Privacy Policy

Last updated: April 23, 2026

1. Introduction

Instoly ("we", "our", or "us") operates the Instoly platform (instoly.com), a creator engagement platform that helps you grow and connect with your Instagram community. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

2. Information We Collect

2.1 Account Information

When you create a Instoly account, we collect:

  • Email address
  • Display name
  • Password (stored in hashed form — we cannot see your password)
  • Country and currency preferences

2.2 Instagram Account Data

When you connect your Instagram account, we receive:

  • Instagram username and user ID
  • Profile picture URL
  • Follower count
  • Account type (Business or Creator)
  • OAuth access token (used to send messages on your behalf)

2.3 Comment and Message Data

To provide our DM engagement service, we process:

  • Comments on your Instagram posts (text and commenter's ID)
  • Messages sent on your behalf
  • Trigger keywords you configure in your flows

2.4 Usage Data

We collect basic analytics such as page views, feature usage, and error logs to improve the service.

3. How We Use Your Information

  • Core Service: Matching comments to trigger keywords and sending DM replies
  • Account Management: Authentication, profile management, and billing
  • Analytics: Providing you with flow performance statistics (DMs sent, clicks, conversions)
  • Service Improvement: Debugging issues, improving performance, and developing new features
  • Communication: Sending you important service updates and notifications

4. Third-Party Services

We interact with the following third-party services:

  • Meta/Instagram: We use the Instagram Graph API and Messenger Platform to send DMs and read comments. Your Instagram data is processed in accordance with Meta's Platform Terms.
  • MongoDB Atlas: Your data is stored securely on MongoDB Atlas cloud infrastructure with encryption at rest.

We do not sell your personal information to third parties.

5. Data Retention

We retain your data for as long as your account is active. You may request deletion of your account and associated data at any time by contacting us. When you disconnect your Instagram account, we immediately delete your access token and Instagram-specific data.

6. Data Security

We implement industry-standard security measures including:

  • HTTPS encryption for all data in transit
  • Hashed passwords using bcrypt
  • JWT-based authentication with httpOnly cookies
  • MongoDB Atlas encryption at rest
  • Access token isolation per user

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Disconnect your Instagram account at any time
  • Export your data in a portable format

8. Instagram Data Deletion

If you remove Instoly from your Facebook/Instagram connected apps, we will receive a data deletion request from Meta. We will delete all your Instagram-related data (tokens, username, profile info, comment history) within 48 hours.

9. Children's Privacy

Our service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website.

11. Contact Us

If you have questions about this Privacy Policy, please contact us at: contact@instoly.com