Privacy Policy | Instagram Graph Sync

1. Introduction

Instagram Graph Sync ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service, including our website, API, and mobile applications (collectively, the "Service"). By using our Service, you consent to the data practices described in this policy.

This Privacy Policy complies with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Meta Platform Terms and Developer Policies.

2. Information We Collect

2.1 Information You Provide

Account Information: When you create an account, we collect your name, email address, and authentication credentials (handled securely through OAuth providers like Google and GitHub).
Instagram Account Connection: When you connect your Instagram account, we collect and store your Instagram User ID, username, account type (Business or Creator), and Instagram access tokens.
Contact Information: If you contact us through our contact form, we collect your name, email address, and message content.
API Key Information: If you create API keys for external access, we store a hashed version of the key and associated metadata (name, creation date, last used date).

2.2 Instagram Data We Collect

When you connect your Instagram account, we collect the following data from the Instagram Graph API:

Profile Information: Name, biography, profile picture URL, username, Instagram User ID
Account Metrics: Followers count, following count, media count
Post Data: Post ID, media type (IMAGE, VIDEO, CAROUSEL_ALBUM), media URLs, thumbnail URLs, captions, timestamps, permalinks
Access Tokens: Long-lived access tokens for API authentication (stored securely and encrypted)

Important: We do NOT store actual media files (images or videos). We only store URLs pointing to media hosted by Instagram. We do NOT collect private messages, comments, or any data beyond what is publicly available through the Instagram Graph API.

2.3 Automatically Collected Information

Usage Analytics: We track API usage, endpoint calls, response times, error rates, and feature usage to improve our service
Technical Data: IP address, browser type, device information, operating system, referring URLs, pages visited, time spent on pages
Session Data: Authentication tokens, session identifiers, login timestamps
Error Logs: Error messages and stack traces for debugging purposes (may contain limited personal information)

2.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. You can control cookies through your browser settings, though disabling certain cookies may affect Service functionality.

3. How We Use Your Information

We use the collected information for the following purposes:

Service Provision: To provide, maintain, and improve our Instagram synchronization service and API
API Access: To enable you to access your Instagram data through our REST API endpoints
Data Synchronization: To automatically sync your Instagram profile and posts data (every 6 hours by default)
Authentication: To authenticate your identity and manage your account access
Rate Limiting: To enforce API rate limits and usage quotas based on your subscription plan
Communication: To send you service-related notifications, updates, and respond to your inquiries
Analytics: To analyze usage patterns, monitor service performance, and improve user experience
Security: To detect, prevent, and address security issues, fraud, and unauthorized access
Legal Compliance: To comply with legal obligations, enforce our Terms of Service, and protect our rights
Business Operations: To manage subscriptions, process payments (if applicable), and maintain business records

4. How We Share Your Information

We do NOT sell your personal information. We may share your information only in the following circumstances:

4.1 Public Profile Data

When you connect your Instagram account, your profile information (username, name, bio, profile picture, follower counts, and posts) may be made publicly accessible through our API endpoint /api/user/:id. This allows you to embed your Instagram data on external websites. You can control this by disconnecting your Instagram account.

4.2 Service Providers

We may share information with trusted third-party service providers who assist us in operating our Service, including:

Hosting Providers: Vercel (for application hosting) and Supabase (for database hosting)
Authentication Providers: OAuth providers (Google, GitHub) for account authentication
Analytics Services: For usage analytics and error tracking (data is anonymized where possible)
Payment Processors: If applicable, for processing subscription payments

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users or others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5. Data Security

We implement industry-standard security measures to protect your information:

Encryption: All data transmitted between your device and our servers uses TLS/SSL encryption. Instagram access tokens are encrypted at rest.
Secure Authentication: We use OAuth 2.0 for secure authentication. Passwords (if used) are hashed using bcrypt and never stored in plain text.
Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
API Security: API keys are hashed using SHA-256 before storage. API requests are authenticated and rate-limited.
Regular Security Audits: We conduct regular security assessments and vulnerability scans.
Database Security: Our databases are hosted on secure cloud infrastructure with automated backups and access logging.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes outlined in this policy:

Account Data: Retained until you delete your account or request deletion
Instagram Data: Retained until you disconnect your Instagram account or delete your account
Analytics Data: Retained for up to 2 years for service improvement purposes
API Usage Records: Retained for billing and rate limiting purposes, typically for the duration of your subscription plus 1 year
Legal Records: Some information may be retained longer if required by law or for legitimate business purposes

When you delete your account or disconnect your Instagram account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or regulatory purposes.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access and Portability

You can access your account information and Instagram data through your dashboard or by using our API endpoints. You can export your data in JSON format.

7.2 Correction

You can update your account information through your dashboard settings. Instagram profile data is synced from Instagram and cannot be directly edited through our Service.

7.3 Deletion

You can request deletion of your account and all associated data at any time. Please visit our Data Deletion page for detailed instructions. We will process deletion requests within 30 days.

7.4 Objection and Restriction

You can object to certain processing of your data or request restriction of processing. Contact us to exercise these rights.

7.5 Withdraw Consent

You can withdraw your consent to data processing by disconnecting your Instagram account or deleting your account. This may limit your ability to use certain features of our Service.

7.6 Opt-Out of Analytics

You can opt-out of non-essential analytics tracking through your browser settings or by contacting us.

8. Instagram Graph API and Meta Platform

Our Service uses the Instagram Graph API provided by Meta Platforms, Inc. When you connect your Instagram account:

You authorize us to access your Instagram account data through the Instagram Graph API
We comply with Meta's Platform Terms, Developer Policies, and Data Use Restrictions
We only access data that you explicitly grant permission for (profile and media data)
We do NOT access private messages, comments, or other restricted data
We do NOT share your Instagram data with third parties except as described in this policy
You can revoke access at any time through your Instagram account settings or by disconnecting in our Service

For more information about how Meta handles your data, please review Meta's Privacy Policy.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. We ensure appropriate safeguards are in place, including standard contractual clauses and compliance with applicable data protection regulations.

10. Children's Privacy

Our Service is not intended for users under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will delete such information.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information (with certain exceptions)
Right to opt-out of the sale of personal information (we do not sell your information)
Right to non-discrimination for exercising your privacy rights

To exercise these rights, please contact us using the information provided in Section 13.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

Right of access to your personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent
Right to lodge a complaint with a supervisory authority

To exercise these rights, please contact us using the information provided in Section 13.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: Contact Form
Website: https://instalink.sitesbysteve.dev
Data Deletion Requests: Data Deletion Page

We will respond to your inquiry within 30 days.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically. Your continued use of our Service after any changes constitutes acceptance of the updated policy.

15. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any information.