Privacy Policy
1. Introduction
Welcome to Send DM. Send DM ("we," "us," or "our") operates an Instagram direct message automation platform that helps businesses and creators automate their Instagram DM workflows through Meta's official API. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services (collectively, the "Service").
By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
Account Information
When you create a Send DM account, we collect the following personal information:
- Full name
- Email address
- Password (stored as a cryptographic hash, never in plain text)
- Profile information you choose to provide
Instagram Account Data
When you connect your Instagram account through Meta's official OAuth flow, we receive and store:
- Instagram username and account ID
- Follower and following counts
- Access tokens (encrypted at rest using AES-256 encryption)
- Business or creator account profile information
- Media and post metadata required for automation triggers
Usage Data
We automatically collect certain information when you interact with the Service:
- IP address and approximate geographic location
- Browser type and version
- Pages visited and features used within the Service
- Date and time of access
- Referring URL
- Device type and operating system
Billing Information
Payment processing is handled entirely by Stripe. We do not store your full credit card number, CVV, or other sensitive payment card details on our servers. We retain only:
- Stripe customer ID
- Subscription plan and status
- Billing email address
- Last four digits of payment card (provided by Stripe for display purposes)
- Invoice and payment history
3. How We Use Your Information
Service Delivery
We use your information to provide, maintain, and improve the Service, including:
- Creating and managing your Send DM account
- Connecting to and authenticating with Instagram via Meta's API
- Processing your subscription and billing through Stripe
- Providing customer support and responding to inquiries
Automation
Your Instagram data is used to power core automation features:
- Monitoring comments, story mentions, and keywords for configured triggers
- Sending automated direct messages based on your defined rules
- Managing contacts who interact with your Instagram account
- Storing message templates and automation configurations
Analytics
We process usage and engagement data to provide you with:
- DM delivery and response rate metrics
- Automation performance insights and conversion tracking
- Audience engagement analytics and trends
Communication
We may use your email address to send you:
- Transactional emails (account verification, password resets, billing receipts)
- Service notifications (automation status alerts, usage limit warnings)
- Product updates and feature announcements (you can opt out at any time)
4. Instagram & Meta Data
Send DM integrates with Instagram through Meta's official Graph API and Messaging API. We take the handling of this data seriously and comply with Meta's Platform Terms and Developer Policies.
What We Access
Through the Meta API, we access the following data based on permissions you grant during the OAuth connection flow:
- Instagram business or creator account profile details
- Comments on your posts and Reels
- Story mentions, replies, and reactions
- Direct message conversations (for automation and auto-reply purposes only)
- Media metadata (post type, timestamps, engagement counts)
Token Storage
Instagram access tokens are encrypted at rest using AES-256 encryption before being stored in our database. Tokens are only decrypted in memory at the time of API calls and are never logged, exposed in URLs, or transmitted in plain text.
Webhook Data
We receive real-time webhook notifications from Meta for events such as new comments, story mentions, and incoming direct messages. This data is processed to trigger your configured automations and is stored in accordance with our data retention policies described in Section 7.
5. Data Storage & Security
We implement industry-standard security measures to protect your data:
- All data is stored in PostgreSQL databases with encryption at rest
- Instagram access tokens are encrypted using AES-256 before storage
- User passwords are hashed using bcrypt with appropriate cost factors
- All data in transit is encrypted using TLS/HTTPS
- Background job queues (BullMQ/Redis) are secured and isolated
- Regular security audits and vulnerability assessments
- Access to production systems is restricted and logged
- Database backups are encrypted and stored securely
While we implement robust security measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information using commercially reasonable safeguards.
6. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information to third parties. We share data only in the following limited circumstances:
Stripe (Payment Processing)
We share necessary billing information with Stripe to process payments, manage subscriptions, and prevent fraud. Stripe's handling of your data is governed by the Stripe Privacy Policy.
Meta (Instagram API)
We interact with Meta's API to deliver Instagram automation features. Data exchanged with Meta is subject to the Meta Privacy Policy.
Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency), or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will notify you via email or a prominent notice on our Service before your information becomes subject to a different privacy policy.
7. Data Retention
We retain your information only for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy. Specific retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Direct message content | 90 days from send date |
| Analytics and engagement data | 1 year |
| Account and profile data | Until account deletion |
| Contact records | Until account deletion |
| Billing and invoice records | 7 years (legal/tax requirements) |
| Server logs | 30 days |
After the applicable retention period expires, data is permanently deleted or anonymized so that it can no longer be associated with you.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data under applicable data protection laws, including the General Data Protection Regulation (GDPR) and other regional privacy regulations:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data (subject to legal obligations).
- Right to Data Portability: Request a machine-readable copy of your data to transfer to another service.
- Right to Restriction of Processing: Request that we limit how we process your data in certain circumstances.
- Right to Object: Object to processing of your personal data for direct marketing or based on legitimate interests.
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, as required by applicable law.
9. Data Deletion
You may request complete deletion of your Send DM account and associated data at any time. You can initiate this process by:
- Using the "Delete Account" option in your account settings
- Sending an email to [email protected] with the subject "Account Deletion Request"
Upon receiving a valid deletion request, we will permanently delete the following within 30 days:
- Your account profile and credentials
- Connected Instagram account data and encrypted access tokens
- All contact records and DM content
- Automation configurations and message templates
- Analytics data associated with your account
Certain data may be retained beyond this period where required by law (e.g., billing records for tax compliance) or where necessary to resolve disputes, enforce our agreements, or for other legitimate business purposes. Any retained data will be minimized and securely stored.
10. Cookies & Tracking
We use a minimal set of cookies that are strictly necessary for the operation of the Service:
Essential Cookies
- Authentication session cookies to keep you logged in
- CSRF (cross-site request forgery) protection tokens
- User preference cookies (e.g., timezone, language)
What We Do Not Use
- Third-party tracking cookies
- Advertising or retargeting cookies
- Social media tracking pixels
- Cross-site tracking technologies
We do not serve ads and do not participate in any advertising networks. Your browsing behavior on Send DM is not shared with any third-party advertisers.
11. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information from our servers promptly.
If you are a parent or guardian and believe your child has provided personal data to Send DM, please contact us at [email protected] so we can take appropriate action.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country.
When we transfer personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfers to countries with an adequate level of data protection as recognized by the European Commission
- Other legally recognized transfer mechanisms as applicable
Regardless of where your data is processed, we apply the same security protections and privacy standards described in this Privacy Policy.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email if the changes significantly affect how we process your data
- Display a prominent notice within the Service for at least 30 days
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after any changes become effective constitutes your acceptance of the revised Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Inquiries
[email protected]
Data Protection Officer (DPO)
[email protected]
General Support
[email protected]
If you are located in the European Economic Area and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
This Privacy Policy is effective as of February 15, 2026, and will remain in effect until modified as described above.