU/UK residents may also lodge a complaint with their local supervisory authority. We are happy to work with you directly first — please reach out before escalating.

3. Data we collect

3.1 Data you provide

  • Account data — your name, email address, profile picture (received from Facebook on first sign-in).
  • Workflow content — keywords, message templates, automation rules and any text you author in the dashboard.
  • Support correspondence — messages you send to vedvyas1414@gmail.com or via our contact form.

3.2 Data we receive from Meta when you connect your accounts

When you click "Continue with Facebook", Meta returns the following data, scoped to the permissions you grant:

  • Facebook user ID, name, email and profile picture URL.
  • The list of Facebook Pages you administer (page id, name, category, page access token).
  • Linked Instagram Business / Creator accounts (instagram id, username, profile picture).
  • Public content delivered through Meta webhooks: incoming DMs, comments on your posts, story replies and mentions, including the sender's IG-scoped id and the message text.

3.3 Data collected automatically

  • Session data — a single first-party authentication cookie (INSTAREACH_SESSID), CSRF tokens.
  • Logs — IP address, user-agent, request path and timestamp for security and abuse detection.
  • Usage analytics — aggregated counts of dashboard actions and message events. We do not run third-party advertising trackers on the dashboard.

4. How we use data

We process personal data only for the purposes listed below, and only to the minimum extent necessary:

  • To authenticate you and operate the Service (account creation, sign-in, dashboard access).
  • To deliver the automation features you configure — sending DMs, comment replies and private replies on your behalf via the official Meta Graph API.
  • To produce in-app analytics, message logs and notifications.
  • To bill you, process payments and prevent fraud.
  • To respond to support requests and communicate service-related notices.
  • To comply with our legal obligations and enforce our Terms of Service.

We do not use Meta-derived data to train artificial-intelligence or machine-learning models that determine eligibility for, or otherwise extend, financial, housing, employment, education, or insurance opportunities. We do not sell or rent personal data to third parties.

6. Data we receive from Meta & how we treat it

We comply with the Meta Platform Terms in particular by:

  • Only requesting permissions strictly required for the features you enable.
  • Storing access tokens encrypted at rest with AES-256-GCM; the encryption key is held outside the database and rotated periodically.
  • Restricting employee access to Meta data on a strict need-to-know basis with audit logging.
  • Honouring deletion within the time-frame stated in our data-deletion procedure.
  • Not transferring Meta-derived data to data brokers, ad networks or any party that uses it for advertising.

7. Sharing & sub-processors

We share personal data only with the following categories of recipient:

  • Meta Platforms, Inc. — to read and send messages via the Graph API.
  • Cloud infrastructure providers — to host the application and database (e.g. AWS, Hetzner, DigitalOcean).
  • Email provider — to deliver transactional emails (receipts, password recovery).
  • Payment processor — to handle subscription billing (e.g. Stripe). We do not store full card numbers.
  • Authorities — when required by law, court order, or to protect our rights and users.

An up-to-date list of sub-processors is available on request to vedvyas1414@gmail.com.

8. International transfers

Personal data may be transferred to, and processed in, countries other than your own — including the United States. Where required, we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and additional safeguards reviewed under Schrems II.

9. Data retention

Data categoryRetention period
Account & profile For the lifetime of your account, then 30 days for grace-period restoration
Encrypted access tokens Until you disconnect Facebook, log out, or delete your account
Workflow definitions Until you delete them or close your account
Message logs 90 days, then aggregated and anonymized
Security & access logs12 months
Billing records As required by tax law (typically 7 years)
Backups Up to 35 days, encrypted at rest

After account deletion, residual data in encrypted backups is purged on the next rotation cycle (max 35 days).

10. Security measures

  • All traffic is served over TLS 1.2+.
  • OAuth access tokens are encrypted at rest with AES-256-GCM; keys are stored outside the database and rotated periodically.
  • CSRF protection on every state-changing request, HMAC verification (SHA-256) on every Meta webhook.
  • Sessions are HttpOnly, SameSite=Lax and Secure on HTTPS.
  • Database access is restricted to a minimal IP allow-list; engineer access is audited.
  • Penetration testing and dependency scanning are performed regularly.

No system is 100% secure. If we become aware of a breach affecting your personal data we will notify you and the relevant authorities within 72 hours, as required by Art. 33 GDPR.

11. Your rights

Subject to applicable law, you have the right to:

  • Access — receive a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — see the Data Deletion page.
  • Restriction — limit how we process your data while we resolve a dispute.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, where processing is based on consent.
  • CCPA rights — California residents may opt out of "sale" or "sharing" (we do neither) and request specific disclosures.

To exercise any of these rights, email vedvyas1414@gmail.com. We respond within 30 days.

12. Cookies

We use a minimal set of strictly-necessary first-party cookies for authentication and CSRF protection. We do not use third-party tracking or advertising cookies on the dashboard. See our Cookie Policy for the full list.

13. Children's privacy

The Service is not directed at children under 13 (16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact vedvyas1414@gmail.com and we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.

15. Contact us

Questions about this Privacy Policy or your personal data?

You can also use our contact form.