This Privacy Notice for AutoDM ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you visit our website at autodm.pro or any application of ours that links to this Privacy Notice. If you do not agree with our policies and practices, please do not use our Services.
Summary of Key Points
What personal information do we process? We collect your email address, Instagram/Facebook profile information, and social media account data when you connect your accounts via Meta's official OAuth.
Do we process any sensitive personal information? No. We do not process sensitive personal information such as health data, financial records, or government IDs.
Do we collect any information from third parties? We receive data from Meta (Instagram/Facebook) APIs only when you explicitly authorize us via the OAuth consent flow.
How do we keep your information safe? We use HTTPS, encrypted storage, Row Level Security (RLS), and Supabase Auth to protect your data.
What are your rights? You can access, correct, or delete your personal data at any time by disconnecting your accounts from the dashboard or contacting us at support@autodm.pro.
1. What Information Do We Collect?
In Short: We collect information you provide directly and information received from your Instagram and Facebook accounts when you connect them.
Personal Information You Provide Directly
When you register for AutoDM, we collect:
Email address — used for account creation, login, and service communications
Password — never stored in plain text; Supabase Auth stores only a bcrypt hash of it, and it travels only over HTTPS (TLS) when you log in
Full name — optionally provided during signup for personalised communications
Social Media Account Data (via Meta OAuth)
When you connect your Instagram Business Account and/or Facebook Page via Meta's official OAuth consent flow, we receive and store the following data — but only after you explicitly grant permission on Meta's consent screen:
Instagram username and profile picture URL
Instagram Business Account ID (used to identify your account in API calls)
Facebook Page name, Page ID, and Page access token
Meta user ID
Posts, Reels, and Stories metadata: captions, timestamps, media URLs, thumbnails, permalink URLs, media type
OAuth access tokens (long-lived tokens, valid for 60 days, stored encrypted, used to interact with Meta APIs on your behalf)
Granted permission scopes
Comment IDs and comment text from users who comment on your posts (used only to match trigger keywords and send the configured automated DM)
Instagram user IDs of commenters (used only to send the DM; we do not store commenter profile information)
Information We Do NOT Collect
We do not read or store the content of your existing private Direct Message inbox
We do not collect or store your followers list or following list
We do not collect payment card numbers, bank details, or UPI PINs — payments are processed entirely by Cashfree and are never transmitted to or stored on our servers
We do not use advertising cookies, third-party trackers, or analytics SDKs (e.g. Google Analytics, Facebook Pixel). We use essential session cookies only, managed by Supabase Auth
We do not collect sensitive personal information such as health data, biometric data, racial or ethnic origin, or government identification numbers
2. How Do We Process Your Information?
In Short: We process your information to provide and improve the AutoDM service, communicate with you, and comply with legal obligations.
We process your personal information for the following specific purposes:
Account management: To create and manage your AutoDM account using email/password authentication via Supabase Auth
Social account connection: To connect your Instagram Business Account and/or Facebook Page using Meta's official OAuth 2.0 consent flow
Post synchronisation: To fetch and display your posts, reels, and stories from Instagram and Facebook so you can configure automations per post
Comment monitoring: To receive real-time comment events from your posts via Meta webhooks and match them against your configured trigger keywords
DM automation: To send automated Direct Messages on your behalf when a user's comment matches your configured trigger (keywords, all comments, emojis, mentions)
Follow Gate: To verify that a commenter has followed your account before sending a reward link, using Meta's follower verification API (Pro feature)
Email lead capture: To collect and store email addresses that commenters voluntarily share in reply to your automated DM prompt (Pro feature)
Click tracking: To generate short redirect URLs and count clicks on links sent in automated DMs so you can measure engagement
Analytics: To provide performance metrics including DMs sent, link clicks, click-through rate (CTR), and A/B test results
Email communications: To send account verification emails, trial notifications, and service updates via Supabase Auth and Resend
Security and compliance: To detect and prevent abuse, enforce our Terms of Service, and comply with applicable laws
3. What Legal Bases Do We Rely On?
In Short: We process your personal information only when we have a valid legal basis to do so.
Consent: You explicitly authorise us to access your social media accounts through Meta's OAuth consent screen. You can withdraw consent at any time by disconnecting your accounts from the AutoDM dashboard
Contractual Obligation: Processing is necessary to fulfil the service agreement between you and AutoDM (i.e., to deliver the DM automation service you signed up for)
Legitimate Interests: We process certain data for our legitimate business interests, such as improving our service, preventing fraud, and maintaining service security — provided these interests are not overridden by your rights
Legal Obligations: We may process data to comply with applicable laws, court orders, or regulatory requirements
Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal. To withdraw consent, disconnect your social accounts from the Settings page in the dashboard.
4. When and With Whom Do We Share Your Information?
In Short: We do not sell or share your personal information with third parties for marketing purposes. We share data only with the service providers necessary to operate AutoDM.
Meta Platforms (Instagram / Facebook): We send API requests to Meta's Graph API to deliver DMs, fetch your posts, receive webhook comment events, and verify follows. This is the core function of the service
Supabase (Database & Authentication): Your account data, automation settings, and social account tokens are stored in a Supabase-managed PostgreSQL database hosted on AWS. Supabase provides Row Level Security ensuring only you can access your data
Vercel (Application Hosting): Our Next.js application is deployed on Vercel. Web requests pass through Vercel's infrastructure. Vercel does not store your personal data beyond transient request logs
Resend (Email Delivery): We use Resend to deliver account verification emails and service notifications. Resend receives your email address to deliver these emails
Cashfree (Payment Processing): Cashfree processes subscription payments. We share only the information required to create a payment order (your email address and a generated order ID). We never receive or store your payment card or banking details
Legal Requirements: We may disclose your information if required by law, court order, or government authority, or to protect the rights, property, or safety of AutoDM, our users, or others
Business Transfers: In the event of a merger, acquisition, or sale of all or part of our business, user data may be transferred as part of that transaction, subject to the same privacy protections
We do not share your data with advertising networks, data brokers, or any third-party monetisation services.
5. Meta Platform Permissions We Request
In Short: We request only the minimum permissions necessary to deliver the AutoDM service. Each permission is explained below along with exactly how it is used.
AutoDM supports two connection types: Instagram Login (for connecting an Instagram Business or Creator account directly) and Facebook Login (for connecting a Facebook Page with an associated Instagram Business account).
Instagram Login Permissions
Requested when you connect via Instagram Login:
instagram_business_basic Why we need it: To read your Instagram Business Account profile information (username, profile picture) and fetch your posts, Reels, and Stories so you can select them for automation configuration. Also used to verify follower status for the Follow Gate feature.
instagram_business_manage_messages Why we need it: To send automated Direct Messages to users who comment on your posts with your configured trigger keywords. This is the core function of AutoDM. We only send DMs to users who have actively engaged with your content.
instagram_business_manage_comments Why we need it: To receive real-time notifications of new comments on your posts via Meta webhooks, and to post automatic reply messages to the triggering comment (e.g., "Check your DMs!"). We read comment text only to match it against your configured trigger keywords.
Facebook Login Permissions
Requested when you connect via Facebook Login (for Facebook Pages or Instagram via Facebook):
public_profile Why we need it: Basic Meta user identification required by Facebook Login to authenticate your session.
pages_show_list Why we need it: To retrieve the list of Facebook Pages you manage so you can select which Page to connect to AutoDM and link it to your Instagram Business Account.
pages_read_engagement Why we need it: To fetch posts and comments from your Facebook Page so you can configure automations for Facebook Page content.
pages_manage_metadata Why we need it: To subscribe your Page to Meta webhook events so we can receive real-time notifications when someone comments on your Page posts. Without this, we cannot monitor comments in real time.
pages_messaging Why we need it: To send automated Direct Messages through your Facebook Page inbox to users who comment on your Page posts with trigger keywords.
Meta Webhook Subscriptions
In addition to the OAuth permissions above, we subscribe to the following Meta webhook event types on your behalf. These deliver real-time event notifications to our servers:
comments — New comments on your posts and Reels (used to detect trigger keywords)
messages — Incoming DM replies to your automated messages (used to process Follow Gate confirmations and email collection responses)
mentions — When your Instagram account is mentioned in another user's Story (used for the Story Mention Auto-DM feature)
We use the data received through these permissions and webhooks exclusively to deliver the AutoDM service as described in this Privacy Notice. We do not use this data for advertising, profiling, selling to third parties, or any purpose unrelated to the features you have explicitly configured.
6. How Long Do We Keep Your Information?
In Short: We retain your information only as long as your account is active or as needed to provide the Services.
While your account is active: We retain all account data, automation settings, DM logs, and analytics for as long as you maintain an active AutoDM account
When you disconnect a social account: Your OAuth access token is revoked and scrubbed. Your automation settings are preserved so you can reconnect later without losing your configuration. Your synced posts are deleted from our database per Meta Platform Terms
Access tokens: Instagram and Facebook access tokens are valid for 60 days. We automatically refresh long-lived tokens before they expire. Tokens are scrubbed immediately upon account disconnection or deletion
When you request full account deletion: We delete all your personal information, connected accounts, synced posts, automations, DM logs, analytics data, and access tokens within 30 days of your request
Payment records: Transaction records (order IDs, amounts, dates) may be retained for up to 7 years to comply with financial recordkeeping requirements. No payment card details are stored
7. How Do We Keep Your Information Safe?
In Short: We implement industry-standard security measures to protect your personal information.
All data is transmitted over HTTPS (TLS encryption)
Passwords are hashed using bcrypt via Supabase Auth and are never stored or transmitted in plain text
OAuth access tokens are stored in an encrypted database column accessible only by the service role
Row Level Security (RLS) policies on all database tables ensure each user can access only their own data
Our database is hosted on Supabase (powered by AWS) with automatic backups and encryption at rest
Our application is deployed on Vercel with automatic HTTPS and DDoS protection
API keys and secrets are stored as environment variables and never committed to source control
Webhook payloads from Meta are verified before processing: the X-Hub-Signature-256 header must match an HMAC-SHA256 of the raw request body computed with our app secret, and unsigned or mismatched requests are rejected
However, no method of electronic transmission or storage is 100% secure. While we implement commercially reasonable measures to protect your information, we cannot guarantee absolute security.
8. Do We Collect Information From Minors?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
Our Services are intended for users who are at least 18 years of age. We do not knowingly collect, solicit, or market to children under 18. By using the Services, you represent that you are at least 18 years old. If we learn that we have collected personal information from a user under 18, we will promptly deactivate the account and delete the associated data. If you believe we have inadvertently collected information from a minor, please contact us at support@autodm.pro.
9. What Are Your Privacy Rights?
In Short: You have rights to access, correct, and delete your personal information at any time.
Depending on your location, you may have the following rights regarding your personal data:
Right to access: Request a copy of the personal information we hold about you
Right to rectification: Request correction of inaccurate or incomplete personal data
Right to erasure ("right to be forgotten"): Request deletion of your personal data from our systems
Right to withdraw consent: Disconnect your Instagram or Facebook accounts at any time from the Settings page, revoking our API access
Right to data portability: Request your data in a machine-readable portable format
Right to object: Object to certain types of processing of your personal data
Right to restrict processing: Request that we restrict the processing of your data in certain circumstances
To exercise any of these rights, contact us at support@autodm.pro or use the account management options in the AutoDM dashboard. We will respond to your request within 30 days.
10. Meta Platform Data Use Policy
In Short: We comply fully with Meta's Platform Terms and use data obtained from Meta APIs only as permitted and only to deliver the AutoDM service.
AutoDM accesses Instagram and Facebook data through Meta's official Graph APIs and webhooks. We make the following commitments regarding the use of Meta Platform Data:
We only access data that you have explicitly authorised through Meta's OAuth consent flow
We use Meta Platform Data solely to provide and improve the AutoDM service that you have subscribed to
We do not sell, license, transfer, or otherwise monetise data obtained from Meta APIs to any third party
We do not transfer Meta Platform Data to any data broker, advertising network, or analytics platform
We do not use Meta Platform Data for targeted advertising, re-targeting, or to build advertising profiles
We do not use Meta Platform Data for surveillance, discriminatory profiling, or any purpose not disclosed in this Privacy Notice
We store Meta Platform Data only as long as necessary to deliver the service (see Section 6)
We delete all Meta Platform Data upon account disconnection or when instructed by the user or by Meta
We keep Meta Platform Data secure using encryption and access controls as described in Section 7
We comply with all applicable provisions of the Meta Platform Terms, including restrictions on data use, storage, and transfer
AutoDM is a Meta Business Partner. Our application has been reviewed and approved by Meta for use of the Instagram Graph API and Facebook Graph API for the permissions listed in Section 5.
11. Data Deletion Requests
In Short: You can request complete deletion of all your data at any time. We also handle data deletion requests from Meta automatically.
In compliance with Meta Platform Terms Section 3(d)(i), we provide multiple data deletion mechanisms:
User-Initiated Deletion
Disconnect account (partial): From Settings → Permissions, disconnect your Instagram or Facebook account. This immediately revokes our API access and scrubs your OAuth tokens and synced posts. Your automation configurations are preserved for potential reconnection
Delete AutoDM account (full): From Settings → Account → Delete Account. This permanently deletes all your data including automations, DM logs, analytics, connected accounts, and your login credentials. This action is irreversible
Email request: Send a deletion request to support@autodm.pro. We will process it within 30 days and confirm via email
When you remove AutoDM from your Facebook/Instagram app permissions (via Meta's app settings), Meta sends a data deletion request to our callback endpoint at https://autodm.pro/api/webhooks/data-deletion as a signed_request (HMAC-SHA256, signed with our app secret). We verify the signature before acting on it, delete all platform data associated with the Meta user ID in the request, log a confirmation code, and return that code to Meta together with a status URL. You can check the status of a Meta-initiated deletion at https://autodm.pro/deletion-status?code={confirmation_code}.
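The two signature checks this notice relies on (Section 7's webhook verification and the signed_request handling for Meta-initiated deletion above) in working form, as an added example written for this page and not AutoDM's own code. It assumes Meta's documented formats: the X-Hub-Signature-256 header carries "sha256=" plus the hex HMAC-SHA256 of the raw POST body keyed with the app secret, and a signed_request is "<signature>.<payload>" with both parts base64url-encoded and the signature computed over the encoded payload string. The secret, user ID, function names and sample payloads are placeholders constructed for the demo; make_signed_request exists only to fabricate input that Meta would normally produce.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional

SIG_PREFIX = "sha256="


def verify_webhook_signature(app_secret: str, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Check Meta's X-Hub-Signature-256 header against the raw (unparsed) request body.

    The header value is "sha256=" + hex(HMAC-SHA256(app_secret, raw_body)). The comparison
    is constant-time so the check does not leak the expected digest byte by byte.
    """
    if not signature_header or not signature_header.startswith(SIG_PREFIX):
        return False
    expected = hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header[len(SIG_PREFIX):])


def _b64url_decode(data: str) -> bytes:
    # Meta strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def parse_signed_request(app_secret: str, signed_request: str) -> dict:
    """Verify and decode a Meta signed_request ("<sig>.<payload>", both base64url).

    The signature is HMAC-SHA256 over the *encoded* payload string, keyed with the app
    secret. Raises ValueError on malformed, unauthenticated or unexpected input.
    """
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed signed_request") from exc
    expected = hmac.new(app_secret.encode("utf-8"), payload_b64.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signed_request signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected signing algorithm")
    if "user_id" not in payload:
        raise ValueError("signed_request has no user_id")
    return payload


def handle_data_deletion(app_secret: str, signed_request: str,
                         delete_user_data: Callable[[str], None], status_base_url: str) -> dict:
    """Process a deletion callback and build the JSON body Meta expects back.

    Meta requires a response of the form {"url": <status page>, "confirmation_code": <code>}.
    Nothing is deleted until the signature has been verified (delete_user_data is a placeholder).
    """
    payload = parse_signed_request(app_secret, signed_request)
    meta_user_id = str(payload["user_id"])
    delete_user_data(meta_user_id)
    code = secrets.token_hex(8)  # per-request code the user can look up on the status page
    return {"url": f"{status_base_url}?code={code}", "confirmation_code": code}


def make_signed_request(app_secret: str, payload: dict) -> str:
    """Build a signed_request the way Meta does. Used here only to construct demo input."""
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"), payload_b64.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{payload_b64}"


# Constructed demo values (not a real secret or user ID).
APP_SECRET = "demo-app-secret-do-not-use"
DEMO_USER_ID = "10152123456789012"
STATUS_URL = "https://autodm.pro/deletion-status"


def demo() -> dict:
    """Run both checks on constructed input and report the outcomes."""
    # 1. Comment webhook: the signature covers the exact bytes Meta POSTs, so verify the raw
    #    body. Re-serialising parsed JSON changes the bytes and must fail verification.
    body = json.dumps({"object": "instagram", "entry": [{"id": "17841400000000000",
            "changes": [{"field": "comments", "value": {"text": "LINK"}}]}]}).encode("utf-8")
    good_header = SIG_PREFIX + hmac.new(APP_SECRET.encode(), body, hashlib.sha256).hexdigest()
    webhook_ok = verify_webhook_signature(APP_SECRET, body, good_header)
    reserialised = json.dumps(json.loads(body), indent=2).encode("utf-8")
    webhook_reserialised_ok = verify_webhook_signature(APP_SECRET, reserialised, good_header)

    # 2. Deletion callback: a genuine request is honoured, a re-targeted payload under the
    #    original signature is rejected before any deletion happens.
    deleted = []
    signed = make_signed_request(APP_SECRET, {"algorithm": "HMAC-SHA256", "issued_at": 1700000000,
                                              "user_id": DEMO_USER_ID})
    response = handle_data_deletion(APP_SECRET, signed, deleted.append, STATUS_URL)
    sig_part = signed.split(".", 1)[0]
    forged = sig_part + "." + _b64url_encode(json.dumps({"algorithm": "HMAC-SHA256", "user_id": "1"}).encode())
    try:
        handle_data_deletion(APP_SECRET, forged, deleted.append, STATUS_URL)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"webhook_ok": webhook_ok, "webhook_reserialised_ok": webhook_reserialised_ok,
            "deleted": deleted, "response": response, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details matter in practice: the webhook check must run on the request body bytes as received (most frameworks need the raw body captured before JSON parsing), and the deletion handler must verify the signed_request before touching any data, otherwise anyone who can reach the callback URL can delete another user's account by posting a payload with that user's Meta ID.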
Upon any deletion request, the following data is permanently removed within 30 days: connected account records, OAuth tokens, synced posts and media, DM automation configurations, DM sent logs, click tracking data, email leads, payment order references, and your login account.
12. Do We Make Updates To This Notice?
In Short: Yes, we will update this Privacy Notice as necessary to stay compliant with relevant laws and to reflect changes in our Services.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this page. If we make material changes — such as changes to how we use Meta Platform Data, the permissions we request, or how long we retain data — we will notify you by email and by posting a prominent notice on our website. We encourage you to review this Privacy Notice periodically.
13. How Can You Contact Us?
If you have questions, concerns, or complaints about this Privacy Notice or our data practices, please contact us:
AutoDM
Email: support@autodm.pro
Website: autodm.pro
Data Deletion Callback: https://autodm.pro/api/webhooks/data-deletion
We aim to respond to all privacy-related inquiries within 5 business days.
14. How Can You Review, Update, or Delete Your Data?
You can manage your personal data at any time through the following options:
Disconnect a social account: Settings → Permissions → Disconnect. Revokes API access and deletes synced posts while preserving your automation configuration
Download your data: Contact support@autodm.pro to request a copy of your data in JSON format
Delete your account (full): Settings → Account → Delete Account. Permanently removes all associated data. Alternatively, email us at support@autodm.pro
Revoke access from Meta's side: Go to your Facebook Settings → Apps and Websites → find AutoDM → Remove. Meta will send a data deletion signal to our servers automatically